
Re: [Asrg] Spam detection system proposal



David F. Skoll said:

> 1) Spammers want to send out lots of messages cheaply, and don't
> particularly care if any one message gets through.  Legitimate mass
> mailers want all of their messages to get through.
> 
> 2) This is just a hunch, but I bet it's true:  Spammers probably have a
> higher proportion of bad addresses on their lists than mass-mailers.  We
> can help ensure this by poisoning their lists with web pages of fake
> addresses.
> 
> The analogy to IDS software is apt here.  Condition (1) can be detected
> with a purely local process:  You tempfail mail from unknown senders the
> first time.  (Better, tempfail based on sender-recipient pairs).  I already
> do this, and it reduces spam by a significant percentage (20-25%) with very
> little cost to me.
> 
> Condition (2) cannot be detected purely locally, but I have a proposal
> that can make it possible to detect (2).  Just as we have central clearing
> houses for checksums, we can build a system of central clearing houses
> for success/failure counts.
> 
> Imagine modifying MTA software so that:
> 
> - If a RCPT TO: succeeds, it sends a note saying:  "Sender xyz@domain.net
>   from IP address a.b.c.d sent a successful RCPT TO: command"
> 
> - If a RCPT TO: fails, a similar failure note is sent.
> 
> - Possibly, we could augment the scheme so that mail to a honeypot address
>   is noted and counts for more than a simple failure -- we could weight
>   the various addresses.
> 
> The clearing house would maintain the success/failure rate over a
> sliding window of 24 hours or so.

This is a very interesting idea.   It does not even need to hook into
the MTA, just tail the log files or log database for that MTA, and report
stats from that.

To avoid this, spammers would have to

  (a) start using valid, non-forged, non-joe-job From: or Errors-To:
  addresses to collect "user unknown" DSNs, so they could clean up their
  lists;

  (b) spend money on inbound SMTP bandwidth to support (a), hence hitting
  their pockets.

A very nice, very simple idea.   It's vaguely related to another idea I've
heard, regarding a lookup database of "addresses that have bounced at my
domain recently", but that idea might have a side-effect of
providing more incentive for spammers to joe-job (haven't quite thought it
through).  This one, however, does not.

Issues I can see:

- an expiry of 1 day is too short; I would say 3-5 would be better.

- what about randomised sender addresses?  Some spamtools will generate
  a new random From: addr for each recipient.  I fear the relay IP
  address is the only trustworthy source id that can be used...

--j.
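The log-tailing variant of the proposal, as an added example and not code from anyone in this thread: it keys counts on the relay IP (since the From: address may be randomised per recipient), uses a multi-day sliding window instead of 24 hours, and weights honeypot hits more than a plain "user unknown". The key=value log format, the addresses, the window and the honeypot weight are all constructed assumptions, not any real MTA's syntax.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (assumed format, one RCPT TO: outcome per line).
SAMPLE_LOG = """\
2003-03-10T08:00:00Z ip=192.0.2.5 from=a1@rand.example to=alice@mx.example status=ok
2003-03-10T08:00:01Z ip=192.0.2.5 from=b7@rand.example to=nobody@mx.example status=unknown
2003-03-10T08:00:02Z ip=192.0.2.5 from=c3@rand.example to=trap@mx.example status=unknown
2003-03-10T08:00:03Z ip=198.51.100.7 from=news@list.example to=alice@mx.example status=ok
2003-03-10T08:00:04Z ip=198.51.100.7 from=news@list.example to=bob@mx.example status=ok
2003-03-10T08:00:05Z ip=198.51.100.7 from=news@list.example to=old@mx.example status=unknown
2003-03-01T08:00:00Z ip=198.51.100.7 from=news@list.example to=gone@mx.example status=unknown
"""
NOW = datetime(2003, 3, 10, 12, 0, tzinfo=timezone.utc)   # "current" time for the window
HONEYPOTS = frozenset({"trap@mx.example"})                # constructed honeypot address

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) from=(?P<from>\S+) "
                     r"to=(?P<to>\S+) status=(?P<status>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def rcpt_stats(log, now, window_days=3, honeypots=frozenset(), honeypot_weight=5):
    """Per relay IP: successful RCPTs, weighted failures and failure ratio in the window."""
    cutoff = now - timedelta(days=window_days)
    counts = defaultdict(lambda: {"ok": 0, "fail": 0})
    for line in log.splitlines():
        rec = parse_line(line)
        if rec is None or rec["ts"] < cutoff:      # skip garbage and expired entries
            continue
        bucket = counts[rec["ip"]]                  # key on IP, not the forgeable sender
        if rec["status"] == "ok":
            bucket["ok"] += 1
        elif rec["to"] in honeypots:
            bucket["fail"] += honeypot_weight       # a honeypot hit counts for more
        else:
            bucket["fail"] += 1
    for b in counts.values():
        b["ratio"] = b["fail"] / (b["ok"] + b["fail"])
    return dict(counts)

def example_stats():
    """Run the sample log through a 3-day window ending at NOW."""
    return rcpt_stats(SAMPLE_LOG, NOW, window_days=3, honeypots=HONEYPOTS)
```

The 2003-03-01 entry falls outside the 3-day window and is ignored; a real deployment would report only the aggregated counts per IP to the clearing house, never the recipient addresses themselves.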
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg