David F. Skoll wrote:
On Wed, 5 Mar 2003, Chris Lewis wrote:
The question is associating the messages to get your counts.
A spammer merely needs to have a big set of open proxies/relays and seriously randomize froms, and you can no longer generate counts of anything because you can't associate report "a" with report "b".
Which isn't hard. If you refuse to get your fingers dirty, you just have to download one of the open relay/proxy blacklists... But if you don't mind getting your fingers dirty, just point a scanner at Brazil. Thousands within a few hours.
It is quite expensive to gather a large set of open relays. If you're sending out 500K messages, and you want to limit it to 1,000 messages/IP, you need to find 500 open relays.
Also, a lot of spammers are pretty unsophisticated and send from DSL or cable-modem lines. This scheme would get them pretty fast.
You're seeing the open relays and proxies, not the spammers themselves.
Based on IPs and Froms, it'd be no better, and considerably worse once the spammers notice and evolve.
We can already see the spammers doing this. My autobitch bot routinely shows me specific spams that have been sent from several hundred or even a thousand different IPs in one day. And this is the viewpoint from just _one_ MTA...
We need experiments to tell for sure.