[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] Random thought

Subject: Re: [Asrg] Random thought
From: "Chris Lewis" <clewis@nortelnetworks.com>
Date: Wed, 12 Mar 2003 16:05:56 -0500
Cc: asrg@ietf.org
List-archive: <https://www1.ietf.org/pipermail/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
References: <200303121725.h2CHPkC5001367@qadgop.stewart.org> <x43clsz9e9.fsf@footbone.midwestcs.com>
Sender: asrg-admin@ietf.org
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20021120 Netscape/7.01

wayne wrote:

If you silently accept email with invalid recipients, you may well end
up in the same position as Alan DeKok.  (see
http://www.striker.ottawa.on.ca/ and his several million spams per
day)  Spammers often have more bandwidth than you do, and often care
less about wasting it (since it is often stolen bandwidth.)  Trying to
get spammers to waste their bandwidth by consuming yours doesn't sound
like a good idea to me.

Slight correction. Striker never did that AFAIK. Striker always rejected, via either outright denial of connection or inline rejects rather than bouncing or accepting. The unproven supposition is that his problem is because of one or two malfunctioning dictionary runs. There's on the order of 1500 or so unique destinations in the load.

To an example more to the point and closer to my heart: our spamtraps didn't even have MXes for two years. Spam load before the MXes was removed was on the order of 50,000/day. Spam load after the MXes was restored is on the close order of 800,000/day and growing slowly day-by-day. There's about 10,000 unique addresses in the spam load.

Note: _our_ spamtrap accepts _any_ address (our spamtrap has a hardcoded "yes" to every question). Your supposition would suggest that it'd grow far faster than it is.

I think comparing our numbers with AOL and/or MSN would suggest that "late bouncing" isn't anywhere near the influence as you may think.

Remember, Millions CDs are write-only.

Similarly, I'm not sure that disabling the VRFY SMTP command is a good
idea.  Yes, the VRFY command can be easily used by spammers to do a
dictionary attack on your server, but if you don't let them do it the
"easy" way, they will likely do it the "hard" way by sending spam to
every possible email address.

Multiple "RCPT TO" then "QUIT" is the same as VRFY.

We don't see a lot of that on our spamtrap actually. What we see _vastly_ more of is "HELO/MAIL FROM/QUIT" same "MAIL FROM" all the time. God knows why they're doing that.

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

Follow-Ups:
- Re: [Asrg] Real-world spam experiences
  - From: Alan DeKok
- Re: [Asrg] Random thought
  - From: wayne
- Re: [Asrg] Random thought
  - From: Vernon Schryver

References:
- Re: [Asrg] Random thought
  - From: lstewart
- Re: [Asrg] Random thought
  - From: wayne

Prev by Date: Re: [Asrg] Cert-based Spam Fighting (rant)
Next by Date: RE: [Asrg] RE: You say tomato, I say authentication
Previous by thread: Re: [Asrg] Random thought
Next by thread: Re: [Asrg] Random thought
Index(es):
- Date
- Thread