Re: [Asrg] hashcash, was My take on e-postage

[Jonathan Morton <chromi at chromatix.demon.co.uk>]

> > > 80% of spam detected by this method (it's catching approximately 
> > > 65-70% of all of our spam) is coming from detections less than 4 
> > > days old.  90% < 6 days old.  95% < 12 days old.
> > Can you tell us the number of hosts in each category? And how long 
> > hosts
> > remain infected? That would give us an idea of the gross flows into 
> > and
> > out of infected status.
> Here's a table:
>
> Age (days)   IP Count/cum%  Hit Count/cum%
>          0      67974/ 5.0     174862/25.4
>          1      65816/ 9.8     184589/52.1
>          2      54233/13.8     118338/69.3
>          3      48207/17.4      50991/76.7
>          4      38517/20.2      45567/83.3
<snip>

>         24      32483/85.7       1000/98.6
>         25      38186/88.5       4719/99.3
>         26      42249/91.6       1393/99.5
>         27      41198/94.7       1816/99.7
>         28      39267/97.6       1487/99.9
>         29      33023/100.0       396/100.0
>         30        261/100.0         0/100.0
>     Totals    1360713/ 100     689529/ 100
>
> We expire after 30 days.
I don't get it.  Why is the hit count for some days so much lower than 
the host count?

Anyway, assuming your figures are correct, that indicates that 2/3rds 
of the hosts are rolling around to the beginning of the list again, 
because they're being detected as new immediately after being expired.  
That in turn seems to suggest 25k new zombies per day, rather than 70k. 
 The total zombie pool is probably a more reliable figure, which I'll 
round up to 1500k.

Assuming they're maximally used for sending spam for about 4 days on 
average, that's a sending pool of about 100k machines.  If each has an 
average 128Kbit DSL uplink, that's equivalent to about 8000 T1s, each 
at 30k spams per second, totalling 240M spams per second.  Rather a lot 
of bandwidth to draw upon, isn't it?

Now let's assume that hashcash is widely deployed, but that the 
spammers have now set up a reasonably efficient P2P network between the 
zombies, allowing even the blacklisted ones to generate stamps for the 
others.  Most zombies won't be screaming top-of-the-line boxes, rather 
there'll be a lot of 1-CPU Celerons and the like, so say 4 seconds per 
20-bit collision on average.

With 1.5M of them churning away, that's 375k spams a second - a massive 
3 orders of magnitude reduction compared to 240M, even if it is still 
enough to saturate 12 T1s.

So, OK, this is definitely going to turn off the non-hardcore spammers. 
 Those that are left will be the ones to send the law after.  Theft of 
service and computer intrusion on this kind of scale is a crime, no 
matter whether the actual spam is.

--------------------------------------------------------------
from:     Jonathan "Chromatix" Morton
mail:     chromi@chromatix.demon.co.uk
website:  http://www.chromatix.uklinux.net/
tagline:  The key to knowledge is not to rely on people to teach you it.


_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg