
Re: [ASRG] Re: Spam send/receive ratio



"Chris" <asrg at rebel.com.au> wrote:
> For the recipient MTA to perform such tests you *MUST* implement some (huge)
> mail monitoring service that monitors mail from every conceivable address.

  Simply asserting that as true doesn't make it true.

  Most domains have a non-uniform distribution of email across sending
domains.  This means that they probably need to keep only a small
number of records (100's to 1000's) which each have (domain, volume,
whatever) information in them.  These records would contain only the
highest volume senders, and everyone else would be lumped into the
"less than X messages a day" category.

  If you see sudden spikes from domains which are listed, you can
catch the spike by looking at the recorded past behavior.  If you see
sudden spikes from domains which are not listed, you can catch the
spike by noticing that the domain is suddenly over the threshold of "X
messages a day".

  For local users, the same method can be used, with similar benefits.


  I won't respond to the rest of your message, because it's predicated
on invalid assumptions, or on a badly designed system.

> If you think a recipient MTA volume check will work. go ahead and design a
> system. just pseudo code it and we will see where we can go from there.

  The system described above will reliably catch spikes of traffic.
What the MTA does after that is its responsibility.  I can think of a
number of ways that knowledge of traffic spikes can be used in an
antispam system.

  For details, see the archives.  ISPs have described here how they
use traffic spikes to catch spam.

  Alan DeKok.

_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
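
A sketch of the bounded per-domain volume table described in the message above, as an added example that is not part of the original post. The class and method names, the smoothed baseline, the 5x spike multiplier, and the sample domains and counts are assumptions made for illustration.

```python
from collections import Counter


class SpikeDetector:
    """Receiver-side volume table: top senders only, the rest are 'under X'."""

    def __init__(self, x_per_day=100, max_records=1000, factor=5.0, alpha=0.2):
        self.x = x_per_day              # the "X messages a day" cut-off (assumed)
        self.max_records = max_records  # table stays at 100s to 1000s of rows
        self.factor = factor            # spike: today > factor * baseline (assumed)
        self.alpha = alpha              # weight of today's count in the baseline
        self.baseline = {}              # sending domain -> smoothed daily volume

    def seed(self, history):
        """Load past daily volumes; only senders at or above X get a record."""
        for domain, n in history.items():
            if n >= self.x:
                self.baseline[domain] = float(n)
        self._trim()

    def end_of_day(self, counts):
        """counts: {sending domain: messages today} -> [(domain, reason)]."""
        alerts = []
        for domain, n in sorted(counts.items()):
            past = self.baseline.get(domain)
            if past is None:
                # Unlisted sender: invisible until it crosses X in one day.
                if n >= self.x:
                    alerts.append((domain, "unlisted_over_threshold"))
                    self.baseline[domain] = float(n)
            elif n > self.factor * past:
                # Listed sender far above its recorded past behaviour.
                # The baseline is left alone so the spike does not become normal.
                alerts.append((domain, "spike_vs_history"))
            else:
                self.baseline[domain] = (1 - self.alpha) * past + self.alpha * n
        self._trim()
        return alerts

    def _trim(self):
        # Keep only the highest-volume senders; the rest fall back to "under X".
        if len(self.baseline) > self.max_records:
            self.baseline = dict(Counter(self.baseline).most_common(self.max_records))


if __name__ == "__main__":
    det = SpikeDetector(max_records=2)
    # Constructed sample data, not real traffic.
    det.seed({"bigisp.example": 1000, "lists.example": 400, "small.example": 3})
    print(det.end_of_day({"bigisp.example": 900, "lists.example": 2500,
                          "new.example": 150}))
```

What the MTA does with an alert (defer, rate-limit, score) is left to the caller, as in the message above.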