[In the message entitled "Re: Stealth Blocking" on May 24, 10:23, "Eric A. Hall" writes:]
Dave Rand wrote:
I'm not sure how effective rate limiting will be. Many spammers send one copy of the spam to an open relay, but use many (2 to 50) recipients.
Rate-shapers would also work on the relays. The idea is that if ISPs would implement a default rate-limit (let's say 4kb/s) that it wouldn't interfere with normal use. It would interfere with spam distribution because it would slow down the big runs dramatically.
The negative side effect is that it cripples people who use email as a file transfer protocol.
Ok, let's have a look. Last week, I got one spam ("get a free motorola pager") which came through 168 different open relays, bound for 4428 different recipients at bungi.com. There were 791 different connections to deliver all the spam, which meant that each time the spammer used an open relay, they delivered 5 copies of the message to my system (more or less). As was typical, they used 16 different grid.net dialups (all from ipls). Here's the dialup ports they used.

Injection point IPs involved (potential source):

IP Address       Count  Status  In-addr
63.52.247.163       75  On DUL  pool-63.52.247.163.ipls.grid.net
63.52.247.230       16  On DUL  pool-63.52.247.230.ipls.grid.net
63.52.247.249       51  On DUL  pool-63.52.247.249.ipls.grid.net
63.52.247.255      173  On DUL  pool-63.52.247.255.ipls.grid.net
63.52.248.26         1  On DUL  pool-63.52.248.26.ipls.grid.net
63.52.248.100       14  On DUL  pool-63.52.248.100.ipls.grid.net
63.52.248.153        3  On DUL  pool-63.52.248.153.ipls.grid.net
63.52.248.167      156  On DUL  pool-63.52.248.167.ipls.grid.net
63.52.248.182       44  On DUL  pool-63.52.248.182.ipls.grid.net
63.52.248.186       45  On DUL  pool-63.52.248.186.ipls.grid.net
63.52.248.214      123  On DUL  pool-63.52.248.214.ipls.grid.net
63.52.248.239        3  On DUL  pool-63.52.248.239.ipls.grid.net
63.52.248.251       24  On DUL  pool-63.52.248.251.ipls.grid.net
63.52.249.16         3  On DUL  pool-63.52.249.16.ipls.grid.net
63.52.249.59       435  On DUL  pool-63.52.249.59.ipls.grid.net
63.52.249.67        14  On DUL  pool-63.52.249.67.ipls.grid.net

The spam was 4K bytes, including header. That's 32K bits. Assuming that the open relays were really, really fast, that means that it would take about 2 hours to send all 4428 spams. If he had used 10 recipients per relay, it would have been 1 hour. 20 recipients would be 30 minutes. Without the rate limiting, assuming a 20 Kbps connection speed, it would have taken about 21 minutes to send the 4428 spams. Either way, rate limiting isn't very effective.
Even rate limiting at 1Kbps only makes it 8 hours to send 4428 spams, or just over an hour a day (since these spams were delivered over a week time period). And they were using 4 to 8 dialups at a time. Even at 1Kbps, that's 50,000 to 100,000 spams per day, at 5 recipients per mail. If we go to 20, or 50, the numbers get very large, very quickly, even at 1 Kbps. That's why I think that port 25 blocking is the only way. That, and closing open relays, of course.