On Tue, Mar 25, 2014 at 11:35:57PM -0000, John Levine wrote:
It has nothing to do with looking down on "subscribers" and everything to do with practicality. When 99.9% of mail sent directly from consumer IP ranges is botnet spam, and I think that's a reasonable estimate, [...]
Data point: it's an extremely reasonable estimate. If anything, though, it's an underestimate: the actual rate has several more 9's in it. And if the sending host (a) has generic rDNS and/or (b) fingerprints as Windows, then it approaches 100% so closely as to not be worth arguing about.

There is no point in performing any checks other than these on SMTP connections from such hosts. There is no reason to permit the conversation to continue to the DATA stage and to scrutinize the message contents. These actions are both wasteful and superfluous. The only correct action to take at this point is to issue an SMTP reject and end the conversation.

It's a pity that this is true. But a decade-plus after the botnet problem became well-known, I can't name an ISP which has developed and deployed an effective mitigation strategy against them. So far it's been band-aids (blocking port 25) and PR (press conferences and initiatives and task forces etc.).

("Botnet takedowns" are meaningless fluff and merely fodder for self-congratulatory press conferences. All those systems in the botnet are still compromised. All those systems are still vulnerable to the same attack vectors that resulted in their initial compromise. And quite likely before the ink is dry on the accompanying press release, other botnet operations will harvest them for use in their own operations. Meet the new boss, same as the old boss.)

---rsk
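The connect-stage policy rsk describes above (consumer range plus generic or missing rDNS, or a Windows passive-OS fingerprint, means reject before DATA), written out as an added illustration. This is not code from either poster or from any MTA; it is a stand-alone example. The consumer prefix (RFC 5737 documentation space), the "generic rDNS" heuristics, the label list, and the idea that an external passive fingerprinter such as p0f supplies the OS label are all assumptions; an operator would substitute a real dynamic-range feed and tune the heuristics against their own traffic.

```python
"""Connect-stage SMTP policy: decide on a client before the conversation
reaches DATA, using only its IP, its reverse name, and (optionally) a
passive-OS fingerprint supplied by the caller.

Added example, not code from the original thread. CONSUMER_RANGES,
GENERIC_LABELS and the rDNS heuristics are constructed assumptions.
"""
import ipaddress
import re

# Constructed stand-in for a real consumer/dynamic range feed (assumption).
CONSUMER_RANGES = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed labels commonly seen in dynamic-pool PTR names (assumption).
GENERIC_LABELS = {
    "dyn", "dynamic", "dsl", "adsl", "cable", "pool", "ppp", "pppoe",
    "dhcp", "dialup", "broadband", "cpe", "cust", "res", "resnet",
}

# A label such as "dsl192002045" -> alphabetic core "dsl".
_LABEL_CORE = re.compile(r"^[0-9]*([a-z]+)[0-9]*$")


def in_consumer_range(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONSUMER_RANGES)


def is_generic_rdns(ip, ptr):
    """Heuristic 'generic rDNS': the PTR embeds the client's own address
    (decimal octets in any order, zero-padded or not, or as 8 hex digits)
    or carries a dynamic-pool label."""
    addr = ipaddress.ip_address(ip)
    host = ptr.lower().rstrip(".")
    tokens = [t for t in re.split(r"[^0-9a-z]+", host) if t]

    if addr.version == 4:
        # (1) every octet appears as a delimited numeric label,
        #     e.g. cpe-192-0-2-45.example-cable.net or 192-000-002-045.x
        octets = {str(int(o)) for o in ip.split(".")}
        numeric = {str(int(t)) for t in tokens if t.isdigit()}
        if octets <= numeric:
            return True
        # (2) hex-encoded address, e.g. c000022e.example.net
        if f"{int(addr):08x}" in host:
            return True

    # (3) a dynamic-pool label, possibly with digits glued on
    for t in tokens:
        m = _LABEL_CORE.match(t)
        if m and m.group(1) in GENERIC_LABELS:
            return True
    return False


def connect_policy(ip, ptr=None, os_fingerprint=None):
    """Return (action, detail). action is 'reject' (detail is the SMTP reply
    to send before closing) or 'continue' (detail says why later checks
    still apply).

    ptr: the client's reverse name, or None if it has no PTR record.
    os_fingerprint: optional passive-OS label from an external tool
    (assumption: the caller obtains it; this code does no fingerprinting).
    """
    if not in_consumer_range(ip):
        return ("continue", "not in a consumer range; later checks apply")
    if ptr is None:
        return ("reject", "550 5.7.1 Client has no reverse DNS")
    if is_generic_rdns(ip, ptr):
        return ("reject", f"550 5.7.1 Generic reverse DNS ({ptr}) from consumer range")
    if os_fingerprint and os_fingerprint.lower().startswith("windows"):
        return ("reject", "550 5.7.1 Consumer-range client fingerprinted as end-user system")
    return ("continue", "consumer range but custom rDNS; later checks apply")


if __name__ == "__main__":
    # Constructed sample connections (not real traffic).
    samples = [
        ("192.0.2.45", "cpe-192-0-2-45.example-cable.net", None),
        ("192.0.2.46", "c000022e.example.net", None),
        ("192.0.2.47", None, None),
        ("192.0.2.48", "mail.example.org", None),
        ("192.0.2.48", "mail.example.org", "Windows 7 or 8"),
        ("198.51.100.10", "mail.example.org", None),
    ]
    for ip, ptr, fp in samples:
        print(ip, ptr, fp, "->", connect_policy(ip, ptr, fp))
```

The rejection happens at connect time, so the server never spends cycles on the HELO, envelope, or message body from these hosts; the 5.7.1 reply is also the one a misconfigured legitimate host on a consumer line gets, which is why the reply names the PTR it objected to. The heuristics are deliberately loose (any label order, zero padding, hex form) because dynamic-pool naming schemes vary widely, and the keyword list is where operators will spend their tuning time.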