[In the message entitled "Re: Stealth Blocking" on May 24, 10:23, "Eric A. Hall" writes:]
Dave Rand wrote:
I'm not sure how effective rate limiting will be. Many spammers send one copy of the spam to an open relay, but use many (2 to 50) recipients.
Rate-shapers would also work on the relays. The idea is that if ISPs would implement a default rate-limit (let's say 4kb/s) that it wouldn't interfere with normal use. It would interfere with spam distribution because it would slow down the big runs dramatically.
The negative side effect is that it cripples people who use email as a file transfer protocol.
Ok, let's have a look. Last week, I got one spam ("get a free motorola pager") which came through 168 different open relays, bound for 4428 different recipients at bungi.com. There were 791 different connections to deliver all the spam, which meant that each time the spammer used an open relay, they delivered 5 copies of the message to my system (more or less). As was typical, they used 16 different grid.net dialups (all from ipls). Here's the dialup ports they used.

Injection point IPs involved (potential source):

IP Address       Count  Status  In-addr
63.52.247.163       75  On DUL  pool-63.52.247.163.ipls.grid.net
63.52.247.230       16  On DUL  pool-63.52.247.230.ipls.grid.net
63.52.247.249       51  On DUL  pool-63.52.247.249.ipls.grid.net
63.52.247.255      173  On DUL  pool-63.52.247.255.ipls.grid.net
63.52.248.26         1  On DUL  pool-63.52.248.26.ipls.grid.net
63.52.248.100       14  On DUL  pool-63.52.248.100.ipls.grid.net
63.52.248.153        3  On DUL  pool-63.52.248.153.ipls.grid.net
63.52.248.167      156  On DUL  pool-63.52.248.167.ipls.grid.net
63.52.248.182       44  On DUL  pool-63.52.248.182.ipls.grid.net
63.52.248.186       45  On DUL  pool-63.52.248.186.ipls.grid.net
63.52.248.214      123  On DUL  pool-63.52.248.214.ipls.grid.net
63.52.248.239        3  On DUL  pool-63.52.248.239.ipls.grid.net
63.52.248.251       24  On DUL  pool-63.52.248.251.ipls.grid.net
63.52.249.16         3  On DUL  pool-63.52.249.16.ipls.grid.net
63.52.249.59       435  On DUL  pool-63.52.249.59.ipls.grid.net
63.52.249.67        14  On DUL  pool-63.52.249.67.ipls.grid.net

The spam was 4K bytes, including header. That's 32K bits. Assuming that the open relays were really, really fast, that means that it would take about 2 hours to send all 4428 spams. If he had used 10 recipients per relay, it would have been 1 hour. 20 recipients would be 30 minutes. Without the rate limiting, assuming a 20 Kbps connection speed, it would have taken about 21 minutes to send the 4428 spams. Either way, rate limiting isn't very effective.
Even rate limiting at 1Kbps only makes it 8 hours to send 4428 spams, or just over an hour a day (since these spams were delivered over a week time period). And they were using 4 to 8 dialups at a time. Even at 1Kbps, that's 50,000 to 100,000 spams per day, at 5 recipients per mail. If we go to 20, or 50, the numbers get very large, very quickly, even at 1 Kbps. That's why I think that port 25 blocking is the only way. That, and closing open relays, of course. --
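The back-of-the-envelope arithmetic in Dave Rand's message, written out as a small capacity model so the effect of the recipients-per-connection multiplier can be checked for other rate caps. This is an added example, not code from the thread; the 4K-byte message, 4428 recipients and 5 recipients per connection are the figures from the message, and the rest is a straightforward generalization.

```python
import math

# Figures taken from the message above: a 4K-byte (32K-bit) spam,
# 4428 recipients, about 5 recipients per relay connection.
MSG_BYTES = 4000
RECIPIENTS = 4428
RCPT_PER_CONN = 5


def connections_needed(recipients, rcpt_per_conn):
    """SMTP sessions needed when each session carries rcpt_per_conn RCPT TOs."""
    return math.ceil(recipients / rcpt_per_conn)


def delivery_seconds(recipients, rcpt_per_conn, msg_bytes, rate_bps):
    """Wall-clock seconds to deliver every copy over one link capped at rate_bps.

    The body crosses the link once per connection, not once per recipient,
    which is why a byte-rate cap is diluted by multi-recipient sessions.
    """
    return connections_needed(recipients, rcpt_per_conn) * msg_bytes * 8 / rate_bps


def spams_per_day(rate_bps, msg_bytes, rcpt_per_conn, dialups):
    """Recipients reachable per day by `dialups` concurrent links at rate_bps."""
    msgs_per_link = rate_bps * 86400 / (msg_bytes * 8)
    return int(msgs_per_link * rcpt_per_conn * dialups)


def scenario_table(rate_caps_bps=(1000, 4000, 20000), rcpt_counts=(5, 10, 20, 50)):
    """Hours to finish the 4428-recipient run for each (rate cap, recipients/conn)."""
    return {
        (rate, rcpt): round(delivery_seconds(RECIPIENTS, rcpt, MSG_BYTES, rate) / 3600, 2)
        for rate in rate_caps_bps
        for rcpt in rcpt_counts
    }


if __name__ == "__main__":
    for (rate, rcpt), hours in sorted(scenario_table().items()):
        print(f"{rate:>6} bps cap, {rcpt:>2} rcpt/conn: {hours:5.2f} h")
    # Throughput with 4 and 8 concurrent dialups at a 1 Kbps cap.
    for dialups in (4, 8):
        print(f"1 Kbps, {dialups} dialups: "
              f"{spams_per_day(1000, MSG_BYTES, RCPT_PER_CONN, dialups):,} spams/day")
```

The two-hours figure at 4 Kbps and the 50,000 to 100,000 per day figure at 1 Kbps both fall out of the model; raising recipients per connection divides the time linearly, which is the point the message makes.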
Last week, I got one spam ("get a free motorola pager") which came through 168 different open relays, bound for 4428 different recipients
I just peeked in my trash folder, and 6 out of the last 10 spams that I received were sent directly from dial-up spam blowers. Certainly we can agree that there are many paths spammers will take. If rate-limiting eliminates/curbs the throwaway dial-up abusers, then surely it is an effective tool in the fight. I'm not calling it a cure-all.
That's why I think that port 25 blocking is the only way. That, and closing open relays, of course.
I would say that default blocking of port 25 is a good position to take, but you can't deny that has its own problems. For one thing, the exceptions become the rule. I've noticed a trend in spam from small businesses, cable users, etc., many of whom are behind non-throwaway lines. Going to a model where "legitimate" users are unfiltered doesn't stop all spam, it only delays it at best. In this regard, rate-limiting and port-blocks are just tools in the belt, neither of them is perfect.

--
Eric A. Hall                                        http://www.ehsco.com/
Internet Core Protocols          http://www.oreilly.com/catalog/coreprot/
On Thu, 24 May 2001, Dave Rand wrote:
That's why I think that port 25 blocking is the only way. That, and closing open relays, of course.
No, that is NOT the only way. We presume that the spammer had 8 dial-up accounts. Who is this professional spammer, and how come he/she/it can still find a provider? That is the question. Perhaps also who is the merchant that ordered the promotion? The identity of such individual or company belongs on a black list. Yet the spammer is able to subscribe again tomorrow, next week, next year... and nothing happens to them. That is the point where control should be exercised.

--Mitch
NetSide
On 05/24/01, Mitch Halmu <mitch@netside.net> wrote:
Who is this professional spammer, and how come he/she/it can still find a provider? That is the question. Perhaps also who is the merchant that ordered the promotion?
The identity of such individual or company belongs on a black list. Yet the spammer is able to subscribe again tomorrow, next week, next year... and nothing happens to them. That is the point where control should be exercised.
You're certainly not the first person to suggest this; I've heard it many times over the past years, from people way kookier and/or way more clueful than you'll ever be. But, nobody's actually done it yet. What's stopping you?

--
J.D. Falk                                     SILENCE IS FOO!
<jdfalk@cybernothing.org>