Re: How do you stop outgoing spam?
Valdis wrote:

#Most spam-fighting efforts on the technical side make the basic assumption
#that spam has similar characteristics to a properly designed TCP stack - that
#dropped/discarded spam-grams will trigger backoff at the sender. Unfortunately,
#discarding a high percentage of the grams will trigger a retransmit multiple times.

Actually, our experience *does* follow the backoff paradigm: if you block a particular source of spam, that rejection *does* seem to trigger "message volume" backoff at the source, with only periodic check probes apparently designed to see if the spam source is really still blocked (and of course it really still is).

Now it is true that in many cases the spammer *will* do a set of probes in an effort to see just how broad a given block is (e.g., is it just a /32 that's being blocked? is it my entire netblock? is it a domain based filter? can I slide in via an open SMTP relay or an abusable proxy server?), but at least here at the U of O, we're NOT seeing spammers waste their time attempting delivery of hundreds or thousands of messages per day via hosts that have been identified and filtered.

Regards,

Joe

On Tue, 10 Sep 2002 09:12:15 PDT, Joe St Sauver said:
> Actually, our experience *does* follow the backoff paradigm: if you block a particular source of spam, that rejection *does* seem to trigger "message volume" backoff at the source, with only periodic check probes apparently designed to see if the spam source is really still blocked (and of course it really still is).

Yes - but since they need to have N replies to their spam to make it worth the effort, they will just pound on somebody ELSE. I saw one quote from a very unapologetic spammer who was complaining that with all these blocks he had to send a lot more spam and his costs were up 1000% as a result.

Let's say a spammer needs 100 replies to turn a profit, and 1% of the things that make it into a mailbox get a reply. If nobody blocks spam, then the spammer only needs to send 10K messages before he profits. If 99% of spam is blocked, he has to send a million. That's why we're seeing statistics like "receives 2 billion pieces of mail a day and 80% is spam".

Think of it like a host with multiple A records - if one A goes down, they *do* stop trying that one, but they then fail to use backoff on the OTHER addresses.... ;)

--
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech

Point of information: Can you really distinguish all this intentionality vs. the spammer just changing which relay to rape? Perhaps because the raped relay was shut down or secured when the owner found out what was going on? Or the spammer just switching relays to rape for no specific reason other than they seem to "go bad" after a few hours so use one for a while (perhaps a batch of addresses to spam) and then switch to the next in the list?

On September 10, 2002 at 09:12 JOE@OREGON.UOREGON.EDU (Joe St Sauver) wrote:
> Actually, our experience *does* follow the backoff paradigm: if you block a particular source of spam, that rejection *does* seem to trigger "message volume" backoff at the source, with only periodic check probes apparently designed to see if the spam source is really still blocked (and of course it really still is).
>
> Now it is true that in many cases the spammer *will* do a set of probes in an effort to see just how broad a given block is (e.g., is it just a /32 that's being blocked? is it my entire netblock? is it a domain based filter? can I slide in via an open SMTP relay or an abusable proxy server?), but at least here at the U of O, we're NOT seeing spammers waste their time attempting delivery of hundreds or thousands of messages per day via hosts that have been identified and filtered.
>
> Regards,
> Joe

--
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989     *oo*

participants (3): Barry Shein, Joe St Sauver, Valdis.Kletnieks@vt.edu