On Thu, 2004-02-12 at 15:50, Daniel Feenberg wrote:
On Thu, 12 Feb 2004, Jose Marcio Martins da Cruz wrote:
Eugene Crosser wrote:
On Wed, 2004-02-11 at 20:02, Jose Marcio Martins da Cruz wrote:
This may indicate that many spam is sent by a distributed system of
workers, and not by open relays.
If this is the case, and if this kind of way continues - the tendance
will be to have more and more IP addresses to be inserted on blacklists.
But if we agree that great majority of spam comes from zombies, why
should we continue to use blacklists.
We use blacklists and we have one DNS server serving rbl requests.
named process in this machines eats almost 900 MBytes of memory. Sure,
memory is cheap, disk is cheap, bandwidth is cheap - but ther's a
limit if blacklists are less efficient than other methods.
Or maybe I'm wrong.
Can you explicate further? I would have thought that zombies were
an ideal target for an RBL. They produce only spam, so there is no
problem of blocking legitimate mail and their owners do not complain
about the listing.
May I try?
1. When you blacklist an open relay, you can verify with almost 100%
accuracy that this is in fact an open relay. Alleged zombie cannot be
verified to be a zombie with that level of certainty.
2. Even initial allegation of an IP address as a zombie may be
problematic. They often send only a few hundred spam messages at a
time. You can expect the same to come from a perfectly legal ISP server
before their antispam facilities are triggered and the offending client
3. Given the rate at which the number of infected machines may grow, the
data in blacklist is doomed to lag behind, and there will be significant
number of not-yet-blocked active zombies.
That's why I think that blacklisting is a poor remedy for zombie
Asrg mailing list