
Re: [Asrg] Spam detection system proposal

2003-03-05 08:32:30

David F. Skoll said:

> 1) Spammers want to send out lots of messages cheaply, and don't
> particularly care if any one message gets through.  Legitimate mass
> mailers want all of their messages to get through.
>
> 2) This is just a hunch, but I bet it's true:  Spammers probably have a
> higher proportion of bad addresses on their lists than mass-mailers.  We
> can help ensure this by poisoning their lists with web pages of fake
> addresses.
>
> The analogy to IDS software is apt here.  Condition (1) can be detected
> with a purely local process:  You tempfail mail from unknown senders the
> first time.  (Better, tempfail based on sender-recipient pairs).  I already
> do this, and it reduces spam by a significant percentage (20-25%) with very
> little cost to me.
>
> Condition (2) cannot be detected purely locally, but I have a proposal
> that can make it possible to detect (2).  Just as we have central clearing
> houses for checksums, we can build a system of central clearing houses
> for success/failure counts.
>
> Imagine modifying MTA software so that:
>
> - If a RCPT TO: succeeds, it sends a note saying:  "Sender xyz@domain.net
>   from IP address a.b.c.d sent a successful RCPT TO: command"
>
> - If a RCPT TO: fails, a similar failure note is sent.
>
> - Possibly, we could augment the scheme so that mail to a honeypot address
>   is noted and counts for more than a simple failure -- we could weight
>   the various addresses.
>
> The clearing house would maintain the success/failure rate over a
> sliding window of 24 hours or so.

This is a very interesting idea.   It does not even need to hook into
the MTA, just tail the log files or log database for that MTA, and report
stats from that.

To avoid this, spammers would have to

  (a) start using valid, non-forged, non-joe-job From: or Errors-To:
  addresses to collect "user unknown" DSNs, so they could clean up their
  lists;

  (b) spend money on inbound SMTP bandwidth to support (a), hence hitting
  their pockets.

A very nice, very simple idea.   It's vaguely related to another idea I've
heard, regarding a lookup database of "addresses that have bounced at my
domain recently", but that idea might have the side-effect of providing
more incentive for spammers to joe-job (haven't quite thought it through).
This one, however, does not.

Issues I can see:

- an expiry of 1 day is too short; I would say 3-5 days would be better.

- what about randomised sender addresses?  Some spamtools will generate
  a new random From: addr for each recipient.  I fear the relay IP
  address is the only trustworthy source id that can be used...

--j.
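The clearing-house scheme above (success/failure counts per sender and relay IP, a sliding window, honeypot hits weighted more than a plain "user unknown"), fed the way j. suggests by tailing MTA logs rather than hooking the MTA, as an added example that is not code from the thread. The log line format, the spamtrap addresses, the honeypot weight, the 4-day window and the sample log are all constructed for this example; a real deployment would adapt LOG_RE to its MTA's logging and would ship the parsed events to a remote aggregator rather than keeping them in-process. Events are indexed by relay IP alone as well as by (sender, IP), which is the point of j.'s last issue: a spam tool that picks a fresh random From: per recipient leaves each sender key with a single event, while the IP key still accumulates the full failure history.

```python
"""Clearing-house simulation for the RCPT TO: success/failure scheme.

Added example, not code from the ASRG thread.  The log line format, the
spamtrap addresses, the weights and the sample log are constructed here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed (hypothetical) log format, one line per RCPT TO: result:
#   <ISO timestamp> rcpt from=<sender> ip=<relay ip> to=<recipient> status=<ok|unknown_user>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) rcpt from=<(?P<sender>[^>]*)> ip=(?P<ip>\S+) "
    r"to=<(?P<rcpt>[^>]*)> status=(?P<status>ok|unknown_user)$"
)

# Assumed spamtrap addresses: any RCPT TO: one of these is a weighted failure,
# whatever the MTA answered (the trap accepts the mail so the hit is logged).
HONEYPOT_ADDRESSES = {"trap-001@example.org", "webbug@example.org"}
HONEYPOT_WEIGHT = 5                # assumed: one trap hit = five user-unknown failures
WINDOW = timedelta(days=4)         # j.'s suggested 3-5 days rather than a 24h window
NOW = datetime(2003, 3, 5, 8, 30)  # "current time" for the constructed sample


class ClearingHouse:
    """Keeps weighted success/failure events per key inside a sliding window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self._events = defaultdict(list)   # key -> [(ts, weight, success), ...]

    def report(self, ts, sender, ip, rcpt, status):
        if rcpt in HONEYPOT_ADDRESSES:
            success, weight = False, HONEYPOT_WEIGHT
        else:
            success, weight = status == "ok", 1
        ev = (ts, weight, success)
        # Index by relay IP alone (robust to a random From: per recipient)
        # and by (sender, IP) for mailers that use a stable sender.
        self._events[("ip", ip)].append(ev)
        self._events[("sender", sender, ip)].append(ev)

    def stats(self, key, now):
        """Weighted ok/bad counts and failure rate for key within the window."""
        cutoff = now - self.window
        kept = [e for e in self._events[key] if e[0] >= cutoff]
        self._events[key] = kept           # expire events that fell out of the window
        ok = sum(w for _, w, s in kept if s)
        bad = sum(w for _, w, s in kept if not s)
        total = ok + bad
        return {"ok": ok, "bad": bad, "fail_rate": bad / total if total else 0.0}


def ingest_log(ch, lines):
    """Tail-style ingestion: parse each log line and report it. Returns lines parsed."""
    parsed = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                       # not a RCPT result line; ignore it
        ch.report(datetime.fromisoformat(m["ts"]), m["sender"], m["ip"],
                  m["rcpt"], m["status"])
        parsed += 1
    return parsed


def suspicious(ch, ip, now, min_events=5, threshold=0.5):
    """Flag a relay IP whose weighted failure rate exceeds threshold (thresholds assumed)."""
    s = ch.stats(("ip", ip), now)
    return (s["ok"] + s["bad"]) >= min_events and s["fail_rate"] > threshold


# Constructed sample log: a legitimate list mailer at 198.51.100.7 with a stable
# sender, and a spam relay at 192.0.2.10 using a fresh random From: per recipient.
# The first line is older than the window and is expired by stats().
SAMPLE_LOG = """\
2003-02-28T09:00:00 rcpt from=<news@mailer.example.com> ip=198.51.100.7 to=<alice@example.org> status=ok
2003-03-05T08:00:00 rcpt from=<news@mailer.example.com> ip=198.51.100.7 to=<bob@example.org> status=ok
2003-03-05T08:00:01 rcpt from=<news@mailer.example.com> ip=198.51.100.7 to=<carol@example.org> status=ok
2003-03-05T08:00:02 rcpt from=<news@mailer.example.com> ip=198.51.100.7 to=<dave@example.org> status=ok
2003-03-05T08:00:03 rcpt from=<news@mailer.example.com> ip=198.51.100.7 to=<erin@example.org> status=ok
2003-03-05T08:00:04 rcpt from=<news@mailer.example.com> ip=198.51.100.7 to=<gone@example.org> status=unknown_user
2003-03-05T08:10:00 rcpt from=<a8f2k@hotmail.example> ip=192.0.2.10 to=<alice@example.org> status=ok
2003-03-05T08:10:01 rcpt from=<q9z1x@yahoo.example> ip=192.0.2.10 to=<zzz@example.org> status=unknown_user
2003-03-05T08:10:02 rcpt from=<m3n7p@aol.example> ip=192.0.2.10 to=<trap-001@example.org> status=ok
2003-03-05T08:10:03 rcpt from=<k2j4h@msn.example> ip=192.0.2.10 to=<old-user@example.org> status=unknown_user
Mar  5 08:11:00 mx postfix/smtpd[123]: connect from unknown (this line does not parse)
"""


def run_demo(now=NOW):
    """Ingest the constructed log into a fresh clearing house; returns (house, lines parsed)."""
    ch = ClearingHouse()
    parsed = ingest_log(ch, SAMPLE_LOG.splitlines())
    return ch, parsed


if __name__ == "__main__":
    house, n = run_demo()
    print("parsed", n, "RCPT results")
    for relay in ("198.51.100.7", "192.0.2.10"):
        print(relay, house.stats(("ip", relay), NOW),
              "SUSPICIOUS" if suspicious(house, relay, NOW) else "ok")
```

With the constructed data the list mailer ends the window at 4 successes to 1 failure, while the spam relay scores 1 success against 7 weighted failures (two user-unknowns plus one trap hit at weight 5) and is flagged; the per-sender key for any one of its random From: addresses holds a single event, so no per-sender threshold would ever trip.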
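The purely local check for condition (1), tempfailing the first attempt for an unseen (relay IP, sender, recipient) triplet and letting a genuine retry through, as an added example that is not code from the thread. The 5-minute minimum retry delay and the SMTP reply texts are assumed; the constructed timeline shows a real MTA retrying and passing, a fire-and-forget spam tool never retrying, and the same sender reaching a second recipient being greylisted again because the check is per pair, not per sender.

```python
"""Greylisting on (relay IP, sender, recipient) triplets.

Added example, not code from the ASRG thread.  Delay value, reply texts
and the simulated timeline are assumed for the illustration.
"""
from datetime import datetime, timedelta

GREY_DELAY = timedelta(minutes=5)   # assumed: a retry sooner than this is still tempfailed
T0 = datetime(2003, 3, 5, 8, 0)     # start of the constructed timeline


class Greylist:
    """Tempfail the first delivery attempt for each unseen triplet."""

    def __init__(self, delay=GREY_DELAY):
        self.delay = delay
        self._first_seen = {}   # (ip, sender, recipient) -> time of first attempt
        self.passed = set()     # triplets that retried after the delay

    def check(self, ip, sender, recipient, now):
        """Return (smtp_code, text) for one RCPT TO: attempt."""
        key = (ip, sender.lower(), recipient.lower())
        first = self._first_seen.get(key)
        if first is None:
            self._first_seen[key] = now          # remember and tempfail the first try
            return 450, "4.7.1 Greylisted, please try again later"
        if now - first < self.delay:
            return 450, "4.7.1 Greylisted, please try again later"   # retried too soon
        self.passed.add(key)
        return 250, "2.1.5 Ok"


def simulate_retries(gl, ip, sender, recipient, start, offsets_minutes):
    """Attempt delivery at start + each offset (minutes); return the SMTP codes."""
    return [gl.check(ip, sender, recipient, start + timedelta(minutes=m))[0]
            for m in offsets_minutes]


if __name__ == "__main__":
    gl = Greylist()
    # A real MTA retries its deferred queue: second try too soon, third succeeds.
    print("list mailer:", simulate_retries(
        gl, "198.51.100.7", "news@mailer.example.com", "alice@example.org", T0, [0, 2, 15, 60]))
    # A spam tool that makes one attempt per address never gets a 250.
    print("spam relay: ", simulate_retries(
        gl, "192.0.2.10", "a8f2k@hotmail.example", "alice@example.org", T0, [0]))
    # Same mailer, new recipient: a new pair, so it is greylisted again.
    print("new pair:   ", simulate_retries(
        gl, "198.51.100.7", "news@mailer.example.com", "bob@example.org", T0, [0]))
```

The cost to the site is the bookkeeping and a delay on first contact; the cost to the spammer is having to keep per-recipient retry state and come back, which is exactly what a cheap one-shot mailing run does not do.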
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg