ietf-asrg

Re: [Asrg] Spam detection system proposal

2003-03-05 09:35:01
David F. Skoll wrote:
> On Wed, 5 Mar 2003, Chris Lewis wrote:
>
>> The question is associating the messages to get your counts.
>>
>> A spammer merely needs to have a big set of open proxies/relays and
>> seriously randomize froms, and you can no longer generate counts of
>> anything because you can't associate report "a" with report "b".
>
> It is quite expensive to gather a large set of open relays.  If you're
> sending out 500K messages, and you want to limit it to 1,000
> messages/IP, you need to find 500 open relays.

Which isn't hard. If you refuse to get your fingers dirty, you just have to download one of the open relay/proxy blacklists... But if you don't mind getting your fingers dirty, just point a scanner at Brazil. Thousands within a few hours.

> Also, a lot of spammers are pretty unsophisticated and send from DSL
> or cable-modem lines.  This scheme would get them pretty fast.

You're seeing the open relays and proxies, not the spammers themselves.

>> Based on IPs and Froms, it'd be no better, and considerably worse
>> once the spammers notice and evolve.
>
> We need experiments to tell for sure.

We can already see the spammers doing this. My autobitch bot routinely shows me specific spams that have been sent from several hundred or even a thousand different IPs in one day. And this is the viewpoint from just _one_ MTA...

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
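
An added example, not part of the original message or of either poster's tooling: the disagreement in this thread run over constructed reports, where a per-IP count catches a single-line sender but misses one campaign spread across many relays with randomized Froms, while grouping by a normalised body hash associates it. The fingerprint scheme, thresholds, addresses and function names are assumptions made for the illustration.

```python
import hashlib
import re
from collections import Counter, defaultdict

def fingerprint(body):
    """Body hash with case, whitespace and digit runs normalised (assumed scheme)."""
    text = re.sub(r"\d+", "0", body.lower())
    text = re.sub(r"\s+", " ", text).strip()
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]

def flag_by_ip(reports, threshold):
    """Source IPs whose report count reaches the per-IP threshold."""
    counts = Counter(ip for ip, _sender, _body in reports)
    return {ip for ip, n in counts.items() if n >= threshold}

def flag_by_from(reports, threshold):
    """From addresses whose report count reaches the threshold."""
    counts = Counter(sender for _ip, sender, _body in reports)
    return {s for s, n in counts.items() if n >= threshold}

def flag_by_content(reports, min_ips):
    """Map fingerprint -> distinct source IP count, for bodies seen from many IPs."""
    ips = defaultdict(set)
    for ip, _sender, body in reports:
        ips[fingerprint(body)].add(ip)
    return {fp: len(s) for fp, s in ips.items() if len(s) >= min_ips}

def constructed_reports():
    """Constructed sample data: (source_ip, from_address, body) tuples."""
    reports = []
    # One campaign: 300 relays, 3 messages each, a fresh From on every message.
    for i in range(300):
        ip = "10.%d.%d.1" % (i // 250, i % 250)
        for j in range(3):
            n = i * 3 + j
            sender = "user%d@host%d.example" % (n, i)
            reports.append((ip, sender, "Buy now!\n  Offer %d expires soon" % n))
    # One unsophisticated sender on a single line with a fixed From.
    for k in range(40):
        reports.append(("192.0.2.77", "deals@shop.example",
                        "Cheap loans, call 555-%04d" % k))
    return reports

if __name__ == "__main__":
    data = constructed_reports()
    print("flagged by IP:     ", flag_by_ip(data, 25))
    print("flagged by From:   ", flag_by_from(data, 25))
    print("flagged by content:", flag_by_content(data, 100))
```
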