At 7:44 AM -0500 4/6/03, Brad Spencer wrote:
> At 02:22 PM 4/4/2003 -0500, you wrote:
>> Given that blacklisters range from those who block the IP, to those
>> who block an entire range of IPs. And given that you are depending
>> on blacklisters testing for delivery and not just existence. And
>> given that the detection process has to be manual, and has to
>> distinguish between blacklister tests and spammer tests. I don't
>> think you are going to find a lot of people willing to set up
>> honeypots of this type.
>
> The psychology you describe is interesting, may even be pertinent,
> but I ask that such considerations be

It's a pain to do, and it can get my mail server shut down if I make
a mistake. That's not a very complex piece of psychology.
Show me a risk-free, automatic process to do it, and then you'll have
some takers. Please do not assume that everyone fighting spam is
sitting around with spare IP addresses and lots of free time.

> removed from the engineering aspects while the value of a method is
> being considered. Honeypots, implemented properly, are 100%
> effective in stopping spam and 100% effective in avoiding collateral
> damage. They may succeed in identifying the IP a spammer is using
> (this now more likely happens with

They "stop" spam only if the spammer has so many open proxies that
they don't know which to choose from. Spammers don't send a message
once to each person and then stop. They send things over and over
again. If you don't like psychology, then maybe you could give us
the math. How many fake proxies do you need? I'm sure it's possible
to calculate. Given N real open-proxies, how many fake ones do you
need before the amount of spam being sent drops to a negligible
level? (Sorry, it's been way too many years since my probability
course.) Don't forget. If you start having a noticeable impact on
the amount of spam, the spammers will start taking countermeasures
to see if they can tell real proxies from fake ones.

> open proxy honeypots), which can allow notice to the spammer's ISP
> and possible termination of the spammer. In any case a full
> honeypot, in operation, may succeed in stopping significant amounts
> of spam. This is spam directed at others but it can be several
> orders of magnitude greater than the spam that would go to the
> operator of that honeypot, were it to have a published email
> address. Tremendously successful honeypots have been implemented
> using laughable equipment: 1 100 MHz 486 DX4, a 120 MHz

I really don't care about CPUs. I care about how much real time I
have to spend monitoring something. And I care about the fact that I
have a limited supply of IP addresses and I currently run real mail
servers on them. If someone mistakes my honeypot for the real
thing--I'm screwed.

> which spammers are associated with other spammers. It might not, of
> course - some simply could be using the same purchased tool. Still,
> watching relay tests is watching spammers. That's worth doing.

Absolutely. I didn't once say that this was not a valuable test
tool. Please don't confuse the two issues.
--
Kee Hinckley
http://www.messagefire.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg