At 4:37 PM -0400 5/19/03, Eric Dean wrote:
>
> For example, if 90% of spam is forged, then RMX, C/R, and
> authentication schemes could do a lot against spam (modulo their
> other problems).
> It's not a large step to estimate that 90% of spam is forged.
> 1) However, much of that spam can be filtered using simple sender domain
> checks. Many spammers use bogus domains and maybe 5-10% of spam is dropped
> accordingly.
> 2) The next value is to do a HELO hostname check..about 10-20% is dropped as
> well. However, there are casualties for very large companies...such as
> bellsouth and verizon whereby I have to punch holes in my filters.
> 3) Then I could be more aggressive and apply a reverse-dns check on the
> initiating source IP. Doing so is also effective, however, all DSL and
> carrier Dial networks in-addr their IP pools...yet many mail admins don't.
> I have about another 5-10% of my spam come from unresolved IPs..but instantly
> the phones light up..cost me money..and I'm out of business. The tough-love
> approach is suicidal stupidity.
> 4) Then OK, so now we go with RBL, to identify the pools..that'll
> work..costs non-trivial money..but it works for that flavor of spam..maybe
> 5%.
Well, actually I collected some of this data as well. But without
corresponding data on non-spam, it's not very useful. Certainly each
of the steps you outline includes an increased number of false
positives.
There were 7376 unique senders.
4298 had some "problem" with the HELO or DNS information.
10 No A record for the HELO domain
702 The hostname for the HELO doesn't resolve
1330 Unqualified domain in the HELO
2030 Sender domain does not match the HELO
76 DNS Failed or timed out
1000 No DNS A data (not sure how this differs from the first)
8 Bad DNS Q Data Format (?)
101 Pipelined
(Pipelining was detected by spotting cases where an error was
returned which should have terminated the transaction, but they kept
sending commands, up to and including the content of the message.)
Obviously those all overlapped a good deal. Your immediate reaction
might be to make sure that the sender domain matches the HELO. After
all, it would nail half the spam right there. But then again, it
would also block most of the mail coming from my domain and many
others. My mail server always uses the primary domain name in the
HELO, no matter which domain it sends for. That's probably true of
most servers.
--
Kee Hinckley
http://www.messagefire.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society
I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
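To make the checks argued over above concrete, here is an offline model of Eric's filter steps (sender-domain, HELO, reverse DNS) and a tally in the shape of Kee's table. It is an added example, not code from either poster or from messagefire. All DNS answers come from constructed in-memory tables so it runs with no network; every hostname, address, sample transaction, the two policy sets and the functions check_transaction, tally and rejected are assumptions made for the illustration.

```python
"""Offline model of the sender-domain, HELO and reverse-DNS checks from the
thread, plus a per-check tally.  Added example, not either poster's code.
All DNS data and every transaction below are constructed for illustration."""
from collections import Counter

# Constructed forward DNS: name -> A record.  Absent name = no A data.
FAKE_A = {
    "mail.example.net": "192.0.2.10",
    "example.net": "192.0.2.10",
    "example.org": "192.0.2.20",        # hosted on mail.example.net
    "mx.bigisp.example": "198.51.100.5",
    "bigisp.example": "198.51.100.5",
    "dsl-pool-7.bigisp.example": "198.51.100.77",
}
# Constructed reverse DNS: ip -> PTR.  The ISP in-addr's its DSL pool.
FAKE_PTR = {
    "192.0.2.10": "mail.example.net",
    "198.51.100.5": "mx.bigisp.example",
    "198.51.100.77": "dsl-pool-7.bigisp.example",
}
TIMEOUT_NAMES = {"slowdns.example"}   # lookups that time out, not NXDOMAIN


class DnsTimeout(Exception):
    pass


def resolve_a(name):
    if name in TIMEOUT_NAMES:
        raise DnsTimeout(name)
    return FAKE_A.get(name)


def check_transaction(src_ip, helo, mail_from):
    """Return the set of problem labels for one (ip, HELO, MAIL FROM)."""
    problems = set()
    helo = helo.lower()
    sender_domain = mail_from.rpartition("@")[2].lower()

    # Step 1: does the MAIL FROM domain exist at all?  An empty reverse
    # path (bounces) has no domain, so it is exempt from sender checks.
    if sender_domain:
        try:
            if resolve_a(sender_domain) is None:
                problems.add("sender_domain_bogus")
        except DnsTimeout:
            problems.add("dns_failed")

    # Step 2: HELO hostname checks.  An address literal such as
    # [192.0.2.10] is legal SMTP, so it skips the hostname checks.
    if not (helo.startswith("[") and helo.endswith("]")):
        if "." not in helo:
            problems.add("helo_unqualified")
        else:
            try:
                if resolve_a(helo) is None:
                    problems.add("helo_no_a")
            except DnsTimeout:
                problems.add("dns_failed")
        if sender_domain and not (helo == sender_domain
                                  or helo.endswith("." + sender_domain)):
            problems.add("helo_sender_mismatch")

    # Step 3: reverse DNS on the connecting IP.
    if src_ip not in FAKE_PTR:
        problems.add("no_rdns")
    return problems


def tally(transactions):
    """Per-check counts plus an any-problem count.  The per-check numbers
    overlap, as Kee notes for his 4298 figure."""
    per_check, any_problem = Counter(), 0
    for src_ip, helo, mail_from in transactions:
        problems = check_transaction(src_ip, helo, mail_from)
        per_check.update(problems)
        any_problem += bool(problems)
    return {"unique_senders": len(transactions),
            "any_problem": any_problem, **per_check}


# Labels a policy rejects on.  AGGRESSIVE adds the HELO/sender match and
# rDNS checks that both posters say hit legitimate mail.  A DNS timeout is
# never a reject reason: the right SMTP answer there is a 4xx retry.
CONSERVATIVE = {"sender_domain_bogus", "helo_unqualified", "helo_no_a"}
AGGRESSIVE = CONSERVATIVE | {"helo_sender_mismatch", "no_rdns"}


def rejected(transactions, policy):
    """MAIL FROM addresses a policy would reject outright."""
    return [mf for ip, helo, mf in transactions
            if check_transaction(ip, helo, mf) & policy]


# Constructed transactions: (connecting IP, HELO argument, MAIL FROM).
SAMPLE_TRANSACTIONS = [
    ("192.0.2.10", "mail.example.net", "alice@example.net"),       # clean
    ("192.0.2.10", "mail.example.net", "bob@example.org"),         # legit: HELO is the server's primary domain
    ("198.51.100.5", "mx.bigisp.example", "carol@bigisp.example"), # clean
    ("203.0.113.9", "localhost", "deals@nosuchdomain.example"),    # unqualified HELO, bogus sender, no rDNS
    ("203.0.113.10", "mail.example.net", "offer@bogus.example"),   # forged HELO of a real host
    ("198.51.100.77", "dsl-pool-7.bigisp.example", "win@slowdns.example"),  # sender lookup times out
    ("203.0.113.11", "www.nosuchhost.example", "me@nosuchhost.example"),    # HELO has no A record
]

if __name__ == "__main__":
    for label, count in sorted(tally(SAMPLE_TRANSACTIONS).items()):
        print(f"{count:5d}  {label}")
    print("conservative rejects:", rejected(SAMPLE_TRANSACTIONS, CONSERVATIVE))
    print("aggressive rejects:  ", rejected(SAMPLE_TRANSACTIONS, AGGRESSIVE))
```

Run it and the per-check counts add up to more than the number of senders with any problem, which is the overlap Kee points out in his own numbers. The second transaction is the case he describes: a server that always HELOs with its primary domain while sending for a hosted one. It trips only the HELO/sender match, so the conservative policy delivers it and the aggressive one bounces it. Swap the constructed tables for real resolver calls and the same shape of tally, run over ham as well as spam, is what you would need before turning any of these checks into a hard reject.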