ietf-asrg
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Asrg] Re: 2.a.1 Analysis of Actual Spam Data - Spam Attack Characteristic

2003-08-26 23:32:08
from [Hector Santos] [Permanent Link] 
I would like to add a new item to the Spam Attack Characteristics section.

How Spammer react to rejections/denials:

This may be related to "How long to floods last", but I believe it needs to
be a separate consideration.

Background:

One characteristic I found with our anti-spam features in our email software
is how spammers react depending on when a rejection or denial is performed.

IP filtering is performed when the connection arrives before the SMTP
session is started.  If the IP is denied (using one of many methods,  RBL or
internal filter list),  the denied/rejection response is delayed until the
spammer reaches the RCPT TO: state of the SMTP client/server conversation.

If the session is disrupted or negative unexpected responses are sent prior
to the RCPT TO: state,  we found that the spammer attack frequency
increases.

It seems when the SPAMMER has "learned" about the email address (good or
bad) at the RCPT TO: state, it is only then that it does not alter or
reschedule the attack.   It may try again at some other time, but it will
not be immediate.

Of course, it is not across the board behavior, but the behavior was most
obvious when we added our anti-spam IP/RBL features to our software.

In addition, we also added filtering at the DATA stage.   This presented a
double-edge sword.

Although, email was filtered for the final recipients, the rejection DATA
response has contributed to the attack frequency.

We need to look keep in mind what these spammers are selling - Email
Addresses to potential advertisers.
I believe the #1 commodity to the spammers is the email address.    They
could care less about the content of the mail or whether there exist
filtering technology at the receiving system or at the end-user.   As a
developer, if I was to write a spamming too,  getting that email information
from the RCPT TO: state is the most important piece of information I want to
found out about.

So how spammer react to denies/rejection is a very important considering any
future designs or methods proposed.

Ultimately the less the spammer  know about an email address, the better.

----

Hector Santos
WINSERVER "Wildcat! Interactive Net Server"
support: http://www.winserver.com
sales: http://www.santronics.com




_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
  • [Asrg] Re: 2.a.1 Analysis of Actual Spam Data - Spam Attack Characteristic, Hector Santos <=
Previous by Date:  Re: [Asrg] 2.a.1 Analysis of Actual Spam Data - next steps (reflection), Kurt Magnusson
Next by Date:  Re: [Asrg] [7b BCP] What may be, versus what is., Alan DeKok
Previous by Thread:  Re: [Asrg] 2.a.1 Analysis of Actual Spam Data - next steps (reflection), Kurt Magnusson
Next by Thread:  Re: [Asrg] [7b BCP] What may be, versus what is., Alan DeKok
Indexes:  [Date] [Thread] [Top] [All Lists]