Re: [Asrg] hashcash, was My take on e-postage
2004-04-26 16:28:16
80% of spam detected by this method (it's catching approximately
65-70% of all of our spam) is coming from detections less than 4
days old. 90% < 6 days old. 95% < 12 days old.
Can you tell us the number of hosts in each category? And how long hosts
remain infected? That would give us an idea of the gross flows into and
out of infected status.
Here's a table:
Age (days)   IP Count/cum%     Hit Count/cum%
0              67974/  5.0     174862/ 25.4
1              65816/  9.8     184589/ 52.1
2              54233/ 13.8     118338/ 69.3
3              48207/ 17.4      50991/ 76.7
4              38517/ 20.2      45567/ 83.3
<snip>
24             32483/ 85.7       1000/ 98.6
25             38186/ 88.5       4719/ 99.3
26             42249/ 91.6       1393/ 99.5
27             41198/ 94.7       1816/ 99.7
28             39267/ 97.6       1487/ 99.9
29             33023/100.0        396/100.0
30               261/100.0          0/100.0
Totals       1360713/  100     689529/  100
We expire after 30 days.
I don't get it. Why is the hit count for some days so much lower than
the host count?
Anyway, assuming your figures are correct, that indicates that 2/3rds
of the hosts are rolling around to the beginning of the list again,
because they're being detected as new immediately after being expired.
That in turn seems to suggest 25k new zombies per day, rather than 70k.
The total zombie pool is probably a more reliable figure, which I'll
round up to 1500k.
Assuming they're maximally used for sending spam for about 4 days on
average, that's a sending pool of about 100k machines. If each has an
average 128Kbit DSL uplink, that's equivalent to about 8000 T1s, each
at 30k spams per second, totalling 240M spams per second. Rather a lot
of bandwidth to draw upon, isn't it?
Now let's assume that hashcash is widely deployed, but that the
spammers have now set up a reasonably efficient P2P network between the
zombies, allowing even the blacklisted ones to generate stamps for the
others. Most zombies won't be screaming top-of-the-line boxes, rather
there'll be a lot of 1-CPU Celerons and the like, so say 4 seconds per
20-bit collision on average.
With 1.5M of them churning away, that's 375k spams a second - a massive
3 orders of magnitude reduction compared to 240M, even if it is still
enough to saturate 12 T1s.
So, OK, this is definitely going to turn off the non-hardcore spammers.
Those that are left will be the ones to send the law after. Theft of
service and computer intrusion on this kind of scale is a crime, no
matter whether the actual spam is.
--------------------------------------------------------------
from: Jonathan "Chromatix" Morton
mail: chromi(_at_)chromatix(_dot_)demon(_dot_)co(_dot_)uk
website: http://www.chromatix.uklinux.net/
tagline: The key to knowledge is not to rely on people to teach you it.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
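
An added illustration of the stamp cost the message above estimates (not code from the thread or from the hashcash project): a simplified hashcash version 1 minter and verifier, plus the pool-rate division using the message's own figures. The recipient address, date and random field are constructed values, the counter is written in hex rather than the base64 the real tool uses, and date expiry checking is omitted.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest):
    """Number of zero bits at the start of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def mint(resource, bits=20, date="040426", rand="c0nstructedSalt"):
    """Sender side: try counters until SHA-1(stamp) starts with `bits` zero bits.
    Returns (stamp, hashes tried); the expected number of tries is 2**bits."""
    prefix = f"1:{bits}:{date}:{resource}::{rand}:"
    for counter in count():
        stamp = f"{prefix}{counter:x}"
        if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) >= bits:
            return stamp, counter + 1

def verify(stamp, resource, min_bits, seen):
    """Receiver side: a single hash, however much work the sender spent."""
    fields = stamp.split(":")  # ver:bits:date:resource:ext:rand:counter
    if len(fields) != 7 or fields[0] != "1" or not fields[1].isdecimal():
        return False
    if fields[3] != resource:          # stamp was minted for someone else
        return False
    if int(fields[1]) < min_bits:      # sender claims too little work
        return False
    if leading_zero_bits(hashlib.sha1(stamp.encode()).digest()) < int(fields[1]):
        return False                   # claimed work was not actually done
    if stamp in seen:                  # replayed stamp (double spend)
        return False
    seen.add(stamp)
    return True

def pool_rate(hosts, seconds_per_stamp):
    """Aggregate stamps per second when every host mints in parallel."""
    return hosts / seconds_per_stamp

if __name__ == "__main__":
    stamp, tries = mint("asrg@example.org")  # constructed recipient
    print(stamp, "after", tries, "hashes; expected about", 2 ** 20)
    print("accepted:", verify(stamp, "asrg@example.org", 20, set()))
    print("pool rate:", pool_rate(1_500_000, 4), "stamps/s")
```

Because the recipient is hashed into the stamp and the receiver remembers stamps it has seen, each stamp pays for one message to one address, which is why the estimate divides the pool size by the per-stamp time.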