ietf-asrg

[Asrg] Re: Consent protocols - was E-postage

2004-04-30 14:36:41
On Fri, 30 Apr 2004, John Levine wrote:
f. Sender pretends to be 300 other people and sends you buckets of spam.

Bad guys won't play by your rules.

That's not an assumption in the example. Sender can't pretend to be a
different Src IP.

The spam senders I know, with their farms of zombies, don't have to
pretend to be different source IPs, because each zombie has a separate
IP all of its own.

That's not a problem. Each IP is a new Source; since it has no
reputation, it will be allocated 1msg/h (or whatever your initial
setting is). That means that you're down to 300 spam/h received in your
entire domain.

Now, if you like, add greylisting for unknown senders, so that those 300
msgs won't be accepted on the first try. Then, add a distributed
blacklist which you check your mailqueue against before delivery to
users' inboxes. Application of the blacklist can be part of whatever
other content spam filters the user has.

Now, each zombie can be used roughly once, before it gets into the
blacklist (they probably expire at some point). Spam sent from a
blacklisted zombie won't affect anyone who checks the list.

If you want some feedback to the zombie'd user, add a blacklist check to
your webpage - replace normal content with "This web page can not be
viewed by virus-infected client machines." - and maybe people would have
cause to clean up their PCs.

-- 
David Maxwell, david(_at_)vex(_dot_)net|david(_at_)maxwell(_dot_)net
--> Unless you have a solution when you tell them things like that, most
people collapse into a gibbering, unthinking mass. This is the same reason
why you probably don't tell your boss about everything you read on BugTraq!
    - Signal 11


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
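
The receiving-side pipeline the message describes (an initial per-source quota, greylisting of unknown senders, and a blacklist check on the queue before delivery), as an added example that is not part of the original post. The class and function names, the 300-second greylist wait, the single retry after 10 minutes, the constructed 10.0.x.x addresses and the assumption that 270 of the 300 zombies are listed by delivery time are all illustrative.

```python
from collections import defaultdict

INITIAL_QUOTA = 1      # msgs/hour for a source with no reputation (the post's figure)
GREYLIST_WAIT = 300    # assumed: seconds before a first-seen triplet is accepted

class InboundPolicy:
    def __init__(self, blacklist):
        self.blacklist = blacklist            # stand-in for a distributed blacklist
        self.accepted = defaultdict(list)     # source IP -> accept timestamps
        self.first_seen = {}                  # (ip, sender, rcpt) -> first attempt
        self.queue = []                       # accepted, not yet delivered

    def attempt(self, now, ip, sender, rcpt):
        """Decide one SMTP delivery attempt: greylist first, then per-IP quota."""
        first = self.first_seen.setdefault((ip, sender, rcpt), now)
        if now - first < GREYLIST_WAIT:
            return "defer-greylist"
        recent = [t for t in self.accepted[ip] if now - t < 3600]
        if len(recent) >= INITIAL_QUOTA:
            return "defer-rate"
        self.accepted[ip] = recent + [now]
        self.queue.append((ip, sender, rcpt))
        return "queued"

    def deliver(self):
        """Re-check queued mail against the blacklist before it reaches inboxes."""
        kept = [m for m in self.queue if m[0] not in self.blacklist]
        dropped = len(self.queue) - len(kept)
        self.queue = []
        return kept, dropped

def simulate(zombies=300, per_zombie=50, listed=270):
    """Constructed run: each zombie IP offers per_zombie messages, retried once."""
    ips = [f"10.0.{i // 250}.{i % 250 + 1}" for i in range(zombies)]
    policy = InboundPolicy(blacklist=set())
    counts = defaultdict(int)
    for now in (0, 600):                      # first try, then retry 10 min later
        for ip in ips:
            for n in range(per_zombie):
                counts[policy.attempt(now, ip, f"s{n}@example.net",
                                      f"user{n}@example.org")] += 1
    # Assumed: other sites have reported `listed` of the zombies by delivery time.
    policy.blacklist.update(ips[:listed])
    kept, dropped = policy.deliver()
    return counts["queued"], len(kept), dropped

if __name__ == "__main__":
    print(simulate())   # (queued, delivered, dropped at the blacklist check)
```

Of the 15,000 messages offered, the quota caps acceptance at one per zombie IP in the hour, and the queue-time blacklist check removes those whose source was listed in the meantime.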