Re: [Asrg] Please critique my anti-spam system
2005-01-10 07:59:08
At 2:06 AM -0500 1/10/05, Michael Kaplan wrote:
>> > Let's do the math. A spammer finds 5% of his spam reaches people.
>> Way high.
>
> Define reach. Hit the disk or eyeball? Sorry if I'm behind here.
> I think MORE reaches people.
Hits the eyeball, since disks don't buy stuff.
We'd have to get a good estimate from someplace like AOL.
Also, a lot of places block at the IP level, so the spam never gets in
to the spambox in the first place.
I would like to correct my math. If I may quote from my own website:
"Email service providers will continue their practice of blocking
the bulk of email that is suspected of being spam even before it is
accepted. Bounces are never sent to this vast amount of probable
spam that is rejected at edge."
One member of this list estimated that 90% of spam was eliminated at the
periphery, before content filtering occurs. Spam sent with a valid
sub-address will still be subjected to this blocking.
I'm getting the impression that you have essentially no practical
experience running any mail system of significant size.
The 'sub-address' model is a whitelisting mechanism. It has been used
this way for many years. Its use that way is one element of the suite
of tools that makes possible the envelope-time rejection of large
quantities of spam. Anything which exposes more sub-addresses to a
larger audience and expands the use and awareness of a standard
sub-address pattern weakens the model and weakens the ability to shun
so much spam before seeing anything but the envelope.
In short: you can't rework a part of what is now providing a 90% skim
rate and think you will not directly change that rate.
Also there is really no limit to the number of bogus email accounts that
could be fed to spammers. I mentioned a 2:1 ratio of bogus accounts to
real accounts. If this isn't enough then how about a 10:1 ratio?
Conventional thinking is that spammers don't care about bogus addresses -
but now they will.
That does not make any sense. It is inconsistent with the history of
spam. Spammers have a solid record not only of not caring about
validity, but of running brute-force and dictionary spam runs. A
standard for tagging that is more widespread than the classical
sendmail pattern and known to be used by specific addresses would be
hit the same way just as domains with obvious address patterns (e.g.
firstname(_dot_)lastname(_at_)domain) get hit now with dictionary attacks
following the patterns. You are suggesting that spammers in the
future will not behave as spammers have in the past and are behaving
in the present. It's not rational. It's not SANE.
I would also reiterate the impossibility that a company can exist in
the developing world that would decode CAPTCHA for a legitimate company
(Paypal, Amazon, etc.), then also sell the same decoded list to spammers,
and expect to keep that company's business for more than a week.
It doesn't take a week to sell a bogus list to a fool, and harvesters
have been successfully doing that for years. Repeat business is not
necessary, as the continuing stream of new garbage to old bogus
addresses here proves. The fools come in some interesting forms too.
Anyone in the US who has some older domain registrations probably
knows from their mail in the past few weeks that such foolish
companies as American Express buy years-stale lists of names and
addresses that no one should have been selling them for any reason,
even when the data was fresh and valid.
It would become INSTANTLY obvious that
the company was dishonest when every decoded address is then flooded
with spam.
So what?
If this was a problem, most of the ROKSO spammers would long be out
of business. If it were a problem, Network Solutions would not have
been selling their list of domain tech contacts for years.
Also remember that a company such as Amazon is not paying to decode
billions of CAPTCHA a year, they would likely only need to decode less
than 100,000 (and they are an enormous internet company). 100,000
addresses wouldn't even approach the daily needs of a spammer.
You are displaying your naivete. Amazon has been spamming me for
years. I've never been a customer of theirs and never will be. For
some reason they think that a role account that was used on my domain
registrations through 1997 wants their spam. 95% of what they've sent
gets rejected in SMTP, but every time they switch spam-for-hire
providers they stand some chance of getting a piece through.
Go ahead and tell me how Amazon cares about the validity of addresses
they spam. I know that's a lie.
A lot is being made of the concept that with a decoded address a
spammer can send you an enormous amount of spam in a single day. The
spammer would much prefer to send you 1 spam every day than 300 on a
single day. I would much rather receive an enormous amount of spam once
every few months than receive a little bit each day.
Again, not consistent with reality. You are assuming rational
strategic behavior on the part of spammers as a population, and that
simply is not how they have behaved or do behave and it is useless to
assume that they ever will behave that way. The fact that spamming
seems to correlate well to business failure and legal problems
(Wallace, Rines, AGIS, Jef Slaton, Jason Vale, Worldcom, Enron, Davis
Hawke, ...) is a clue that spammers and the people who do business
with them have a tendency to screw up long-term planning and behave
in ways that manage to violate the law even without spamming being
illegal. It is no accident that today's Big Spammers are almost
entirely people with felony convictions in their past (and in some
cases, probably more to come...)
Here's a data point for you regarding the specific issue of whether
spammers will choose deluge addresses. In the past 5 days I've had a
significant dip in the efficiency of my spam controls, and 39 pieces
of spam have made it to delivery on my most heavily-spammed address
(the one in my .sig...) Those 39 messages have 12 unique bodies. 4 of
the bodies have been sent in 5 copies or more. 2 of those seem from
my logs to have been offered many dozens of times (i.e. offered from
similar senders on a handful of IP addresses) over periods of 1 and 2
days, with the copies that arrived having been early ones hitting
before various spam control methods started catching them.
Frankly I think it is very sad that after a decade of experimentation
in the field and 2 years of the ASRG, the only thing keeping this
list active is a debate over the details of yet another sweepingly
naive and hopelessly unworkable FUSSP.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg