
Re: [Asrg] Re: HTML-burdened email

2007-01-28 22:02:56

Peter J. Holzer wrote:
On 2007-01-27 19:43:23 -0600, gep2(_at_)terabites(_dot_)com wrote:
Well, 50% of our users are being sent almost no spam.  
Your users are very fortunate.

Nope. That's the normal distribution. Many users get almost no spam,
many get an intermediate amount of spam and a few literally drown in
spam.

Indeed.  Such a distribution is consistent with everyone I've talked to
who has made such measurements.

Perhaps they haven't had those E-mail addresses for very long, or
don't do much with them.

Some of them have had them for many years and get almost none.  Others
have had them for a matter of months, and drown.

One of the leading causes of getting deluged is being a member of IETF
lists....

But that doesn't help with the guy getting sent 4000/day.  Or even
the hundreds getting 50 or more.
I don't see why my approach won't handle such cases with ease.

That guy has to scan through 4000 messages each day to check if there
wasn't one which he did want. Maybe not every day, but at least every
time he suspects that a mail might have been blocked.

It's physically impossible to find one or two legits out of 4000/day.

Introductory E-mails should NOT automatically presume the desire or
willingness of the recipient to receive HTML-burdened E-mails.
But if all spam were indistinguishable from "introductory e-mails",
where are you then?
No worse than at present.

Depends on what you define as "better" and "worse". You will get less
spam (about 50% less, I would guess from looking through my spambox),
but you will also get less legitimate mail (I don't know how common HTML
mail is on average - that seems to vary a lot). 

It's _very_ high here.  Corporate likes their HTML and attachments.

The XBL, for example, is _extremely_ reliable at detecting compromised
end-user machines.  All by itself it will block 70-85% of all spam.
Fine.  But it also blocks LEGITIMATE mail coming from those machines,
right?

There is no legitimate mail coming from those machines. Maybe a message
or two for every million messages being blocked. Probably less.

We go several days between seeing an XBL FP (out of 1.6M blocked per
day).  And they're fixed - we whitelist and help the sender get their
systems disinfected so they can stay out of the XBL.  Email not lost,
sender's machine is fixed, less spam hits the Internet.

Is that a win-win or what?

Like I keep saying, we get higher FPs out of our content filters.

Even the extremely obvious - HELO'ing as our domain - we see
_legitimate_ (home brew) MTAs doing it.


By its very nature it doesn't list real MTAs (eg: ISP smarthosts).
What if the spam is sent through this "smarthost"?  You might claim
that's not being done today, but nothing prevents spammers from doing
that.

It's harder.  And we have a blocking solution for that.

You don't have to run ONLY DNSBLs.  What's that I keep saying?  _Hybrid_
filtering systems.

Then there is an ISP to complain to and the ISP knows which of their
users has a compromised machine and can do something about it. If the ISP
doesn't do something about it, he may find that some may refuse to
accept mail from him or apply more stringent filters to it. But that
doesn't have anything to do with the XBL.

You are assuming that IP-based reputation is used in an all-or-nothing
way. It isn't. There is more than one list, and just because an IP
address is or isn't on a specific list doesn't mean that all mails from
this address are rejected or accepted. It is one criterion among many.

He's also assuming that if you're using DNSBLs you're somehow prevented
from using other techniques simultaneously.  That is simply not the case.


Subject: Re: [Asrg] Re: bounces, and anti-spam principles
[how users configure their whitelist rules]

The problem being that out of the 60,000 seats here, perhaps less
than 10 of them are able to competently configure a set of rules
like what you have.  
That's a software implementation issue, not an inherent
problem in the approach.  I envision a button to click on
                          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
I guess that's the main reason why your ideas aren't met with wild
enthusiasm here. You "envision" that this would be simple to build
and to use, but it's not even clear that you have even built a
prototype which you use yourself, much less deployed the system for
"ordinary users", which aren't quite sure what an "HTML mail" is, and
have never heard about an "ActiveX component".
I've built and have used portions of what I propose.  Obviously it will
work best if the proposed default rules are widely used.

As for "deploying it for ordinary users", I think I could make the same
claim regarding all these DNS-based proposals that y'all are so fixated
on.

No, absolutely not. Apart from not being fixated on "DNS-based
proposals" (if anything, I'm fixated on bayesian filtering), I see two
very important differences here: 

1) DNSBLs like Spamhaus' SBL+XBL aren't "proposals". They have been
operational for years and their strengths and weaknesses are well-known.

And default recommendations in many packages.  Such as SpamAssassin.

2) The user has absolutely nothing to do with them. I can simply enable
them on a system-wide basis and be confident that I will maybe have to
deal with one complaint every few years.

We have a few more than that, but we fix them.

Again, good software implementation doesn't have to depend on users
understanding those details

I doubt that. In real life users get mails with "advanced features" all
the time and if they have to decide whether they can safely enable them
they need to understand them. I predict that the average user will
either have configured that system to accept anything from anybody
within a week or give up on email entirely.

If we tried that here, the average user would be screaming at me why
their filters weren't working.  Or working too well.

that simply says "allow E-mails like this from the same sender in
the future" and where the software will open the keyway JUST enough
to allow that type of message if seen again from that sender.
So Uncle Bob will see that a mail from Aunt Matilda was blocked
because it contained an "executable attachment". Since he wants to
get mail from Aunt Matilda (and Aunt Matilda is a nice lady, she
wouldn't send him anything bad, would she?) he clicks on "allow
E-mails like this from the same sender in the future". Oops!
Presumably he could tell from the rest of the content in the mail
message that it really didn't look like E-mail from Aunt Matilda.

To do that he has to read it. What good is an anti-spam scheme which
requires me to read all my spam?

What good is an anti-spam scheme that, after you've seen the one good
html email from Aunt Matilda, blindly delivered you the virus her
machine sends the next day?  Or the spam forged in her name?
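The "hybrid filtering" point made above, as an added example that is not code from any of the posters: a weighted scorer in which an XBL-style DNSBL hit is one criterion among several rather than an all-or-nothing verdict, and in which a per-sender "allow E-mails like this" whitelist relaxes only the content heuristics, so the forged or newly infected Aunt Matilda case is still caught. The DNSBL zone, network ranges, weights and sample messages are all constructed; the DNSBL answer table stands in for the real DNS lookup.

```python
import ipaddress

# Constructed stand-in for DNSBL answers (zone -> listed IPs).  A real
# lookup resolves "<reversed-ip>.<zone>" and checks for a 127.0.0.x answer.
FAKE_DNSBL = {"xbl.dnsbl.invalid": {"203.0.113.7"}}   # a "compromised end-user machine"
OUR_NET = ipaddress.ip_network("192.0.2.0/24")       # constructed: our own hosts
THRESHOLD = 5.0

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Build the reversed-octet name an IPv4 DNSBL lookup would resolve."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def dnsbl_listed(ip: str, zone: str, table=FAKE_DNSBL) -> bool:
    """Constructed resolver: table lookup in place of the DNS round trip."""
    dnsbl_query_name(ip, zone)            # the name that would be sent to DNS
    return ip in table.get(zone, set())

def score_message(msg: dict, whitelist: set, our_domain: str = "example.com") -> dict:
    """Weighted hybrid scoring: returns score, the criteria that fired, verdict."""
    reasons = {}
    client = ipaddress.ip_address(msg["client_ip"])
    helo = msg["helo"].lower()
    if dnsbl_listed(msg["client_ip"], "xbl.dnsbl.invalid"):
        reasons["xbl"] = 4.0                               # strong, but not decisive alone
    if (helo == our_domain or helo.endswith("." + our_domain)) and client not in OUR_NET:
        reasons["helo_forged_as_us"] = 2.0                 # outsider HELOing as our domain
    if msg.get("html"):
        reasons["html"] = 1.5                              # content heuristic
    if msg.get("exe_attachment"):
        reasons["executable_attachment"] = 6.0             # malware check
    if msg["from"] in whitelist:
        # The per-sender whitelist relaxes content heuristics only; it never
        # bypasses the malware check or the DNSBL hit, so mail forged in Aunt
        # Matilda's name or sent by her infected machine is still rejected.
        reasons.pop("html", None)
        reasons["whitelisted"] = -2.0
    score = sum(reasons.values())
    return {"score": score, "reasons": reasons,
            "verdict": "reject" if score >= THRESHOLD else "deliver"}

# Constructed sample messages: one genuine HTML mail, one from her infected box.
WHITELIST = {"matilda@example.net"}
GOOD_HTML = {"client_ip": "198.51.100.9", "helo": "mail.example.net",
             "from": "matilda@example.net", "html": True}
FROM_INFECTED = {"client_ip": "203.0.113.7", "helo": "example.com",
                 "from": "matilda@example.net", "exe_attachment": True}
```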

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg