
Re: [Asrg] Solving spam == Solving zombies/botnets

2008-12-03 22:52:24

On Dec 3, 2008, at 7:29 PM, Barry Shein wrote:


> On December 3, 2008 at 13:39 steve(_at_)blighty(_dot_)com (Steve Atkins) wrote:
>
> > If, for example, you could identify and reject all unwanted mail the
> > botnets (for email spam anyhow) would cease to exist on their own,
> > there'd be no economic reason for them to continue operating.
> >
> > OTOH, it is true that the only reason spammers can operate as they do
> > is via botnets. Period.
> >
> > That's an interesting perspective. One that's wrong, though. An awful
> > lot of quite profitable spam never goes anywhere near anything remotely
> > resembling a botnet.
>
> Ok, that's an interesting assertion.
>
> Are they achieving IP mobility in some other way? If not, why don't we
> just block them?
>
> The only other major route I'm aware of are hijacked routes but thus
> far I don't think they're that big an actual source of spam, correct
> me if I'm wrong.
>
> You make three references to "some other way" in the note (I didn't
> quote all of it) but never quite spell it out. Here's your
> chance. Educate us!

Oh, there are quite a few. One common factor of one category
is spam being sent from originating IP addresses which also emit
a lot of email that doesn't cause complaints.

One example of that is spam sent through ESPs. Another is spam
being sent through ISP smarthosts (sometimes from compromised
machines within the ISP, but sometimes not). Another is spammers
who are careful with their traffic and list management in order to
manage complaint rates to a plausible level.

Another category is spam being sent from dedicated machines,
or at least dedicated IP addresses, for weeks to months before
moving to another address range or provider. IP mobility doesn't
need to be on a minute by minute process, it only needs to keep
ahead of filtering and enforcement.

Another category is spammers sending low-ish levels of spam from their
own systems, and never quite breaking the level of volume
where that causes them serious operational problems, but still
being quite a lot of mail in aggregate.

In terms of mail that makes it to the inbox, past fairly simple,
conservative filters, I see much more of these than I do
mail sent from botnets.

If what you care about is the traffic involved then the fact the vast
amount of botnet traffic is easy to detect and filter is completely
irrelevant, as it's still a lot of traffic and processing (at least until
you can push a big chunk of the work to the edge).

But if you're concerned about what the recipient actually sees in
their mailbox - a much bigger cost from my perspective - then
the lower levels of mail that are much harder for a conservative[1]
spam filter to detect are a big part of the problem, maybe more so than
typical botnet spam.

Given that's the stuff that tends to actually get delivered and be
seen by humans, it's going to be much more profitable per email,
as it's vastly more likely to be actually seen. Sufficiently more so that
it's probably a better business model for many products than the
naive high-volume spam that botnets tend to be used for. And, because
it's seen by humans, it's also a much higher cost to the recipient.

Cheers,
  Steve

[1] One that's suitable for typical end-user use, and doesn't cause
a noticeable false positive rate on typical consumer email.
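The argument above, illustrated with an added example that is not part of the post: a toy per-IP complaint-rate reputation filter replayed over constructed traffic. It assumes every spam message draws a complaint, uses made-up thresholds and RFC 5737 documentation addresses, and shows why a botnet node is cut off quickly while a shared smarthost and a slowly-moving dedicated host are not.

```python
from collections import defaultdict

BLOCK_RATE = 0.05   # block a source once >5% of its mail draws complaints...
MIN_VOLUME = 50     # ...but only after it has sent enough mail to judge


def build_events():
    """Constructed traffic as (source_ip, is_spam) tuples in sending order.
    Assumption: spam always draws a complaint, legitimate mail never does."""
    events = []
    events += [("198.51.100.7", True)] * 200            # botnet node
    for i in range(5000):                                # ISP smarthost, 2% spam
        events.append(("203.0.113.25", i % 50 == 0))
    for hop in range(3):                                 # dedicated host, moves 3x
        events += [(f"192.0.2.{10 + hop}", True)] * 100
    return events


def run_filter(events):
    """Replay traffic through the reputation filter. For each IP, return
    (spam delivered before the block took effect, whether it ended blocked)."""
    volume = defaultdict(int)
    complaints = defaultdict(int)
    delivered_spam = defaultdict(int)
    blocked = set()
    for ip, is_spam in events:
        if ip in blocked:
            continue                      # rejected at SMTP time, nothing learned
        volume[ip] += 1
        if is_spam:
            delivered_spam[ip] += 1
            complaints[ip] += 1
        if volume[ip] >= MIN_VOLUME and complaints[ip] / volume[ip] > BLOCK_RATE:
            blocked.add(ip)
    return {ip: (delivered_spam[ip], ip in blocked) for ip in volume}


if __name__ == "__main__":
    for ip, (spam, was_blocked) in run_filter(build_events()).items():
        print(f"{ip:15} delivered_spam={spam:4} blocked={was_blocked}")
```

The smarthost never crosses the rate threshold yet delivers more spam than the botnet node, and each hop of the moving host gets a fresh MIN_VOLUME of free deliveries.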

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
https://www.irtf.org/mailman/listinfo/asrg