ietf-asrg

Re: [Asrg] Software bashing [mostly OT, but on at the end]

2009-01-24 07:09:22
On Fri, Jan 23, 2009 at 01:07:54PM -0800, Steve Atkins wrote:
> The majority of the spam I see in my inbox (which is filtered, but not
> by anything that takes source address into account) comes, AFAICT,
> from Linux boxes or email appliances (primarily linux based).

You know what?  I see pretty much the same thing in my mailbox.

But that's after:

        - network perimeter filtering
        - system firewall filtering
        - numerous DNS existence and consistency checks
        - numerous SMTP protocol checks
        - numerous network allocation blocks
        - numerous (okay, huge) domain blocks
        - numerous subdomain blocks
        - numerous other blocks
        - DNSBLs
        - RHSBLs
        - etc.

What finally makes it through doesn't look anything like what's trying
to make it through.  It's a fraction (roughly 1-2%) of the presented
SMTP traffic and very much unrepresentative.

I can say much the same thing about HTTP exploit attempts and SSH
brute-force attempts and all the other kinds of real/attempted abuse:
what's observed at the server level doesn't look much like what's
really incoming.

So the best place to measure this isn't your mailbox; it's on the
outer perimeter of your network -- at the packet level.

Or, to refine that slightly, on the outer perimeter of a network that
nobody knows you're associated with, since at least some abusers do seem
to make a point of at least trying to enumerate the ones where their
adversaries are watching.

> Which doesn't tell me much, but does suggest that A) people blaming
> Windows for all the net's ills may not be basing it on representative
> traffic and B) research is likely useful, speculation probably isn't.

I didn't blame Windows for "all the net's ills".

I said that the abuse problem is mostly a Microsoft Windows problem.
And, clearly, "abuse" is only one of the many things wrong with
the Internet.

---Rsk
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg