ietf-asrg

Re: [Asrg] About that e-postage draft [POSTAGE]

2009-02-18 13:04:13
On Fri, Feb 13, 2009 at 09:21:21AM -0500, John Leslie wrote:
>    Remember, presentation of a bad token is a much clearer indication
> of evil intent: a few dozen should suffice for blocklisting. It's
> quite practical to blocklist 100 million IPs, at which point the
> problem will start to disappear. Computers blocklisted this way will
> pretty much be forced into going through a relay MTA with which they
> have a contractual relationship -- which removes the problem from
> the "botted-MTA" territory.

Blacklisting those 100 million IPs -- which most sensible folks did
years ago, either by subdomain, regexp, IP, DNSBL or some mechanism --
has not forced them to go through relay MTAs.  The only thing that will
force them to go through relay MTAs are router/firewall rulesets on the
networks within which they reside.

However, suppose -- against all experience -- that actually happens.
(And that'd be a good thing, so I'm not arguing against; it's just
that if it were going to happen, I think it would have happened within
a few months of the rise of the zombies.)

In that case, every relay MTA you see will present "a few dozen"
bogus tokens very shortly thereafter, because some/most/all of those
100 million IPs will now be sending through them.  Do you plan to
blacklist all those relay MTAs?

If so, then you could just do that now and skip the exercise.

If not, then you're going to have to still do it the hard way.

---Rsk

_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg