ietf-asrg

Re: [Asrg] Blacklisting email accounts?

2011-09-05 13:44:57
On Mon, Sep 5, 2011 at 1:08 PM, Martijn Grooten
<martijn(_dot_)grooten(_at_)virusbtn(_dot_)com> wrote:
> - few users would be able to reliably and accurately determine _who_ was
> infected, and there'd be far more false positives than true positives.
>
> And even blocking only the true positive addresses, i.e. only the ones that
> have really sent spam, is likely to cause a lot of false positive emails.
>
> I do agree that spam sent from friends' compromised accounts is a serious
> problem (and not just for email: also on Facebook, Twitter etc.). Not because
> of their quantity but because they are less likely to be blocked by spam
> filters and more likely to be believed to be genuine.
>
> However, effectively blocking someone from sending email sounds like a cure
> worse than the disease.

I actually tested this back in 1999/2000. I created an experimental
filter called FAD - From Address Deterrent, and I tried to convince
Vixie to incorporate it into MAPS. Chris and Martijn are spot on --
even back then, the vast majority of spam had forged from addresses,
and you ended up blacklisting a harmless, unrelated party. Doing the
math on my big spamtrap feeds a few years later, I found that spammers
seemed to change the from address an average of once every third email
message. My math was simplistic but the point was sound, in that
spammers have enough from addresses to rotate their way around this kind of
blocking too easily. Look at the amount of spam that comes from
somebody with an address "near" yours -- they're often taking spam
list entry #701 (the last sucker they spammed) and using that as the
from address when spamming list entry #702 (you).

From address blocking, or even from domain blocking, is only going to
catch a bit of mainsleaze and a lot of ESPs. Whether or not you want
to block ESPs is a whole other question.

Cheers,
Al Iverson
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg