ietf-asrg

Re: [Asrg] An Anti-Spam Heuristic

2012-12-13 22:39:33
Ooh, quantitative ;-)

For grins, I took one of my smaller spamtraps and applied a 30 second
banner delay.  I wanted to quantify

"And a lot of spamware doesn't flunk."

In the timestamps below, the change happened at 04:52.

Flow per minute:

    156 2012/12/14-04:39
    205 2012/12/14-04:40
    189 2012/12/14-04:41
    188 2012/12/14-04:42
    167 2012/12/14-04:43
    165 2012/12/14-04:44
    181 2012/12/14-04:45
    138 2012/12/14-04:46
    185 2012/12/14-04:47
    173 2012/12/14-04:48
    152 2012/12/14-04:49
    113 2012/12/14-04:50
    156 2012/12/14-04:51
     30 2012/12/14-04:52
     46 2012/12/14-04:53
     46 2012/12/14-04:54
     63 2012/12/14-04:55
     46 2012/12/14-04:56
     55 2012/12/14-04:57
     41 2012/12/14-04:58
     51 2012/12/14-04:59
     41 2012/12/14-05:00
     30 2012/12/14-05:01

A 3:1 spam reduction is nothing to sneeze at.

Not only that, but I can tell you that Lethic (Windows spambot) stopped
dead in its tracks, and it looks like both Cutwail and Darkmailer2 (a
combination of 2 or 3 Linux server infestation types) were affected
severely too.

This server flow is quite low, and isn't seeing flow from several other
bots (eg: Kelihos and Festi) at the moment, so I don't know what other
ones die.  But it's a start.

I'll have to try this on a few other bots, bigger traps and different
delays.

Oh, as a FYI, relatively few connections failed to wait for the banner.
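
The banner delay measured in the post above, sketched as an added example (not the poster's code): the listener withholds the SMTP greeting and records whether each client waited, spoke first, or dropped the connection. The function names, outcome labels, hostnames and the short delay used in `demo()` are assumptions of this example; the post used a 30 second delay.

```python
import select
import socket
import time

BANNER = b"220 trap.example.invalid ESMTP\r\n"  # constructed hostname

def delayed_banner(conn, delay=30.0, banner=BANNER):
    """Withhold the SMTP greeting for `delay` seconds and classify the client.

    Returns (outcome, elapsed_seconds); outcome names are this example's own:
      "waited"       client stayed silent, banner was then sent
      "early_talker" client sent bytes before the greeting
      "hung_up"      client closed the connection during the delay
    """
    start = time.monotonic()
    # Readable before the timeout means the client either spoke or closed.
    readable, _, _ = select.select([conn], [], [], delay)
    elapsed = time.monotonic() - start
    if not readable:
        conn.sendall(banner)
        return "waited", elapsed
    try:
        data = conn.recv(512)
    except ConnectionError:
        data = b""  # reset by peer counts as a hang-up
    return ("early_talker" if data else "hung_up"), elapsed

def demo(delay=0.2):
    """Run three constructed client behaviours over local socket pairs."""
    results = []
    for behaviour in ("patient", "early", "quit"):
        server, client = socket.socketpair()
        if behaviour == "early":
            client.sendall(b"HELO bot.example.invalid\r\n")
        elif behaviour == "quit":
            client.close()
        outcome, _ = delayed_banner(server, delay)
        results.append((behaviour, outcome))
        server.close()
        client.close()
    return results

if __name__ == "__main__":
    print(demo())
```

Tallying the three outcomes per minute on a trap gives the same kind of before/after comparison as the flow counts in the post.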