Well.... maybe I can shed some light using my own systems as an
example.
Currently I process 2 million internet inbound emails a day.
25% of those are dropped with bad RDNS lookups.
65% of what is left are dropped due to bad TO: addresses.
95% of what is left is dropped due to filtering processes.
Almost 95% of what is left after the 25% dropped after RDNS are from
forged addresses.
The filtering processes are THE #1 major load on my boxes.
Not hard to do the math here.
Regards,
Damon Sauer
Please forgive the trailer.. I am not able to remove it.
-----Original Message-----
From: owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org
[mailto:owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org]On Behalf Of Greg Connor
Sent: Tuesday, May 25, 2004 2:21 AM
To: Gordon Fecyk; IETF MXCOMP (E-mail)
Subject: Re: Measuring MARID
--Gordon Fecyk <gordonf(_at_)pan-am(_dot_)ca> wrote:
The question of network overhead and impact came up early on. If the
cure to forgery is more network-expensive than the disease of forgery, no
one's going to implement it. Early numbers suggest a considerable
savings but bad design decisions now could reduce that savings or
eliminate it.
We need to measure the impact, but what to measure? I wanted to get the
question out early, especially as Meng, Harry and Jim draft a document to
combine their proposals. What can be measured? Where should it be
measured? And how do we measure it?
These things immediately came to mind:
A very good list.
Some other things sysadmins and managers might be interested in...
Measurements of MARID checking compared to other methods
- costs to filter questionable email, like spamassassin
- costs to keep spam quarantined but not deleted
- cost and success rate of checking RDNS, which some sites do
- cost of checking basic DNS (sender domain exists, MX not 127.0.0.1)
Differences between MARID at the edge versus at a second-stage filter
Anything that saves an additional TCP session from being opened (such as
forwarding the mail to the internal server) compared to the UDP DNS lookups
needed to avoid making the second TCP connection.
I'm thinking what you're probably thinking... that anti-forgery measures
will eventually result in a net gain, but it will be difficult to prove
empirically. I would suggest to focus on ratios more than raw numbers.
How much of mail is spam, and how much of that is forged? How much
different would the bandwidth be if the forged messages could be blocked
before the DATA command?
(Of course I have no answers, just more questions :)
gregc
--
Greg Connor <gconnor(_at_)nekodojo(_dot_)org>
*****
The information transmitted is intended only for the person or entity to which
it is addressed and may contain confidential, proprietary, and/or privileged
material. Any review, retransmission, dissemination or other use of, or taking
of any action in reliance upon, this information by persons or entities other
than the intended recipient is prohibited. If you received this in error,
please contact the sender and delete the material from all computers.