ietf-mxcomp

Re: MTAmark (was: Reality check please)

2004-06-11 23:59:52


----- Original Message ----- 
From: "Markus Stumpf" <maex-lists-email-ietf-mxcomp(_at_)Space(_dot_)Net>
To: "IETF MARID WG" <ietf-mxcomp(_at_)imc(_dot_)org>
Sent: Friday, June 11, 2004 7:04 PM
Subject: Re: MTAmark (was: Reality check please)


> Out of 500,000 messages with about 90% marked spam and viruses (this is
> 450,000 messages)

The rate is on par with industry average.

> AOL supporting SPF didn't change anything, besides some media hype.

It did for us.

> Give me one site that really utilizes the client side of SPF?

Not sure what this question asks.

> Serious business companies CANNOT do it, as it will raise their false
> positive rate and nobody will do that.

What's the difference between a serious business and just plain anyone else
running a legitimate mail server servicing end-users, internal or otherwise?

> So the main question is: Why do spammers use hotmail, yahoo, AOL?
> Simple answer: you cannot block those domain totally,

For hotmail, MCEP works.

For yahoo, you have a problem as they go against the grain of standard
operations, contributing to the spamming problem.

For AOL, they are the best of the "large ISP" bunch.

Explain more below.

> As soon as those "big" domains publish MARID records and the
> technique is well established, spammers will immediately switch
> and ONLY do what they already do now: abuse "small" domains. And these
> are easy to find, as they don't publish MARID records.

Well, the harder (and more complex) you make it to publish, the more of a
barrier to implementation you will find.

In my view, as soon as the "big" domains publish MARID records, spammers will
spoof them even more due to the "CodeRed Principle" that every modern
virus/hacker and now spammer enjoys, and that is: there will always be a
segment of the marketplace that is still not updated with new anti-spam
logic.

So which problem are we trying to solve?

For me, the focus is on solving the "anonymous mail abuse" using SMTP
technical compliance with total disregard for the intent of the mail sender.

Hotmail publishes a _EP record, so this has helped stop some of its spam.

But for our system, we use a CBV as the final analysis because in our view,
ultimately, the complete address must be verifiable. We use white/black
listing, RBL and LMAP methods as initial checks with one goal in mind:
eliminate the obvious and the need for the final CBV.

AOL is the best of the bunch because they support dynamic SMTP Local User
Validation. So the CBV works great in eliminating all AOL spam that gets past
the initial checks.

YAHOO is problematic (doesn't help) because it validates ALL users. That is
why you got more spammers using YAHOO.

I forget, but HOTMAIL was also problematic, but not for the same reasons
YAHOO was.

Local User Validation is (should be) an important part of the anti-spam
effort/design. Not only will it help eliminate the overhead in MARID lookup
requirements, but it will also reduce your bounce requirements, which are a
major part of the Sobig-based virus dual-tier distribution logic.

Just consider this:

  Connecting IP
  HELO
  MAIL FROM
  RCPT TO:

If your RCPT TO is not valid, then you need not bother to check for MARID.

Sure, probably deemed an implementation issue, but for me:

    anti-spam is directly proportional and a function of (IP, HELO, MAIL FROM, RCPT TO)

To ignore RCPT TO, well, you are just adding a major burden to your system
when the odds are very high that the mail (about 40% bad RCPT) was going to be
non-deliverable in the first place.

Comment from customer:

"Just wanted to tell you what a great job the WcSAP piece is!

I had our network admin (from my work) help me set it up, and after about 30
minutes of learning/tweaking, it has been working great! Dozens of messages
blocked, and no new virus warnings in the last hour. He is a die-hard Linux
freak and after he took a crack at studying the communications from multiple
mail servers, log files, and my machine's logs, he was totally impressed how
well it works. Our Linux mailservers use a similar type of verification, but
he mentioned your version was very efficient in how it performed the
verifications. That means a lot to me since he hardly ever says anything
positive about anything that runs on Windows.

Great update!

Thanks!
-Chris Weis"

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
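The staged ordering Hector argues for above (cheap envelope checks in the order the SMTP dialogue presents them, with the MARID-style sender-policy lookup deferred until RCPT TO is known to be a deliverable local user) can be expressed as a small policy evaluator. The following is an added illustration, not code from the post, from WcSAP or from any MARID implementation; the user list, IP blocklist, sender-policy table and the sample envelopes are all constructed, and the "lookup" is a dictionary read standing in for the DNS query a real MTA would make.

```python
"""Staged SMTP envelope evaluation: local user validation before sender-policy lookup.

Order of checks mirrors the SMTP dialogue (IP, HELO, MAIL FROM, RCPT TO) and
short-circuits on the first failure, so the expensive sender-policy lookup
(MARID/SPF-style DNS query in a real MTA) is only spent on mail that could
actually be delivered. All data below is constructed for the example.
"""
from dataclasses import dataclass, field
import re


@dataclass(frozen=True)
class Envelope:
    ip: str
    helo: str
    mail_from: str
    rcpt_to: str


# Hypothetical local data a receiving MTA would consult (constructed).
LOCAL_USERS = {"alice@example.org", "bob@example.org"}          # deliverable mailboxes
IP_BLOCKLIST = {"203.0.113.9"}                                   # e.g. an RBL hit
SENDER_POLICY = {"example.com": {"198.51.100.7"}}                # domain -> permitted MTA IPs

HELO_RE = re.compile(r"^[A-Za-z0-9.-]+$")   # crude hostname syntax check


@dataclass
class Stats:
    policy_lookups: int = 0
    rejected_at: dict = field(default_factory=dict)


def sender_policy_lookup(domain: str, ip: str, stats: Stats) -> str:
    """Simulated MARID-style lookup; counted because it is the costly step."""
    stats.policy_lookups += 1
    permitted = SENDER_POLICY.get(domain)
    if permitted is None:
        return "none"          # domain publishes no record
    return "pass" if ip in permitted else "fail"


def _reject(stats: Stats, stage: str) -> tuple[str, str]:
    stats.rejected_at[stage] = stats.rejected_at.get(stage, 0) + 1
    return ("reject", stage)


def evaluate(env: Envelope, stats: Stats) -> tuple[str, str]:
    """Return (verdict, stage). No policy lookup occurs unless RCPT TO is valid."""
    if env.ip in IP_BLOCKLIST:
        return _reject(stats, "IP")
    if not HELO_RE.match(env.helo):
        return _reject(stats, "HELO")
    if "@" not in env.mail_from:
        return _reject(stats, "MAIL FROM")
    if env.rcpt_to.lower() not in LOCAL_USERS:       # Local User Validation
        return _reject(stats, "RCPT TO")
    domain = env.mail_from.rsplit("@", 1)[1].lower()
    if sender_policy_lookup(domain, env.ip, stats) == "fail":
        return _reject(stats, "POLICY")
    return ("accept", "POLICY")


def run_batch(envelopes: list[Envelope]) -> dict:
    """Evaluate a batch and compare lookups spent against a policy-first design.

    'naive_lookups' counts envelopes that pass the IP/HELO/MAIL FROM syntax
    checks, i.e. how many lookups an MTA that ignores RCPT TO would perform.
    """
    stats = Stats()
    accepted = 0
    naive_lookups = 0
    for env in envelopes:
        if env.ip not in IP_BLOCKLIST and HELO_RE.match(env.helo) and "@" in env.mail_from:
            naive_lookups += 1
        verdict, _ = evaluate(env, stats)
        accepted += verdict == "accept"
    return {
        "accepted": accepted,
        "policy_lookups": stats.policy_lookups,
        "naive_lookups": naive_lookups,
        "lookups_saved": naive_lookups - stats.policy_lookups,
        "rejected_at": stats.rejected_at,
    }


# Constructed sample envelopes exercising each stage.
SAMPLE_BATCH = [
    Envelope("198.51.100.7", "mx.example.com", "carol@example.com", "alice@example.org"),  # legitimate
    Envelope("203.0.113.9", "mx.example.com", "x@example.com", "alice@example.org"),       # blocklisted IP
    Envelope("192.0.2.5", "mx.example.com", "spam@example.com", "nobody@example.org"),     # unknown recipient
    Envelope("192.0.2.5", "mx.example.com", "spam@example.com", "bob@example.org"),        # forged sender domain
    Envelope("192.0.2.6", "bad host!", "a@b.test", "bob@example.org"),                     # malformed HELO
]

if __name__ == "__main__":
    print(run_batch(SAMPLE_BATCH))
```

Running the batch shows the point of the ordering: the unknown-recipient envelope is refused at RCPT TO without any policy lookup, so only two lookups are spent where a policy-first design would have made three.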