Anti-Spam Router -- opinions?

Paul Vixie vixie at vix.com
Tue Apr 6 05:36:42 UTC 2004


this is actually not so much about spam as it is about security models.

> > that's why greylisting has been so effective -- to combat it the
> > spammers would have to add the one thing they cannot afford: "state."
> > see http://www.rhyolite.com/dcc/ for how to get started.
> 
> why is 'state' so hard to afford? they already have a list of email 
> addresses to spam, and they already have compromised boxes -- those are 
> the big costs for spammers. another byte of state per email address is 
> cheap (or if you are clever, a single bit stored in the email address 
> itself, which doesn't cost you anything).

that presumes a definite system wherein a spammer knows who he has sent
what to.  as if they felt it was nec'y to send only one copy of a spam
to each person, or indeed, as if they had any records of what addresses
bounce, what addresses (or servers) lead to quicksand, or whatever.  it
is difficult for the average professional engineer to comprehend, down
in their bones, how little attention a spammer can afford to pay to any
one server or address.

> i see greylisting being effective only as long as it doesn't get widely 
> deployed. as soon as greylisting starts having any impact on spammers, 
> they'll start spooling -- and it is very cheap to do so. after all, just 
> about everything on compromised boxes costs them nothing. and compromised
> boxes are the source of 99.9999999% of all spam.

i half agree.  any technique that pinches a spammer's success rate (which
means, the rate at which they hit blind trap addresses monitored by their
customers) will be cause for attention.  this is information warfare, and
there's an effort budget on both sides, asymmetric though it damnably is.
however, "they'll start spooling" is simplistic.  the compromised middle-
boxes don't have state -- nothing gets written to disk.  these are not
mail relays, but rather, deliberately open proxies.  if state were kept
it would be (a) evidence to be used against the spammer, and (b) cause for
the box-owner to notice the activity and perhaps scrape their malware.

the endgame for greylisting is the same as for every moderately successful
"antispam" technique.  there will be a three-way schism.  (1) some spammers
won't notice or won't care that their success rate drops, and they'll
eventually upgrade their spamware when somebody else improves it.  (2) some
spammers will explore ways to keep state and do the retries necessary to
get past the greylist filters.  (3) some spammers will just send everything
to everybody every 30 minutes, no matter whether the last response code was
4xx or 5xx.  all three will make themselves easier to triangulate upon, and
the conviction rate will edge upward slightly.

(the things spammers do to avoid brightmail and DCC smell really strong --
there's no mistaking that kind of zwil for honest e-mail, even robotically.)
-- 
Paul Vixie
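The greylisting mechanism the thread argues over, as an added illustration that is not part of the original message and not the code of DCC or any real greylister: a minimal in-memory greylist that temp-fails (4xx) the first attempt for an unseen (client IP, sender, recipient) triple and accepts a retry after a minimum delay, run over a constructed stream of delivery attempts. It shows a normal retrying MTA getting through, a sender that keeps no state of what it already tried never getting through, and the "resend everything every 30 minutes regardless of the last reply" strategy from point (3) getting through on its second pass. The delay values, IP addresses and mailbox names are assumed sample values.

```python
"""Greylisting model: an added illustration, not code from the NANOG thread.

The greylister temp-fails (SMTP 451, a 4xx reply) the first delivery attempt
it sees for an unseen (client IP, envelope sender, envelope recipient) triple
and accepts the triple once it is retried after a minimum delay. A sender
that keeps no record of what it already tried never retries, so it is never
accepted. Timings, addresses and IPs below are constructed sample values.
"""


class Greylist:
    def __init__(self, min_delay=300, max_age=4 * 3600):
        self.min_delay = min_delay   # seconds a triple must wait before a retry is accepted
        self.max_age = max_age       # pending entries older than this are forgotten
        self.pending = {}            # triple -> time of first attempt
        self.passed = set()          # triples that retried correctly

    def check(self, now, client_ip, sender, rcpt):
        """Return the SMTP reply code (250 accept, 451 retry later) for one attempt."""
        key = (client_ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            return 250                       # already proved it keeps state
        first = self.pending.get(key)
        if first is None or now - first > self.max_age:
            self.pending[key] = now          # new (or stale) triple: temp-fail it
            return 451
        if now - first < self.min_delay:
            return 451                       # retried too soon: keep waiting
        self.passed.add(key)                 # retried after the delay: accept from now on
        del self.pending[key]
        return 250


def run(attempts, min_delay=300):
    """Feed a time-ordered list of (t, client_ip, sender, rcpt) attempts through one greylist."""
    gl = Greylist(min_delay)
    return [(t, ip, rcpt, gl.check(t, ip, snd, rcpt)) for t, ip, snd, rcpt in attempts]


def accepted_per_client(results):
    """Count accepted (250) deliveries per client IP from run() output."""
    counts = {}
    for _, ip, _, code in results:
        if code == 250:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample: a real MTA retrying, a stateless sender, and a sender on a 30-min cadence.
SAMPLE_ATTEMPTS = [
    (0,    "192.0.2.10",   "alice@example.net", "bob@example.org"),   # legit MTA, first try
    (0,    "198.51.100.7", "x1@example.com",    "bob@example.org"),   # stateless proxy, never retries
    (0,    "198.51.100.7", "x2@example.com",    "carol@example.org"),
    (0,    "203.0.113.5",  "promo@example.com", "bob@example.org"),   # cadence sender, first try
    (900,  "192.0.2.10",   "alice@example.net", "bob@example.org"),   # legit MTA retries after 15 min
    (1800, "203.0.113.5",  "promo@example.com", "bob@example.org"),   # cadence sender, 30 min later
    (2000, "192.0.2.10",   "alice@example.net", "bob@example.org"),   # second message, same triple
]

if __name__ == "__main__":
    results = run(SAMPLE_ATTEMPTS)
    for t, ip, rcpt, code in results:
        print(f"t={t:5d} {ip:14s} -> {rcpt:18s} {code}")
    print(accepted_per_client(results))
```

The stateless client (198.51.100.7) never appears in the accepted counts because nothing on its side remembers the 451 and comes back; the cadence sender does get through once 30 minutes exceed the 5-minute minimum delay, which is exactly why the post treats greylisting as a cost-raising measure rather than a filter, and why the retry pattern it forces is what makes such senders easier to pick out in the logs.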
