Anti-Spam Router -- opinions?

Erik Haagsman erik at we-dare.net
Wed Apr 7 12:03:50 UTC 2004


On Wed, 2004-04-07 at 13:18, Michael.Dillon at radianz.com wrote:
> If any of your user connections is the origin of more than
> 5 SMTP sessions in a single day, send an email to the 
> registered contact at that site with a little statistical
> summary of the activity. No blocking of sessions, just a
> note saying that we noticed you sent x number of emails
> today. Give the user some action such as a URL that they
> can do if they believe that this is abnormal.

Why not use a more detailed time-interval based approach only blocking
further SMTP connections for say an hour if a user made more than x
connects in an y amount of time and automatically resetting the counters
and block afterwards..? 
On top of the x/hour you could make the mechanism less of a burden by
putting in an option that would allow connections to be "saved" for a
maximum of two or three hours, so when someone comes into his office in
the morning he can safely pour out his start-of-the-day e-mail flow
without being bothered by the rigid 10 e-mails/hour since there wouldn't
have been any connections in the few hours before coming into the office
and he might be able to send 20 or 30 e-mails in the first hour before
the counters are reset. 
 Spammers can only work when making enormous amounts  of connections
each hour, so limiting a normal user to 10 connections per hour with
some extra slack after two or three connectionless hours, with an hour
blocking penalty if the user goes over shouldn't pose a problem to Joe
Average and will definitely keep spammers at bay without the added
administrative overhead of sending user's mail statistics. 

Ofcourse as you mentioned, mailinglists and certain users making extreme
use of e-mail should always have the possibility of registering for more
connections, but when done correctly this could be a more or less hassle
free way of controlling mail connection rates without burdening 99% of
all users.

Regards,



-- 
---
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10 7507008
fax:+31(0)10 7507005
http://www.we-dare.nl





More information about the NANOG mailing list