nanog mailing list archives
Re: ISP wants to stop outgoing web based spam
From: Ken Simpson <ksimpson () mailchannels com>
Date: Fri, 11 Aug 2006 09:15:35 -0700
Alexander Harrowell [11/08/06 17:09 +0100]:
Holding the geek snobbery for a moment, I don't think I've ever worked anywhere where the e-mail wasn't MSExchange...so that would kill 100% of "e-mail containing actual financially meaningful information".
Yes it would if host type was the only factor you used to decide whether to block a connection. It would be silly and unwise to block based on host type alone.

However, in the absence of any other information about an IP, it's at least a good and safe way to trigger rate limiting or throttling of a connection. Once the sender gets a few good mails through and proves its worthiness, its good reputation will vastly outweigh the host type.

Legitimate senders don't move around a lot, so their positive reputation has time to build. Spammers, on the other hand, use very short-lived IPs which do not have a chance to build reputation.

The next iteration for spammers will be to move in a big way toward sending via legitimate outbound mail servers. A previous thread was already discussing a variant of this technique, where webmail accounts are automatically plundered from cafes in Nigeria to exploit the good reputation of ISPs.

Regards,
Ken
On 8/11/06, Ken Simpson <ksimpson () mailchannels com> wrote:

On 10 Aug 2006, at 22:07, Barry Shein wrote:
[...]
The vector for these has been almost purely Microsoft Windows.

I wonder. From the point of view of a MX host (as opposed to a customer-facing smarthost), would TCP fingerprinting to identify the OS and apply a weighting to the spam score be a viable technique?

We have been doing that in our traffic shaping SMTP transport for a while now. We have found a 95% correlation between spam sources and Windows hosts. If you drill down to specific versions of Windows, the correlation is even higher.

For _blocking_ connections (as opposed to, say, just slowing them down), you must combine host type with reputation information.

Regards,
Ken

-- MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com -- Suite 203, 910 Richards St. Vancouver, BC, V6B 3C1, Canada Direct: +1-604-729-1741
-- MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com -- Suite 203, 910 Richards St. Vancouver, BC, V6B 3C1, Canada Direct: +1-604-729-1741
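
The policy described in the message above, as an added example that is not part of the original post and is not MailChannels' code: host type alone only triggers throttling for an unknown IP, a record of good mail outweighs it, and blocking requires reputation history. The prior values, the pseudo-count weight, the thresholds and all names are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed spam priors per fingerprinted OS family (constructed values,
# not measurements from the thread).
HOST_PRIOR = {"windows": 0.8, "unix": 0.3, "unknown": 0.5}
PRIOR_WEIGHT = 4        # the host-type prior counts as 4 pseudo-observations
THROTTLE_AT = 0.6       # estimated spam probability that triggers throttling
BLOCK_AT = 0.9          # estimated spam probability required to block
MIN_HISTORY = 5         # never block an IP with fewer observed messages


@dataclass
class Reputation:
    good: int = 0       # messages from this IP judged legitimate
    bad: int = 0        # messages from this IP judged spam


def spam_estimate(os_family: str, rep: Reputation) -> float:
    """Blend the host-type prior with observed history for one IP.

    With no history the result equals the prior; every observed message
    dilutes the prior, so reputation dominates once it has accumulated.
    """
    prior = HOST_PRIOR.get(os_family, HOST_PRIOR["unknown"])
    seen = rep.good + rep.bad
    return (prior * PRIOR_WEIGHT + rep.bad) / (PRIOR_WEIGHT + seen)


def decide(os_family: str, rep: Reputation) -> str:
    """Return 'accept', 'throttle' or 'block' for a new connection."""
    p = spam_estimate(os_family, rep)
    seen = rep.good + rep.bad
    # Blocking needs reputation evidence; host type alone is not enough.
    if seen >= MIN_HISTORY and p >= BLOCK_AT:
        return "block"
    if p >= THROTTLE_AT:
        return "throttle"
    return "accept"


if __name__ == "__main__":
    # Constructed sample senders: (label, fingerprinted OS, history).
    samples = [
        ("new Windows host", "windows", Reputation()),
        ("Exchange server, 20 good mails", "windows", Reputation(good=20)),
        ("Windows host, 30 spam mails", "windows", Reputation(bad=30)),
        ("new Unix host", "unix", Reputation()),
    ]
    for label, os_family, rep in samples:
        print(f"{label}: {decide(os_family, rep)}")
```
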