Firewall Wizards mailing list archives
RE: regarding spam...
From: "Jeff Brown" <jvbrown () gte net>
Date: Tue, 2 Apr 2002 12:11:59 -0500
There are very sophisticated email filters available out there. http://www.group-technologies.com .wall is quite strong. The challenge is that so many have opted for shareware fixes for so long (RBL/others) that the value proposition on a solid anti-spam solution is difficult to justify in the current economy. On occasions where spam issues become a content filtering concern ( IP leakage/porn ) the commercial/Enterprise world acknowledges the value of an associated license fee.

AV companies need to stay focused on AV, and IDS firms should maintain their focus as well. Some content filtering solutions are able to handle these issues right now with specialized and intuitive algorithms.

-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com]On Behalf Of Kalat, Andrew (ISS Atlanta)
Sent: Monday, April 01, 2002 11:04 AM
To: 'Marcus J. Ranum'; firewall-wizards () nfr com
Subject: RE: [fw-wiz] regarding spam...

Note: Comments are my own, and not that of my employer, yadda, yadda...

Perhaps my comments are a bit naive here, but I'll risk the public scorn and throw them out anyway.

Reading this thread, I wanted to comment from the standpoint of a business user. As spam is now sent from multiple open relays, it seems domain blocking is no longer becoming an effective defense. I seem to get the same spam from 5 different sources in a day anyway. I've also seen open relays get noted and used within 12 hours of being put on the net.

With that in mind, I've been kicking around why something similar to an anti-virus product couldn't be used on border MX's to filter spam.

Dig if you will the concept:

An anti-virus company starts tracking spam. They build profiles of the most common spam quickly. Let's say they use a 90% match to deal with slight changes done by the spammers. Pattern files are updated hourly as new spam is created and noted by their systems. These pattern files are made available for auto-download to the anti-spam products perhaps on an hourly basis.

Anyway, these products would then scan the email, similar to anti-virus products, and divert those that match. Perhaps an alert with the first few lines of the spam to a designated admin who could then note if it was a false-positive and forward on the email. Further, the designated admin could add spam examples to a user-based pattern file.

Perhaps this is being done, I'm not sure. The value I would see is that this would probably take a big chunk out of spam to a whole company as they often get the same spam over and over again.

To Marcus' point later in the thread, this doesn't really hurt the spammers, and this would likely start the same type of arms race you see in the anti-virus efforts, but it does help the business user population somewhat, stopping the 80% or so of the less sophisticated spammers.

Over time this might fail, but I'm curious why no one has tried this approach. It would seem the anti-virus companies have the infrastructure in place to do it.

Just my 2 cents...

---------------------------------------------------------
Andrew J. Kalat,                | Direct:(404)236-2713
IT Infrastructure Manager       | Main: (404)236-2600
Internet Security Systems, Inc. | E-Mail: akalat () iss net
6303 Barfield Road              | <http://www.iss.net/>
Atlanta, GA 30328               | PGP key available.

-----Original Message-----
From: Marcus J. Ranum [mailto:mjr () nfr com]
Sent: Friday, March 29, 2002 9:45 AM
To: firewall-wizards () nfr com
Subject: [fw-wiz] regarding spam...

Out of 30 messages in the input queue yesterday 30 were spam. 27 of those were Korean or Chinese.

I'm trying to think of ways to deal with spam E-mails and have been kicking around a few ideas with some friends of mine. Most of the truly effective ways we can imagine to deal with spam rely on spam-knowledge propagation: in other words a human being someplace in the mix says "this is spam" and based on that determination causes the offending message to disappear from all mailboxes.

So, a side effect of this approach is a 'web of trust' with respect to noise email. :) Suppose I tell the mail system "I trust Dodge Mumford's judgement regarding what is spam" then my mail system will automatically move into my spam folder all emails that Dodge moves into his spam folder. We might choose to look out for each other in a reflexive relationship, or we might choose to additionally trust an outside source, etc, etc.

It occurs to me that this would be pretty easy to implement, with a bit of small extra kludgery. You could build it right into an imap server by having it apply the extra processing when someone moves a message into a folder called "spam" - in fact this way _one_ person in an organization could keep an up-to-date set of Eudora filters that would be leveraged by everyone in that spam trust ring.

Does anyone know if this is already being done? Does anyone see any really compelling reason it wouldn't work?

mjr.
---
Marcus J. Ranum
Chief Technology Officer, NFR Security, Inc.
Work: http://www.nfr.com
Personal: http://www.ranum.com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
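
Added example, not part of the thread and not code from any of its participants: a sketch that combines the two proposals quoted above, the "90% match" pattern comparison and the spam trust ring driven by a user filing a message as spam. The similarity metric (Jaccard over 3-word shingles), the class and function names, the user ids and the sample messages are all assumptions made for illustration.

```python
import re

THRESHOLD = 0.9  # the "90% match" from the thread; the metric below is an assumption

def shingles(body, k=3):
    """Set of k-word shingles from a case-folded, punctuation-stripped body."""
    words = re.findall(r"[a-z0-9]+", body.lower())
    if len(words) < k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}

def similarity(a, b):
    """Jaccard similarity of two shingle sets, from 0.0 to 1.0."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

class SpamTrustRing:  # hypothetical name
    def __init__(self):
        self.trusts = {}   # user -> users whose spam judgement they accept
        self.reports = {}  # reporter -> shingle sets of messages they filed as spam

    def trust(self, user, judge):
        self.trusts.setdefault(user, set()).add(judge)

    def report_spam(self, reporter, body):
        """Hook for 'reporter moved this message into their spam folder'."""
        self.reports.setdefault(reporter, []).append(shingles(body))

    def folder_for(self, user, body):
        """'spam' if the user or anyone they trust reported a near-match."""
        sig = shingles(body)
        for judge in self.trusts.get(user, set()) | {user}:
            if any(similarity(sig, known) >= THRESHOLD
                   for known in self.reports.get(judge, [])):
                return "spam"
        return "inbox"

# Constructed sample messages (not taken from the thread).
SPAM = ("Make money fast working from home! Guaranteed income, no experience "
        "needed. Click here now to claim your free starter kit today.")
VARIANT = SPAM.upper() + " xk48213"         # random tag appended: 19 of 20 shingles match
REWRITE = SPAM.replace("income", "salary")  # one mid-body word changed: 16 of 22 match

def demo():
    ring = SpamTrustRing()
    ring.trust("mjr", "dodge")       # mjr accepts dodge's spam judgement
    ring.report_spam("dodge", SPAM)  # dodge files the message as spam
    cases = (("variant", VARIANT), ("rewrite", REWRITE))
    return {f"{who}:{name}": ring.folder_for(who, body)
            for who in ("mjr", "akalat") for name, body in cases}
```

The re-cased, tagged variant is diverted for the user who trusts the reporter, while a single word changed mid-body drops the score to about 0.73 and slips through, which is the arms race the thread anticipates.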