Interesting People mailing list archives
Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)
From: Dave Farber <dave () farber net>
Date: Sat, 10 Oct 2009 11:12:00 -0400
Begin forwarded message:
From: Rich Kulawiec <rsk () gsp org>
Date: October 10, 2009 10:37:58 EDT
To: David Farber <dave () farber net>
Cc: "David P. Reed" <dpreed () reed com>
Subject: Re: [IP] Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)

On Sat, Oct 10, 2009 at 09:52:15AM -0400, David Reed wrote:
> If I send a lot of email, why does that make me a "bot"? Maybe I just
> send a lot of email.

That's definitely not a good metric. Here's a much better one, far more accurate and much less invasive. (Presuming for a moment that port 25 outbound isn't blocked.) Count the number of outbound connections to port 25 per unit time and the number of destinations. Real traffic from real human beings will show very low numbers of both of those: we don't send that much mail, and even if we're relaying outbound traffic through remote SMTP servers on port 25 (which we shouldn't be) we don't use many of them because we're not authorized to use many of them.

On the other hand, spam-spewing bots, in an effort to maximize delivery attempts/deliveries, will initiate huge numbers of connections to diverse destinations. I've been looking at these numbers on different networks over the past several years, and the differences are sharp enough -- 10e3 to 10e6 -- that they're immediately recognizable even with leaky observation methods.

Bot-initiated spam runs make themselves visible in just a few minutes, sometimes less. And while certainly bot-initiated spam runs are by no means the only form of abuse that we should be concerned about, identifying these systems has considerable value: it harvests the low-hanging fruit, thus stopping them from doing immediate harm (sending spam) and from doing future harm (whatever they may be instructed to do next).

There are spammer countermeasures to this, of course: one is to rate-limit the spam runs. But judicious tuning of detection thresholds based on local knowledge of usage patterns can make this difficult for them. Moreover, if they *are* rate-limiting sufficiently to evade detection, there is at least one very positive outcome of this: less spam. Applied globally, this would severely curtail overall spam levels -- certainly not fixing the problem, by any means, but at least providing some symptomatic relief.

---Rsk
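
The metric described in the message above, sketched as an added example that is not part of the original message or the poster's own tooling: it counts port-25 connections and distinct destinations per source in fixed time windows. The flow-record layout, window length, both thresholds and the choice to require both thresholds together are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

SMTP_PORT = 25
WINDOW_SECONDS = 300    # assumed "unit time"; tune to local usage
MAX_CONNECTIONS = 50    # assumed threshold, not a figure from the post
MAX_DESTINATIONS = 10   # assumed threshold, not a figure from the post

def smtp_fanout(flows, window=WINDOW_SECONDS):
    """Per (window, source): port-25 connection count and set of destinations."""
    stats = defaultdict(lambda: {"connections": 0, "destinations": set()})
    for ts, src, dst, dport in flows:
        if dport != SMTP_PORT:
            continue
        bucket = stats[(int(ts) // window, src)]
        bucket["connections"] += 1
        bucket["destinations"].add(dst)
    return stats

def flag_sources(flows, window=WINDOW_SECONDS,
                 max_conn=MAX_CONNECTIONS, max_dst=MAX_DESTINATIONS):
    """Sources that exceed BOTH thresholds in some window, with their busiest window."""
    flagged = {}
    for (win, src), s in smtp_fanout(flows, window).items():
        conns, dsts = s["connections"], len(s["destinations"])
        if conns <= max_conn or dsts <= max_dst:
            continue
        if src not in flagged or conns > flagged[src]["connections"]:
            flagged[src] = {"window_start": win * window,
                            "connections": conns, "destinations": dsts}
    return flagged

def sample_flows():
    """Constructed records: (epoch_seconds, src_ip, dst_ip, dst_port)."""
    flows = [(1010, "10.0.0.5", "198.51.100.7", 443)]   # non-SMTP, ignored
    # Ordinary user: 4 messages in one window through a single relay.
    flows += [(1000 + 60 * i, "10.0.0.5", "192.0.2.25", 25) for i in range(4)]
    # Heavy but legitimate sender: 200 connections, all to one relay.
    flows += [(1000 + i, "10.0.0.8", "192.0.2.25", 25) for i in range(200)]
    # Spam-run pattern: 600 connections to 600 distinct destinations.
    flows += [(1200 + i // 4, "10.0.0.9", f"198.18.{i // 250}.{i % 250}", 25)
              for i in range(600)]
    return flows

if __name__ == "__main__":
    for src, info in flag_sources(sample_flows()).items():
        print(src, info)
```

Only the constructed host 10.0.0.9 is flagged; the high-volume sender that uses a single relay stays below the destination threshold. Fixed windows can split a burst across a boundary, so a sliding window is the natural refinement.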