nanog mailing list archives
Re: How do you stop outgoing spam?
From: Scott Francis <darkuncle () darkuncle net>
Date: Tue, 17 Sep 2002 11:07:13 -0700
On Mon, Sep 09, 2002 at 11:31:44PM +0200, brad.knowles () skynet be said: [snip]
At 10:08 AM -0700 2002/09/09, John M. Brown wrote: How do you determine what is spam? Not trying to be difficult or start another bloody thread. It would seem to me that in order to create an "off the shelf" non NOC-updating solution, you would have to be able to define "what is spam" and then you could "detect it".
Spam is bulk, by definition. It doesn't work otherwise. Remove the capability for bulk and you have eliminated the problem (or at least forced it elsewhere). Rate limiting outbound SMTP is still the best technical solution I have seen in this thread, and requires little to no upkeep on an ongoing basis. As soon as you start examining the contents of mail, you have increased the effort required by an order of magnitude.
You could transparently proxy port 25 for all outgoing traffic, and then run spamassassin on that machine (collection of machines). You could do a slightly modified version to look at the traffic on port 80. Not only would you be looking for standard spam keywords, but you would also be looking at spam reports from other people (e.g., Vipul's Razor), so this should continue to adapt as the spam attacks change.
Much more complex to implement and manage; doesn't scale well. The fewer decisions the anti-spam system has to make, the better it will work. If it only has to decide whether or not a specific IP/port combination has exceeded a certain threshold, it will run much more smoothly than if it's examining the contents of each packet.
However, I also like the idea of doing a bandwidth budget on a per machine basis, with short term bursts allowing for most "normal" activity.
*nod*
--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
GPG key CB33CCA7 has been revoked; I am now 5537F527
illum oportet crescere me autem minui
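The per-source threshold with a short-term burst allowance discussed in this message, sketched as a token bucket over new outbound port 25 connections. This is an added example, not part of the original message; the rate, burst size, addresses and event timings are constructed assumptions.

```python
# Assumed policy (not from the thread): sustained rate and burst per source IP.
RATE_PER_SEC = 0.125   # one new outbound TCP/25 connection per 8 seconds
BURST = 20             # connections a host may open back to back

class SmtpRateLimiter:
    """Per-source token bucket for new outbound SMTP connections."""

    def __init__(self, rate=RATE_PER_SEC, burst=BURST):
        self.rate = rate
        self.burst = burst
        self.buckets = {}   # src_ip -> (tokens left, time of last update)

    def allow(self, src_ip, now):
        tokens, last = self.buckets.get(src_ip, (float(self.burst), now))
        # Refill for the elapsed time, never above the burst size.
        tokens = min(float(self.burst), tokens + max(0.0, now - last) * self.rate)
        allowed = tokens >= 1.0
        if allowed:
            tokens -= 1.0
        self.buckets[src_ip] = (tokens, now)
        return allowed

def replay(events, limiter=None):
    """Feed (timestamp, src_ip) events in time order; count verdicts per source."""
    limiter = limiter or SmtpRateLimiter()
    counts = {}
    for ts, src in sorted(events):
        verdict = "allowed" if limiter.allow(src, ts) else "denied"
        per_src = counts.setdefault(src, {"allowed": 0, "denied": 0})
        per_src[verdict] += 1
    return counts

# Constructed events (documentation addresses, seconds since start):
NORMAL = [(i * 120.0, "192.0.2.10") for i in range(5)]    # 5 mails in 10 min
BURSTY = [(i * 1.0, "192.0.2.20") for i in range(15)]     # 15 mails in 15 s
BULK = [(i * 0.25, "192.0.2.66") for i in range(240)]     # 240 conns in 60 s

if __name__ == "__main__":
    for src, c in sorted(replay(NORMAL + BURSTY + BULK).items()):
        print(src, c)
```

The verdict depends only on the source address and the time of the connection attempt, never on message content, so the per-connection cost is one dictionary lookup and a few arithmetic operations.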