nanog mailing list archives

Re: How do you stop outgoing spam?


From: Scott Francis <darkuncle () darkuncle net>
Date: Tue, 17 Sep 2002 11:07:13 -0700

On Mon, Sep 09, 2002 at 11:31:44PM +0200, brad.knowles () skynet be said:
[snip]

> At 10:08 AM -0700 2002/09/09, John M. Brown wrote:
> 
> > How do you determine what is spam?
> > 
> > Not trying to be difficult or start another bloody thread.
> > 
> > It would seem to me that in order to create an "off the shelf"
> > non NOC-updating solution, you would have to be able to define
> > "what is spam" and then you could "detect it".

Spam is bulk, by definition. It doesn't work otherwise. Remove the capability
for bulk and you have eliminated the problem (or at least forced it
elsewhere). Rate limiting outbound SMTP is still the best technical solution
I have seen in this thread, and requires little to no upkeep on an ongoing
basis. As soon as you start examining the contents of mail, you have
increased the effort required by an order of magnitude.

> 	You could transparently proxy port 25 for all outgoing traffic,
> and then run spamassassin on that machine (collection of machines).
> You could do a slightly modified version to look at the traffic on
> port 80.  Not only would you be looking for standard spam keywords,
> but you would also be looking at spam reports from other people
> (e.g., Vipul's Razor), so this should continue to adapt as the spam
> attacks change.

Much more complex to implement and manage; doesn't scale well. The fewer
decisions the anti-spam system has to make, the better it will work. If it
only has to decide whether or not a specific IP/port combination has exceeded
a certain threshold, it will run much more smoothly than if it's examining
the contents of each packet.

> 	However, I also like the idea of doing a bandwidth budget on a
> per machine basis, with short term bursts allowing for most "normal"
> activity.

*nod*
--
-= Scott Francis || darkuncle (at) darkuncle (dot) net =-
  GPG key CB33CCA7 has been revoked; I am now 5537F527
        illum oportet crescere me autem minui

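The rate-limiting approach argued for above, worked through as an added example (this is not code from the thread or from any of its posters): a per-host token bucket on new outbound port-25 connections, which gives the per-machine budget with short-term bursts that the last quoted paragraph describes, and makes exactly one decision per connection (has this source IP exceeded its budget?) without ever looking at message content. The host addresses, thresholds and flow records are constructed for illustration.

```python
"""Per-source rate limiting of outbound SMTP connections (token bucket).

Added example, not code from the NANOG thread. Each internal host gets a
sustained budget of new outbound port-25 connections plus a burst allowance,
so a normal mailer is never throttled; anything beyond that is dropped and
the host is flagged. No packet payload is examined. The flow records in
build_sample_flows() are constructed sample data.
"""
from collections import defaultdict

SMTP_PORT = 25


class TokenBucket:
    """Classic token bucket: 'capacity' tokens of burst, refilled at 'rate'/s."""

    def __init__(self, capacity, rate, now):
        self.capacity = float(capacity)
        self.rate = float(rate)
        self.tokens = float(capacity)  # a new host starts with a full burst
        self.last = now

    def allow(self, now):
        # Refill in proportion to elapsed time, never above capacity.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class OutboundSmtpLimiter:
    """Budgets new outbound connections to port 25, per source IP.

    burst:    how many connections a host may open back-to-back (constructed)
    per_hour: sustained connections per hour once the burst is spent (constructed)
    """

    def __init__(self, burst=20, per_hour=60):
        self.burst = burst
        self.rate = per_hour / 3600.0
        self.buckets = {}
        self.allowed = defaultdict(int)
        self.dropped = defaultdict(int)

    def check(self, src_ip, dst_port, ts):
        # Only new connections to port 25 are budgeted; all other traffic
        # (e.g. the same host's port-80 traffic) passes untouched.
        if dst_port != SMTP_PORT:
            return True
        bucket = self.buckets.get(src_ip)
        if bucket is None:
            bucket = TokenBucket(self.burst, self.rate, ts)
            self.buckets[src_ip] = bucket
        if bucket.allow(ts):
            self.allowed[src_ip] += 1
            return True
        self.dropped[src_ip] += 1
        return False

    def offenders(self):
        """Hosts that exceeded their budget: the list the NOC actually wants."""
        return sorted(ip for ip, n in self.dropped.items() if n > 0)


def build_sample_flows():
    """Constructed (ts_seconds, src_ip, dst_port) records for three hosts."""
    flows = []
    # Ordinary desktop: one outbound mail every five minutes for an hour.
    for i in range(10):
        flows.append((i * 300.0, "192.0.2.10", SMTP_PORT))
    # Web server: lots of port-80 traffic, which must not be touched at all.
    for i in range(200):
        flows.append((i * 1.0, "192.0.2.20", 80))
    # Compromised host: 500 SMTP connections within one minute.
    for i in range(500):
        flows.append((i * 0.12, "192.0.2.30", SMTP_PORT))
    flows.sort(key=lambda f: f[0])
    return flows


def run(flows, burst=20, per_hour=60):
    limiter = OutboundSmtpLimiter(burst, per_hour)
    for ts, src, port in flows:
        limiter.check(src, port, ts)
    return limiter


if __name__ == "__main__":
    lim = run(build_sample_flows())
    for ip in sorted(set(lim.allowed) | set(lim.dropped)):
        print(f"{ip}: allowed={lim.allowed[ip]} dropped={lim.dropped[ip]}")
    print("offenders:", lim.offenders())
```

With the constructed numbers, the desktop never spends its burst, the web server never enters the table at all, and the compromised host gets its 20-connection burst and then about one further connection per minute, so 480 of its 500 attempts are dropped and it is the only address reported. In a real deployment the same decision is made at the border (first SYN to port 25, keyed on source address) and the offender list is what pages the NOC, which is the whole point of keeping the decision that simple.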