North American Network Operators Group
Re: Anti-Spam Router -- opinions?
this is actually not so much about spam as it is about security models.

> > that's why greylisting has been so effective -- to combat it the
> > spammers would have to add the one thing they cannot afford: "state."
> > see http://www.rhyolite.com/dcc/ for how to get started.
>
> why is 'state' so hard to afford? they already have a list of email
> addresses to spam, and they already have compromised boxes -- those are
> the big costs for spammers. another byte of state per email address is
> cheap (or if you are clever, a single bit stored in the email address
> itself, which doesn't cost you anything).

that presumes a definite system wherein a spammer knows who he has sent
what to. as if they felt it was nec'y to send only one copy of a spam to
each person, or indeed, as if they had any records of what addresses
bounce, what addresses (or servers) lead to quicksand, or whatever. it is
difficult for the average professional engineer to comprehend, down in
their bones, how little attention a spammer can afford to pay to any one
server or address.

> i see greylisting being effective only as long as it doesn't get widely
> deployed. as soon as greylisting starts having any impact on spammers,
> they'll start spooling -- and it is very cheap to do so. after all, just
> about everything on compromised boxes costs them nothing. and compromised
> boxes are the source of 99.9999999% of all spam.

i half agree. any technique that pinches a spammer's success rate (which
means, the rate at which they hit blind trap addresses monitored by their
customers) will be cause for attention. this is information warfare, and
there's an effort budget on both sides, asymmetric though it damnably is.

however, "they'll start spooling" is simplistic. the compromised
middle-boxes don't have state -- nothing gets written to disk. these are
not mail relays, but rather, deliberately open proxies. if state were kept
it would be (a) evidence to be used against the spammer, and (b) cause for
the box-owner to notice the activity and perhaps scrape their malware.

the endgame for greylisting is the same as for every moderately successful
"antispam" technique. there will be a three-way schism. (1) some spammers
won't notice or won't care that their success rate drops, and they'll
eventually upgrade their spamware when somebody else improves it. (2) some
spammers will explore ways to keep state and do the retries necessary to
get past the greylist filters. (3) some spammers will just send everything
to everybody every 30 minutes, no matter whether the last response code
was 4xx or 5xx. all three will make themselves easier to triangulate upon,
and the conviction rate will edge upward slightly. (the things spammers do
to avoid brightmail and DCC smell really strong -- there's no mistaking
that kind of zwil for honest e-mail, even robotically.)

-- 
Paul Vixie
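As an added illustration (not part of the thread or of any of the tools it names), here is a minimal greylisting filter in Python that shows the state asymmetry the post argues about: the receiver keeps one small record per (client IP, envelope sender, envelope recipient) triplet, and a sender only gets past it by retrying after a minimum delay. The tunables, the addresses and the three sender behaviours (a queueing MTA, a fire-and-forget proxy, and the "everything every 30 minutes" sender from point 3) are constructed for the example.

```python
from dataclasses import dataclass

# Tunables, constructed for this example; real greylisting MTAs expose similar knobs.
MIN_DELAY = 300          # seconds a sender must wait before a retry is accepted
PENDING_TTL = 4 * 3600   # a deferred triplet that never retries is forgotten after this
KNOWN_TTL = 36 * 86400   # an accepted triplet stays whitelisted this long

DEFER = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


@dataclass
class Record:
    first_seen: float        # when the triplet was first deferred
    last_seen: float         # most recent attempt, used for expiry
    accepted: bool = False   # True once a retry got through


class Greylist:
    """The receiver's side: a few bytes of state per (ip, from, to) triplet."""

    def __init__(self):
        self.db: dict[tuple, Record] = {}

    def check(self, ip: str, mail_from: str, rcpt_to: str, now: float) -> str:
        key = (ip, mail_from.lower(), rcpt_to.lower())
        rec = self.db.get(key)
        if rec is not None:
            ttl = KNOWN_TTL if rec.accepted else PENDING_TTL
            if now - rec.last_seen > ttl:   # record expired: treat as first contact
                rec = None
        if rec is None:
            self.db[key] = Record(first_seen=now, last_seen=now)
            return DEFER
        rec.last_seen = now
        if rec.accepted or now - rec.first_seen >= MIN_DELAY:
            rec.accepted = True
            return ACCEPT
        return DEFER                         # retried too soon: still deferred


def simulate():
    """Constructed traffic: returns the response each sender saw per attempt."""
    gl = Greylist()
    # A real MTA queues the 4xx and retries after its 15-minute interval.
    mta = [gl.check("192.0.2.10", "alice@example.com", "bob@example.net", t) for t in (0, 900)]
    # An open proxy with no spool sends once and keeps nothing.
    proxy = [gl.check("198.51.100.7", "x@spam.invalid", "bob@example.net", t) for t in (0,)]
    # A sender that re-blasts every 30 minutes regardless of the last response code.
    blaster = [gl.check("203.0.113.5", "y@spam.invalid", "bob@example.net", t) for t in (0, 1800, 3600)]
    return mta, proxy, blaster
```

The blaster does get through on its second pass, which is the post's point 3: retrying without state is possible, but each deferral it ignores is another line in the receiver's log that distinguishes it from an MTA that retries once and moves on.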