
Re: spam blocking engine

> Message-Id: <200212190417_(_dot_)_gBJ4Ha1D005465_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org>
> To: Marcus Watts <mdw_(_at_)_umich_(_dot_)_edu>
> cc: misc_(_at_)_openbsd_(_dot_)_org
> Subject: Re: spam blocking engine 
> In-reply-to: Your message of "Wed, 18 Dec 2002 23:08:11 EST."
>              <200212190408_(_dot_)_XAA68298_(_at_)_quince_(_dot_)_ifs_(_dot_)_umich_(_dot_)_edu> 
> Date: Wed, 18 Dec 2002 21:17:36 -0700
> From: Theo de Raadt <deraadt_(_at_)_cvs_(_dot_)_openbsd_(_dot_)_org>
> > Rejecting spam with a 550 type of error is a good thing.  I use 552 or
> > 553, not sure that's better or worse.  You don't actually want spam to
> > sit on the other machine's queue (which is what you'd get with most 400
> > class errors) - that just gives that machine the excuse to try to
> > deliver it to you again, and again, tying up network resources.
> No.  You're wrong.  It is PRECISELY what you want to do.  You want to
> make them suffer for it.
> Let them retry for 4 days, and perhaps run out of disk.  Let
> them retry sending it to me, rather than spending that time sending
> another piece of spam to someone else.  LET them retry!

There are oodles of open relays out there.  Some of them are very well
connected, and most of them are capable of trying multiple places at
once and not letting one slow remote mail host affect the rest.
Contrariwise, to take the case of grex, it has 1 small DSL connection.
Grex would suffer *long* before any open relay suffered.

More generally, there are so many new open relays being created all the
time by clueless people that even if you could make each open relay
machine melt down and belch black smoke, I doubt it would make any real
impact.  (Well, eventually it might -- I suppose people might stop
providing internet mail at all.)

> > Some
> > mailers are pretty stupid about retries, and will retry really quickly
> > if they can.
> Great! Let them!

Again, you must have better internet connectivity than I have.
At one point, I experimented with 451 error returns for full
mailboxes on grex.  I quickly learned that this was a really
bad idea.

> > If you aren't going to accept it, you *want* to return a
> > permanent failure which will leave the other machine with no legitimate
> > choice but to try to return it to the sender.
> Wow.  OK, I'm going to stop talking now.  Apparently you've not looked
> very much at spam.  None goes back to the sender.

Actually, I've looked a *lot* at spam.  A *LOT*.  I've been running
various anti-spam filters for 5 years now.  I have a library of 400 of
the things, against which I run regression tests.  I now also have over
30 megs of spam I haven't had time to research yet, because I've been
busy doing other things.

I agree, most spam bounces never reach the spammer.  But I also know
spammers do send out "test" messages.  And I watch as each new spam
filter I put on grex drops in efficiency as time goes on.  Some of that
is no doubt random evolution of spammer software, but I'm pretty sure
that at least some spammers do pay occasional attention to bounces,
that they use this to refine both their software and their lists which
they then exchange, and that this has made a difference to the
amount of spam grex gets.

> > Usually that means it
> > piles up in some postmaster box, but occasionally that means the
> > spammer actually gets to find out, and refine their list, hopefully to
> > exclude yours.
> Are you joking?
> Marcus, you don't understand what the goal is.  The goal is to make
> open relays suffer.

I will be very interested to know how successful you are.  You will
definitely want to bounce with a 4xx class error message.  You may want
to find a way to advertise addresses as spam bait too.  I
predict that if you succeed in making any difference, that you will
need a large amount of network bandwidth to do this.

					-Marcus Watts
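
The retry behaviour argued over in this thread, as an added example that is not part of the original message: a small model of how many delivery attempts a receiver answers for one message when it replies 4xx versus 5xx. The sender policies (retry intervals, backoff, and a 4-day queue lifetime taken from the quoted text) and the names `SenderPolicy`, `attempts_seen` and `link_load_bytes` are assumptions made for illustration.

```python
# Added illustration; every schedule and size below is an assumed value.
from dataclasses import dataclass

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class SenderPolicy:
    """Retry behaviour of a hypothetical sending MTA."""
    first_retry: int      # seconds to wait after the first deferral
    backoff: float        # multiplier applied to the wait after each deferral
    max_wait: int         # cap on the wait between attempts, in seconds
    queue_lifetime: int   # seconds a deferred message stays queued


def attempts_seen(reply_code: int, policy: SenderPolicy) -> int:
    """Count the connections the receiver answers for one message."""
    reply_class = reply_code // 100
    if reply_class not in (2, 4, 5):
        raise ValueError(f"not a final SMTP reply code: {reply_code}")
    if reply_class in (2, 5):
        # 2xx: accepted. 5xx: permanent failure, so a conforming sender
        # stops retrying and can only bounce the message.
        return 1
    # 4xx: transient failure; the message stays in the sender's queue and
    # is retried until the queue lifetime expires.
    attempts, clock, wait = 1, 0, policy.first_retry
    while clock + wait <= policy.queue_lifetime:
        clock += wait
        attempts += 1
        wait = min(int(wait * policy.backoff), policy.max_wait)
    return attempts


def link_load_bytes(reply_code, policy, messages, bytes_per_attempt):
    """Total traffic on the receiver's link for a batch of refused messages."""
    return attempts_seen(reply_code, policy) * messages * bytes_per_attempt


# Constructed policies: one backs off, one retries at a short fixed interval.
POLITE = SenderPolicy(first_retry=30 * 60, backoff=2.0, max_wait=4 * HOUR, queue_lifetime=4 * DAY)
EAGER = SenderPolicy(first_retry=60, backoff=1.0, max_wait=60, queue_lifetime=4 * DAY)

if __name__ == "__main__":
    for name, policy in (("polite", POLITE), ("eager", EAGER)):
        for code in (451, 550):
            print(name, code, attempts_seen(code, policy))
```

The receiver pays for every one of those attempts on its own link, which is the cost both sides of the thread are weighing against the cost imposed on the relay.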
