Re: [Asrg] An Anti-Spam Heuristic

Martijn Grooten <martijn.grooten@virusbtn.com> Fri, 14 December 2012 10:26 UTC

> But, in a sentence, creating an economy around spam-fighting, an economic
> incentive to fight fraud, would help because money focuses the mind.

I think it's good to keep in mind that we (the anti-spam industry/community) are actually doing rather well at blocking spam. Catch rates are extremely high, false positive rates quite low. There's definitely still room for improvement, particularly among the edges, but if you want to argue for a new way to fight spam, especially one that radically changes the way email works, you will have to explain why it will work even better.

What we're particularly good at is fighting botnet spam. Global spam levels have decreased in the past four years, largely due to a significant decrease in spam sent via botnets. What is still being sent is relatively easy to block.

Botnet resources, vast as they may be, are ultimately limited and botnets come with a price tag too (literally, on the underground market). And the profit margins on spam, especially botnet spam, are already extremely small. So it may well be that someone will come up with a very clever way of increasing the cost of sending spam via botnets that will make it financially uninteresting for botherders to do so. I seriously wonder how much this would improve things. Of all the things bad guys can do with botnets, sending spam does relatively little harm, and because it involves doing something that home PCs generally aren't supposed to do (namely making outbound connections on TCP port 25), it helps ISPs detect infected customers.

Martijn.
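
The point above about outbound TCP port 25 connections helping ISPs spot infected customers can be turned into a simple flow-log check. This is an added example, not part of the original message; the flow record format, the customer pool, the relay address and the thresholds are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumed values for illustration (documentation address ranges, RFC 5737).
CUSTOMER_POOL = ipaddress.ip_network("198.51.100.0/24")  # residential subscribers
ISP_RELAYS = {ipaddress.ip_address("192.0.2.25")}         # sanctioned outbound relay
MIN_DISTINCT_DSTS = 3   # distinct remote port-25 hosts before flagging
WINDOW_SECONDS = 300    # sliding window length

# Constructed flow records: epoch_seconds src dst proto dst_port
SAMPLE_FLOWS = """\
1000 198.51.100.7 203.0.113.10 tcp 25
1010 198.51.100.7 203.0.113.11 tcp 25
1015 198.51.100.7 203.0.113.12 tcp 25
1020 198.51.100.8 192.0.2.25 tcp 25
1030 198.51.100.8 203.0.113.10 tcp 443
1040 198.51.100.9 203.0.113.10 tcp 25
2000 198.51.100.9 203.0.113.11 tcp 25
2500 198.51.100.9 203.0.113.12 tcp 25
1050 192.0.2.25 203.0.113.10 tcp 25
"""

def parse_flows(text):
    """Yield (ts, src, dst, proto, port) tuples from whitespace-separated lines."""
    for line in text.splitlines():
        ts, src, dst, proto, port = line.split()
        yield int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(port)

def direct_smtp_suspects(flows):
    """Return {customer_ip: most distinct port-25 destinations in any window}."""
    events = defaultdict(list)
    for ts, src, dst, proto, port in flows:
        # Only direct-to-MX traffic from subscribers counts; mail handed to the
        # ISP's own relay is what a home PC is expected to do.
        if proto == "tcp" and port == 25 and src in CUSTOMER_POOL and dst not in ISP_RELAYS:
            events[src].append((ts, dst))
    suspects = {}
    for src, seen in events.items():
        seen.sort()
        best = 0
        for i, (start, _) in enumerate(seen):
            dsts = {d for t, d in seen[i:] if t - start <= WINDOW_SECONDS}
            best = max(best, len(dsts))
        if best >= MIN_DISTINCT_DSTS:
            suspects[str(src)] = best
    return suspects

if __name__ == "__main__":
    print(direct_smtp_suspects(parse_flows(SAMPLE_FLOWS)))
```

The subscriber that contacts the same three hosts spread over 25 minutes is not flagged, which shows how the window keeps a slow, occasional sender apart from a burst to many mail servers.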

