Re: [Asrg] Too Big to Block?

"Chris Lewis" <clewis@nortel.com> Wed, 08 July 2009 18:25 UTC

John Leslie wrote:

>    More useful is something like, "Hotmail MTA #49 is sending more spam
> than usual right now: more severe graylisting might be called for."

What good does graylisting do to a real MTA?  Unless MTA #49 is sending 
you enough email that forcing it to requeue causes it problems, it won't 
do anything useful.

We've tended to let our automated defenses "fire where they may".  If 
MTA #49 is sending us so much spam that the defenses fire, they fire, 
and we don't whitelist.

If the problem gets bad enough, we block /24s worth.  With MSN and 
Yahoo, that turns out to work particularly well, because at least with 
Nigerian floods and their provisioning methods, specific /24s tend to be 
substantially worse than others.

Then we make a big public & private noise.  And sometimes things get better.
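
Added example, not part of the original message or of the poster's systems: a minimal sketch of the escalation described above, rolling per-message spam verdicts up to the enclosing /24 so that the ranges that are substantially worse than others stand out. The thresholds, function names and sample log are assumptions; the addresses are constructed from documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: (connecting IP, spam verdict) per delivery attempt.
# Addresses come from documentation ranges (RFC 5737), not real senders.
SAMPLE_LOG = (
    [("192.0.2.%d" % (10 + i % 5), True) for i in range(45)]
    + [("192.0.2.20", False)] * 5
    + [("198.51.100.%d" % (1 + i % 8), False) for i in range(90)]
    + [("198.51.100.7", True)] * 10
    + [("203.0.113.9", True)] * 3
)

# Assumed thresholds; the message gives no numbers.
MIN_MESSAGES = 20   # ignore /24s with too little traffic to judge
BLOCK_RATIO = 0.80  # spam fraction at which the whole /24 is blocked


def per_slash24(log):
    """Return {network: (spam_count, total_count)} keyed by enclosing /24."""
    counts = defaultdict(lambda: [0, 0])
    for ip, is_spam in log:
        net = ipaddress.ip_network(ip + "/24", strict=False)
        counts[net][0] += int(is_spam)
        counts[net][1] += 1
    return {net: tuple(c) for net, c in counts.items()}


def slash24s_to_block(log, min_messages=MIN_MESSAGES, ratio=BLOCK_RATIO):
    """List /24s whose spam ratio crosses the threshold, worst first."""
    flagged = [
        (spam / total, net)
        for net, (spam, total) in per_slash24(log).items()
        if total >= min_messages and spam / total >= ratio
    ]
    return [str(net) for _, net in sorted(flagged, reverse=True)]


if __name__ == "__main__":
    for net, (spam, total) in sorted(per_slash24(SAMPLE_LOG).items()):
        print(f"{net}: {spam}/{total} spam ({spam / total:.0%})")
    print("block:", slash24s_to_block(SAMPLE_LOG))
```

The minimum-volume floor keeps a /24 seen only a handful of times from being blocked on a 100% ratio over three messages.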