Re: [Asrg] Too Big to Block?

Ian Eiloart <iane@sussex.ac.uk> Thu, 09 July 2009 09:29 UTC

Return-Path: <iane@sussex.ac.uk>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BD5273A680F for <asrg@core3.amsl.com>; Thu, 9 Jul 2009 02:29:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.452
X-Spam-Level:
X-Spam-Status: No, score=-2.452 tagged_above=-999 required=5 tests=[AWL=0.147, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5oN4h+VchiWj for <asrg@core3.amsl.com>; Thu, 9 Jul 2009 02:29:49 -0700 (PDT)
Received: from karpinski.uscs.susx.ac.uk (karpinski.uscs.susx.ac.uk [139.184.14.85]) by core3.amsl.com (Postfix) with ESMTP id CFA103A6C83 for <asrg@irtf.org>; Thu, 9 Jul 2009 02:29:44 -0700 (PDT)
Received: from lewes.staff.uscs.susx.ac.uk ([139.184.134.43]:52636) by karpinski.uscs.susx.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.64) (envelope-from <iane@sussex.ac.uk>) id KMID2H-0006VO-MX for asrg@irtf.org; Thu, 09 Jul 2009 10:30:17 +0100
Date: Thu, 09 Jul 2009 10:30:11 +0100
From: Ian Eiloart <iane@sussex.ac.uk>
Sender: iane@sussex.ac.uk
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <60AE6CC05FE080B010A5B4A8@lewes.staff.uscs.susx.ac.uk>
In-Reply-To: <4A54E4A0.30309@nortel.com>
References: <20090623213728.1825.qmail@simone.iecc.com> <4A41D773.50508@telmon.org> <4A41E506.2010106@mines-paristech.fr> <20090624160052.B5DC62428A@panix5.panix.com> <4A426B9D.7090901@mines-paristech.fr> <4A43618A.6000205@tana.it> <4A4F7DD0.4040404@billmail.scconsult.com> <4A51D35E.70306@tana.it> <4A52C36D.6040207@billmail.scconsult.com> <20090708141747.GA2822@gsp.org> <20090708155704.GN15652@verdi> <4A54E4A0.30309@nortel.com>
Originator-Info: login-token=Mulberry:01gE/oa+mwVtDBvDzN7HXzxFve5scJxeN19bo=; token_authority=support@its.sussex.ac.uk
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Sussex: true
X-Sussex-transport: remote_smtp
Subject: Re: [Asrg] Too Big to Block?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2009 09:29:50 -0000

--On 8 July 2009 14:25:36 -0400 Chris Lewis <clewis@nortel.com> wrote:

> John Leslie wrote:
>
>>    More useful is something like, "Hotmail MTA #49 is sending more spam
>> than usual right now: more severe graylisting might be called for."
>
> What good does graylisting do to a real MTA?  Unless MTA #49 is sending
> you enough email that forcing it to requeue causes it problems, it won't
> do anything useful.

It represents a cost to the provider for being sloppy about their account 
management. And, a cost to their users for sticking with an irresponsible 
provider. It's hard to tell your own users, "we don't accept mail from 
Hotmail because some of it's spam", but you might get away with "email from 
Hotmail often takes an hour or two because we need to check that it's not 
spam".

And you could, in principle, quarantine a copy of the message during the 
greylist interval (e.g., using Exim's "fakedefer" facility). That message 
could be compared with others, to give more accurate content based spam 
scores. You might want to lower your spam threshold if you see several 
copies to distinct recipients, or even from distinct senders.

Or, it could be manually inspected and then rejected next time it is seen. 
I'd like to have some kind of GUI tool that allowed me to see copies of 
greylisted messages in quarantine, so I could flag them up for rejection 
later.

In fact, you could even give such a tool to a user - perhaps putting it 
behind a "this is spam" button!

Finally, if the provider is using SPF or DKIM, and you have a match, then 
you can safely blacklist the sender if you're certain they're spamming. 
That's the beauty of reliable identification mechanisms - it lets me 
blacklist sender addresses in the knowledge that I've got the right address.

> We've tended to let our automated defenses "fire where they may".  If MTA
> #49 is sending us so much spam that the defenses fire, they fire, and we
> don't whitelist.
>
> If the problem gets bad enough, we block /24s worth.  With MSN and Yahoo,
> that turns out to work particularly well, because at least with Nigerian
> floods and their provisioning methods, specific /24s tend to be
> substantially worse than others.
>
> Then we make a big public & private noise.  And sometimes things get
> better.



-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
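The greylist-with-quarantine idea in Ian's message above (defer new sender/recipient triplets, keep a copy of the deferred message, lower the content-score threshold when the same content shows up for several recipients or from several senders, and only blacklist a sender address when SPF/DKIM confirmed it) worked through as an added example. This is not code from the thread and not Exim's fakedefer; it is a self-contained Python model. The content score (`content_score`) and the authentication result (`auth_pass`) are assumed to come from an upstream filter and an upstream SPF/DKIM check; the addresses, IPs and message bodies are constructed for the demo.

```python
import hashlib
import re
from dataclasses import dataclass

GREYLIST_DELAY = 300   # seconds a new (client IP, sender, recipient) triplet is deferred
BASE_THRESHOLD = 5.0   # content score at or above which a retried message is rejected
MIN_THRESHOLD = 1.0    # never lower the threshold past this, however many copies we saw


@dataclass(frozen=True)
class Message:
    client_ip: str
    mail_from: str
    rcpt_to: str
    body: str
    auth_pass: bool = False  # assumed: SPF or DKIM pass for mail_from's domain, from an upstream check


def fingerprint(body: str) -> str:
    """Campaign fingerprint: lowercase, collapse whitespace, mask digits so that
    per-recipient tokens (tracking ids, counters) do not defeat the comparison."""
    norm = re.sub(r"\s+", " ", body.lower()).strip()
    norm = re.sub(r"\d+", "#", norm)
    return hashlib.sha256(norm.encode()).hexdigest()


class Greylist:
    def __init__(self, delay=GREYLIST_DELAY, base=BASE_THRESHOLD):
        self.delay = delay
        self.base = base
        self.first_seen = {}        # triplet -> time of first attempt
        self.quarantine = {}        # fingerprint -> set of (mail_from, rcpt_to) seen while deferred
        self.rejected_fps = set()   # fingerprints flagged via "this is spam"
        self.blacklist = set()      # sender addresses flagged, only when authenticated

    def threshold_for(self, fp: str) -> float:
        """Lower the threshold by one point per extra distinct recipient and per
        extra distinct sender that delivered the same content during greylisting."""
        copies = self.quarantine.get(fp, set())
        recipients = {r for _, r in copies}
        senders = {s for s, _ in copies}
        t = self.base - max(len(recipients) - 1, 0) - max(len(senders) - 1, 0)
        return max(t, MIN_THRESHOLD)

    def decide(self, msg: Message, now: float, content_score: float) -> str:
        """Return 'reject', 'defer' or 'accept' for one SMTP delivery attempt."""
        fp = fingerprint(msg.body)
        if msg.mail_from in self.blacklist or fp in self.rejected_fps:
            return "reject"
        key = (msg.client_ip, msg.mail_from, msg.rcpt_to)
        first = self.first_seen.setdefault(key, now)
        if now - first < self.delay:
            # fakedefer-style: answer 4xx, but keep a copy for cross-message comparison
            self.quarantine.setdefault(fp, set()).add((msg.mail_from, msg.rcpt_to))
            return "defer"
        return "reject" if content_score >= self.threshold_for(fp) else "accept"

    def flag_as_spam(self, msg: Message) -> None:
        """The 'this is spam' button: reject this content next time it is seen, and
        blacklist the sender address only if SPF/DKIM vouched for it."""
        self.rejected_fps.add(fingerprint(msg.body))
        if msg.auth_pass:
            self.blacklist.add(msg.mail_from)


# Constructed sample content: one spam run with a per-recipient id, one legitimate note.
SPAM = "Dear friend, claim your prize at http://example.invalid/win?id={}"
HAM = "Hi Alice, minutes from Thursday's meeting are attached. Ian"


def run_demo():
    g = Greylist()
    spam = [Message("192.0.2.49", f"user{i}@hotmail.example", f"{r}@sussex.example",
                    SPAM.format(1000 + i), auth_pass=True)
            for i, r in enumerate(["alice", "bob", "carol"])]
    ham = Message("192.0.2.49", "friend@hotmail.example", "alice@sussex.example", HAM, auth_pass=True)
    log = []
    for i, m in enumerate(spam):
        log.append(g.decide(m, now=10 * i, content_score=3.5))   # new triplets: deferred, copies kept
    log.append(g.decide(ham, now=0, content_score=0.5))          # first sight of the ham: deferred too
    log.append(g.decide(spam[0], now=400, content_score=3.5))    # retry: 3 recipients/3 senders -> threshold 1.0 -> reject
    log.append(g.decide(ham, now=400, content_score=0.5))        # retry: unique content, threshold 5.0 -> accept
    g.flag_as_spam(spam[1])                                      # authenticated sender -> blacklisted
    fresh = Message("192.0.2.50", spam[1].mail_from, "dave@sussex.example", "Totally different text", auth_pass=True)
    log.append(g.decide(fresh, now=500, content_score=0.0))      # blacklisted address: rejected before greylisting
    unauth = Message("192.0.2.51", "forged@hotmail.example", "erin@sussex.example", SPAM.format(7))
    g.flag_as_spam(unauth)                                       # no SPF/DKIM pass: content flagged, address not blacklisted
    return g, log


if __name__ == "__main__":
    greylist, decisions = run_demo()
    print(decisions)
    print(sorted(greylist.blacklist))
```

The unauthenticated case is the one worth noticing: flagging a forged sender still rejects the content next time, but it does not put the forged address on the blacklist, since without an SPF or DKIM pass there is no evidence the address was really used by the spammer.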