Re: [Asrg] In case anyone thought Barry was exaggerating

"Chris Lewis" <clewis@nortelnetworks.com> Tue, 01 July 2003 17:48 UTC

Message-ID: <3EFC568C.3080905@americasm01.nt.com>
From: Chris Lewis <clewis@nortelnetworks.com>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02
X-Accept-Language: en-us, en
MIME-Version: 1.0
CC: Asrg@ietf.org
Subject: Re: [Asrg] In case anyone thought Barry was exaggerating
References: <5.2.0.9.2.20030626111203.00b4eb68@std5.imagineis.com> <5.2.0.9.2.20030626172459.00bd9290@std5.imagineis.com> <5.2.0.9.2.20030626235411.00bb9dc8@std5.imagineis.com>
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Fri, 27 Jun 2003 10:37:00 -0400

Yakov Shafranovich wrote:

> I read over the transcripts; unfortunately my current bandwidth is way 
> too small for the videos. Well, Dr. Hancock's stuff is definitely 
> chilling, especially the parts about the new 802.16 wireless standard 
> with over 30 Mbps going in a radius of 30 miles. Just think of all the 
> zombies and open relays that could be set up. A lot of the stuff he said 
> seems to support Barry's arguments that viruses, zombies and infected 
> computers are a major source of spam.

A lot of what everyone on that panel said supported that, especially 
Nick and Michael, and my comment (which should be on the transcript).

Machines that are open proxies (whether by naive AnalogX installs or wormed 
spamware) are responsible for at _least_ 70% of all of our spam.

Some numbers off the spamtrap (numbers are: total over the past 7 days, 
percentage of the entire spamtrap):

List          Hits (7 days)   % of spamtrap
BOPM                6611509           35.70
MONKEYPROXY        10091018           54.48
NTauto              1519398            8.20
NTliar             13481631           72.79
OBproxies           2784368           15.03
OSproxy              396490            2.14
OSsocks             8478399           45.78

These are effectiveness rates on our spamtrap against various open proxy 
blacklists.  DNSBL users will recognize several of these. NT* are ones 
we build ourselves. "NTauto" is a combined "open relay and proxy" 
blacklist which doesn't generally overlap with others (it won't perform 
a test if the IP is blacklisted by anybody else).

"NTliar" is a very specialized blacklist detecting attacks from open 
proxies.  And in case you're wondering about its reliability, in the 
three weeks since NTliar was developed, it hasn't had a _single_ false 
positive.  Ever.

No, sorry, I cannot reveal how NTliar works without an NDA.

If you use DNSBLs, or even if you don't, there's no excuse not to use a 
good open proxy blacklist.



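Added example (not code from the list post or from any of the blacklists named above): how a spamtrap operator could produce a per-list effectiveness table like the one in the message, plus the union coverage that the overlapping percentages hide. The spamtrap records, the list nicknames as dictionary keys and the DNSBL zone name are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed sample: each spamtrap delivery records the connecting IP and
# which blacklists (by nickname) listed that IP at delivery time.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_HITS = [
    ("198.51.100.7", {"OSsocks", "MONKEYPROXY", "NTliar"}),
    ("198.51.100.7", {"OSsocks", "MONKEYPROXY", "NTliar"}),
    ("203.0.113.45", {"BOPM", "NTliar"}),
    ("192.0.2.99", set()),            # delivered, listed by nobody
    ("203.0.113.46", {"NTauto"}),     # NTauto only tests IPs nobody else lists
]


def dnsbl_query_name(ip, zone):
    """Name a DNSBL client looks up: the IPv4 octets reversed, then the zone.

    Only the name is built here; no DNS query is sent, so this runs offline.
    """
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def effectiveness(hits):
    """Per-list (hit count, % of all spamtrap deliveries).

    Lists overlap, so the percentage column can sum to well over 100,
    exactly as in the table in the post.
    """
    total = len(hits)
    counts = Counter(name for _, lists in hits for name in lists)
    return {n: (c, round(100.0 * c / total, 2)) for n, c in sorted(counts.items())}


def union_coverage(hits, names):
    """Share of deliveries caught by at least one of the named lists."""
    wanted = set(names)
    caught = sum(1 for _, lists in hits if lists & wanted)
    return round(100.0 * caught / len(hits), 2)


def format_table(stats):
    """Render the effectiveness dict in the same plain-text layout as the post."""
    lines = ["%-12s %12s %8s" % ("List", "Hits", "%")]
    for name, (count, pct) in stats.items():
        lines.append("%-12s %12d %8.2f" % (name, count, pct))
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_table(effectiveness(SAMPLE_HITS)))
    print("any list:", union_coverage(SAMPLE_HITS, effectiveness(SAMPLE_HITS)))
    print(dnsbl_query_name("198.51.100.7", "dnsbl.zone.example"))
```

Because the percentages are per list, the useful operational number is the union: how much of the trap any of the lists you actually query would have blocked.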
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg