Re: [Asrg] An Anti-Spam Heuristic

Alessandro Vesely <vesely@tana.it> Sun, 16 December 2012 11:50 UTC

On Fri 14/Dec/2012 05:39:21 +0100 Chris Lewis wrote:
> Ooh, quantitative ;-)
> 
> For grins, I took one of my smaller spamtraps and applied a 30 second
> banner delay.  I wanted to quantify
> 
> "And a lot of spamware doesn't flunk."
> 
> In the timestamps below, the change happened at 04:52.
> 
> Flow per minute:
> [snip]
>     156 2012/12/14-04:51
>      30 2012/12/14-04:52
> 
> A 3:1 spam reduction is nothing to sneeze at.

You need at least 15 daemons accepting 2 msgs/minute each to get 30
messages, while at, say, 60 msgs/minute 3 daemons can take 180.

> Oh, as a FYI, relatively few connections failed to wait for the banner.

Can you confirm the max-daemons limit wasn't hit?  A deadly slow TCP
backlog could cause clients to time out.  In that case, banner delay
would work similarly to random connection dropping as done, e.g., by
stockade (see http://en.wikipedia.org/wiki/Stockade_%28software%29).

On a real MX, rather than being fixed at 30 seconds, the banner delay
should be made proportional to the spammitude reckoned for the sending
IP.  Sort of tarpitting, perhaps not the FUSSP itself, but...
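
Added example, not part of the original message: a small queueing model of the max-daemons question raised above, showing how a fixed daemon pool alone caps accepted sessions once every session is held for the banner delay. The 156/minute rate is the pre-change figure quoted in the thread; the pool sizes, the 60-second client timeout and all function names are assumptions made for illustration.

```python
import heapq

def capacity_per_min(daemons, hold_s):
    """Upper bound on sessions/minute when each session holds a daemon for hold_s."""
    return daemons * 60.0 / hold_s

def simulate(connections, daemons, client_timeout_s=60.0):
    """connections: (arrival_s, hold_s) pairs sorted by arrival time.
    A client waits in the listen backlog until a daemon is free and gives up
    if that wait exceeds client_timeout_s. Returns (served, timed_out)."""
    free_at = [0.0] * daemons            # min-heap: when each daemon is next idle
    served = timed_out = 0
    for arrival, hold in connections:
        start = max(arrival, free_at[0])
        if start - arrival > client_timeout_s:
            timed_out += 1               # client left before any banner was sent
            continue
        heapq.heapreplace(free_at, start + hold)
        served += 1
    return served, timed_out

def constant_load(per_min, minutes, hold_s):
    """Constructed traffic: evenly spaced connections, all with the same hold time."""
    n = per_min * minutes
    return [(i * 60.0 / per_min, hold_s) for i in range(n)]

# Constructed scenario: 156 connections/minute for 10 minutes, each session
# holding a daemon for the 30 s banner delay (pool sizes are assumptions).
LOAD = constant_load(156, 10, hold_s=30.0)

def run():
    return {
        "small_pool": simulate(LOAD, daemons=15),    # pool limit is hit
        "large_pool": simulate(LOAD, daemons=200),   # pool limit is never hit
    }

if __name__ == "__main__":
    print(capacity_per_min(15, 30.0), capacity_per_min(3, 1.0))
    for name, (ok, lost) in run().items():
        print(f"{name}: served={ok} timed_out={lost}")
```

Because each connection carries its own hold time, the same model can be fed per-IP delays to size the daemon pool for a proportional banner delay.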