Re: [Asrg] An Anti-Spam Heuristic

Michael Thomas <mike@mtcc.com> Fri, 14 December 2012 01:27 UTC

Return-Path: <mike@mtcc.com>
X-Original-To: asrg@ietfa.amsl.com
Delivered-To: asrg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 976BF21F8C02 for <asrg@ietfa.amsl.com>; Thu, 13 Dec 2012 17:27:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.979
X-Spam-Level:
X-Spam-Status: No, score=-1.979 tagged_above=-999 required=5 tests=[AWL=-0.620, BAYES_00=-2.599, SARE_LWSHORTT=1.24]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KWt0zNH16ZNh for <asrg@ietfa.amsl.com>; Thu, 13 Dec 2012 17:27:04 -0800 (PST)
Received: from mtcc.com (mtcc.com [IPv6:2001:5a8:4:9fe0:224:8cff:feaa:6d9b]) by ietfa.amsl.com (Postfix) with ESMTP id D701421F8C01 for <asrg@irtf.org>; Thu, 13 Dec 2012 17:27:03 -0800 (PST)
Received: from piolinux.mtcc.com (63-171-70-53.dsl.volcano.net [63.171.70.53] (may be forged)) (authenticated bits=0) by mtcc.com (8.14.3/8.14.3) with ESMTP id qBE1QxVB016743 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 13 Dec 2012 17:27:00 -0800
Message-ID: <50CA805E.3010100@mtcc.com>
Date: Thu, 13 Dec 2012 17:26:54 -0800
From: Michael Thomas <mike@mtcc.com>
User-Agent: Thunderbird 2.0.0.14 (X11/20080501)
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <SNT002-W143FB9A867C92FA80D90E04C54E0@phx.gbl> <DA14FA4D-13CB-4C61-90C4-4E690F0EC745@blighty.com> <SNT002-W1393526B62C0940EF697B2C54E0@phx.gbl> <20682.3413.665708.640636@world.std.com> <50CA0E91.2080304@mtcc.com> <20682.23612.451287.246798@world.std.com>
In-Reply-To: <20682.23612.451287.246798@world.std.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=1979; t=1355448421; x=1356312421; c=relaxed/simple; s=thundersaddle.kirkwood; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=mtcc.com; i=mike@mtcc.com; z=From:=20Michael=20Thomas=20<mike@mtcc.com> |Subject:=20Re=3A=20[Asrg]=20An=20Anti-Spam=20Heuristic |Sender:=20 |To:=20Anti-Spam=20Research=20Group=20-=20IRTF=20<asrg@irtf .org> |Content-Type:=20text/plain=3B=20charset=3DISO-8859-1=3B=20 format=3Dflowed |Content-Transfer-Encoding:=207bit |MIME-Version:=201.0; bh=XBjorcbUdnMqv+3O2LDYgf2MeHtmfgdOP00B3fFEg8s=; b=VN5ABD0j2/y3dBmfcehVvv272pTn8NJkgnpdIizPSc3rnBNk0qkj2jhKAm vmHTInAYoHHdJ/Yi/hIyrgbE+nkc/9rsRL4M7ovTheUsUgxH/+0YDDaHwWbV xA2RoHcIBMJNU1wueYEj3N5MXdFjd6G+8xGSaV6qtiN3hKPDtYaxg=;
Authentication-Results: mtcc.com; v=0.1; dkim=pass header.i=mike@mtcc.com ( sig from mtcc.com/thundersaddle.kirkwood verified; ); dkim-asp=pass header.From=mike@mtcc.com
Cc: Barry Shein <bzs@world.std.com>
Subject: Re: [Asrg] An Anti-Spam Heuristic
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/options/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Dec 2012 01:27:04 -0000

Barry Shein wrote:
> On December 13, 2012 at 09:21 mike@mtcc.com (Michael Thomas) wrote:
>  > On 12/13/2012 09:16 AM, Barry Shein wrote:
>  > > There's also Jef Poskanzer's greymilter which basically requires one
>  > > re-send from each never before seen mail server not in a white list.
>  > >
>  > > And sendmail (and others') HELO delay (delay sending HELO a short
>  > > period of time) and don't speak until you're spoken to whatever they
>  > > call it (I use it, the sender must wait for the SMTP responses, can't
>  > > just dump an SMTP conversation at you.)
>  > >
>  > > They're basically isomorphic to hashcash type solutions, increase the
>  > > sender's cost, but very transparent and quite clever because of that.
>  > >
>  > Given botnets, anything that tries to shift burden back onto the
>  > sender is not very likely to be effective in the long run. Yes, you
>  > might get some short term relief, but the firehose is just a software
>  > update away.
> 
> Has this been measured (reference)? Or is this just one of those
> "truisms" that kick around here?
> 
> I'm thinking that a spammer has to put out on the order of a billion
> messages (attempts) per day to be interesting.
> 
> If you slowed those down that would be a blow to them, a billion times
> even a little is a lot.
> 
> Sure, we can postulate infinite botted systems I suppose.
> 
> But that's still just a wild guess.
> 
> I'm not arguing for hashcash per se, I think it has other problems,
> but I also wonder if this counter-claim is really true.
> 
> Or, put better, can we quantify it?

If tarpitting and other such things were the FUSSP, then everybody would use them,
and the unicorns would come out of hiding. If spammers haven't adjusted their botnet
software, then it really says that there's no evolutionary pressure for them to do so.
If there is, they will do so. What else would they do? Go out of business? They aren't stupid.

Mike