Re: several messages

"Chris Lewis" <clewis@nortel.com> Thu, 13 November 2008 17:43 UTC


der Mouse wrote:
>>> It _does_ mean that someone to whom email is important had better do
>>> due diligence in selecting DNSBLs - just as someone to whom a car is
>>> important had better do due diligence in selecting a mechanic [...]
>> I agree with that.  But easier still is to set up your own spam traps
>> and run your own spamfilter.  Which is what I think most actually do.

> Not easier for me; not easier for the ISP I work for (I'm part of its
> collective postmaster).  I, at home, and we, at work, find DNSBLs by
> far the lower-cost answer, after all the costs are tallied (dollars
> spent, human time, false positives, false negatives, machines, disk
> space, network bandwidth, the list of forms costs can take is long).

In today's climate, you have to have very large spamtraps to do an
effective job in driving your own filters unless you have an atypical
spam load.  If you have users that are being hit by BOTnets, your
spamtrap has to be in the 100s of thousands of emails per day, if not
larger, to be able to derive the right information to tune filters to an
effective level.

We're a large company, and we've been able, through our legacy
domains and "gracious donations", to get our traps up to about 10-20M per
day.  That alone does a pretty good job.  But even we, despite how big
our traps are and how well they do, get considerable extra effectiveness
by using DNSBLs.  At least one of these DNSBLs, via mutterings in the
woodworks, has spamtraps that are effectively more than 2 orders of
magnitude bigger than ours.  Yikes.

Someone of the size of AOL or Gmail can do the spamtrap game all by
themselves - internally, they usually generate source IP reputation
lists (however distributed) in addition to other techniques to use that
information.  But almost everyone smaller needs much more trap than they
can realistically construct themselves.

Small sites with usually atypical spam loads can often do just fine with
very much smaller data sources.  It's amazing how much different the
spam profile can be at small sites.  But they generally don't work
nearly as well once scaled up to larger environments with more
representative loadings.

As one datapoint to show how uneven spam distribution is: we have 45,000
recipients.  Fully half of them get virtually no spam at all.  If we
segregated those people off on their own mail servers, they wouldn't
need filtering.  Meanwhile, the other half get lots.  One poor sod was
getting 4,000-16,000 spams/day for the better part of a year - no
useable commonality whatsoever in what he was getting nor where it was
coming from.  The only explanation for that, ironic as it may be, is
that he was on lots of IETF mailing lists for a very long time that got
scraped over and over again.  The only solution - just what got past the
filters at 99%+ effectiveness was overwhelming - was for him to change
his email address (actually we all did, the company domain name got
changed.  Not because of this, but it helped anyway, causing a huge
discontinuity in spam volumes.).

[Most of the high rollers in our "spam sweepstakes" are long-term IETF
mailing list members on the same address... Long-term IEEE list
membership is also a big factor.]