[91754] in North American Network Operators' Group


Re: ISP wants to stop outgoing web based spam

daemon@ATHENA.MIT.EDU (Ken Simpson)
Fri Aug 11 12:04:57 2006

Date: Fri, 11 Aug 2006 09:02:26 -0700
From: Ken Simpson <ksimpson@mailchannels.com>
To: Peter Corlett <abuse@cabal.org.uk>
Cc: Barry Shein <bzs@world.std.com>, nanog@merit.edu
Reply-To: Ken Simpson <ksimpson@mailchannels.com>
In-Reply-To: <9E67A682-4919-4A58-96F7-D96882244158@cabal.org.uk>
Errors-To: owner-nanog@merit.edu


> On 10 Aug 2006, at 22:07, Barry Shein wrote:
> [...]
> >The vector for these has been almost purely Microsoft Windows.
> 
> I wonder. From the point of view of a MX host (as opposed to a  
> customer-facing smarthost), would TCP fingerprinting to identify the  
> OS and apply a weighting to the spam score be a viable technique?

We have been doing that in our traffic shaping SMTP transport for a
while now. We have found a 95% correlation between spam sources and
Windows hosts. If you drill down to specific versions of Windows, the
correlation is even higher.

For _blocking_ connections (as opposed to, say, just slowing them
down), you must combine host type with reputation information.

Regards,
Ken

-- 
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com

--
Suite 203, 910 Richards St.
Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741
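
The policy described in this message, as an added example (not code from the message or from MailChannels): a passive OS guess from the SYN adds weight to the spam score and can slow a sender down, while a reject also requires reputation evidence. The TTL/timestamp heuristic, the weights and thresholds, the `reputation` feed and the sample addresses are all constructed assumptions.

```python
from dataclasses import dataclass

INITIAL_TTLS = (32, 64, 128, 255)   # common initial TTLs; observed TTL rounds up
# Constructed weights and thresholds, for illustration only.
OS_WEIGHT = {"windows": 2.0, "unix-like": 0.0, "unknown": 0.5}
THROTTLE_AT = 2.0
REJECT_AT = 5.0

@dataclass(frozen=True)
class Syn:
    src: str             # connecting IP
    ttl: int             # TTL observed at the MX
    has_timestamp: bool  # TCP timestamp option present in the SYN

def guess_os(syn):
    """Coarse passive guess (assumed heuristic, not a signature database)."""
    initial = next((t for t in INITIAL_TTLS if syn.ttl <= t), 255)
    if initial == 128 and not syn.has_timestamp:
        return "windows"
    if initial == 64:
        return "unix-like"
    return "unknown"

def decide(syn, reputation, content_score=0.0):
    """Return (action, score). reputation maps IP -> penalty (hypothetical feed)."""
    rep_penalty = reputation.get(syn.src, 0.0)
    score = content_score + OS_WEIGHT[guess_os(syn)] + rep_penalty
    # Host type only adds weight; a reject also needs reputation evidence.
    if score >= REJECT_AT and rep_penalty > 0:
        return "reject", score
    if score >= THROTTLE_AT:
        return "throttle", score
    return "accept", score

if __name__ == "__main__":
    # Constructed sample data using documentation address ranges.
    feed = {"192.0.2.10": 3.5}
    for syn, content in [
        (Syn("192.0.2.10", 113, False), 0.0),
        (Syn("192.0.2.20", 116, False), 4.0),
        (Syn("198.51.100.7", 52, True), 0.0),
    ]:
        print(syn.src, guess_os(syn), *decide(syn, feed, content))
```

The second sample host scores above the reject threshold on host type and content alone, yet is only throttled because the feed holds nothing on it.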
