[91757] in North American Network Operators' Group


Re: ISP wants to stop outgoing web based spam

daemon@ATHENA.MIT.EDU (Ken Simpson)
Fri Aug 11 12:20:49 2006

Date: Fri, 11 Aug 2006 09:15:35 -0700
From: Ken Simpson <ksimpson@mailchannels.com>
To: Alexander Harrowell <a.harrowell@gmail.com>
Cc: Peter Corlett <abuse@cabal.org.uk>,
	Barry Shein <bzs@world.std.com>, nanog@merit.edu
Reply-To: Ken Simpson <ksimpson@mailchannels.com>
In-Reply-To: <a2b2d0480608110909o5749ae58kfe9eb716d489f2b@mail.gmail.com>
Errors-To: owner-nanog@merit.edu


Alexander Harrowell [11/08/06 17:09 +0100]:
> Holding the geek snobbery for a moment, I don't think I've ever worked
> anywhere where the e-mail wasn't MSExchange...so that would kill 100% of
> "e-mail containing actual financially meaningful information".

Yes it would if host type was the only factor you used to decide
whether to block a connection. It would be silly and unwise to block
based on host type alone. However in the absence of any other
information about an IP, it's at least a good and safe way to trigger
rate limiting or throttling of a connection. Once the sender gets a
few good mails through and proves its worthiness, its good reputation
will vastly outweigh the host type.

Legitimate senders don't move around a lot, so their positive
reputation has time to build. Spammers on the other hand use very
short-lived IPs which do not have a chance to build reputation.

The next iteration for spammers will be to move in a big way toward
sending via legitimate outbound mail servers. A previous thread was
already discussing a variant of this technique, where webmail accounts
are automatically plundered from cafes in Nigeria to exploit the good
reputation of ISPs.

Regards,
Ken

> On 8/11/06, Ken Simpson <ksimpson@mailchannels.com> wrote:
> >
> >
> >> On 10 Aug 2006, at 22:07, Barry Shein wrote:
> >> [...]
> >> >The vector for these has been almost purely Microsoft Windows.
> >>
> >> I wonder. From the point of view of a MX host (as opposed to a
> >> customer-facing smarthost), would TCP fingerprinting to identify the
> >> OS and apply a weighting to the spam score be a viable technique?
> >
> >We have been doing that in our traffic shaping SMTP transport for a
> >while now. We have found a 95% correlation between spam sources and
> >Windows hosts. If you drill down to specific versions of Windows, the
> >correlation is even higher.
> >
> >For _blocking_ connections (as opposed to, say, just slowing them
> >down), you must combine host type with reputation information.
> >
> >Regards,
> >Ken
> >
> >--
> >MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com
> >
> >--
> >Suite 203, 910 Richards St.
> >Vancouver, BC, V6B 3C1, Canada
> >Direct: +1-604-729-1741
> >

-- 
MailChannels: Reliable Email Delivery (TM) | http://mailchannels.com

--
Suite 203, 910 Richards St.
Vancouver, BC, V6B 3C1, Canada
Direct: +1-604-729-1741
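The decision logic Ken describes (host type alone is only enough to throttle; blocking requires reputation evidence, and an accumulated good reputation outweighs the host type) can be made concrete with a small policy engine. The following is an added illustration, not code from the thread or from MailChannels; the `HOST_TYPE_PRIOR` values, the thresholds, and the sample IPs are constructed assumptions, and the "95% correlation" figure from the thread is deliberately not used as an input.

```python
"""Toy SMTP connection-policy engine (added example, not from the thread).

Combines a passive OS fingerprint label with a per-IP reputation score.
With no history the host-type prior dominates and can at most throttle;
as accepted/rejected message counts accumulate, the reputation term takes
over and can either clear a host or, with enough evidence, block it.
"""

from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    ACCEPT = "accept"
    THROTTLE = "throttle"   # e.g. slow the connection / cap messages per hour
    BLOCK = "block"


@dataclass
class Reputation:
    accepted: int = 0   # messages delivered cleanly from this IP
    rejected: int = 0   # messages rejected as spam from this IP

    def evidence(self) -> int:
        return self.accepted + self.rejected

    def score(self) -> float:
        # Laplace-smoothed acceptance ratio in (0, 1); 0.5 when nothing is known.
        return (self.accepted + 1) / (self.evidence() + 2)


# Assumed prior probability that a connection from a given host type is spam.
# These numbers are constructed for the example, not measured values.
HOST_TYPE_PRIOR = {
    "windows-desktop": 0.9,
    "linux": 0.3,
    "unknown": 0.5,
}


class Policy:
    def __init__(self, throttle_threshold: float = 0.6,
                 block_threshold: float = 0.85, min_evidence: int = 5) -> None:
        self.throttle_threshold = throttle_threshold
        self.block_threshold = block_threshold
        self.min_evidence = min_evidence   # messages seen before blocking is allowed
        self.reps: dict = {}               # ip -> Reputation

    def record(self, ip: str, accepted: bool) -> None:
        """Feed back the outcome of one message so reputation can build."""
        rep = self.reps.setdefault(ip, Reputation())
        if accepted:
            rep.accepted += 1
        else:
            rep.rejected += 1

    def risk(self, ip: str, host_type: str) -> float:
        """Blend the host-type prior with observed reputation.

        Weight w moves from 0 (no history: prior only) toward 1 as evidence
        accumulates, so a long-lived sender's behaviour outweighs its OS.
        """
        rep = self.reps.get(ip, Reputation())
        prior = HOST_TYPE_PRIOR.get(host_type, HOST_TYPE_PRIOR["unknown"])
        n = rep.evidence()
        w = n / (n + self.min_evidence)
        return (1 - w) * prior + w * (1 - rep.score())

    def decide(self, ip: str, host_type: str) -> Action:
        r = self.risk(ip, host_type)
        n = self.reps.get(ip, Reputation()).evidence()
        # Blocking needs both high risk and enough observed messages;
        # a fingerprint alone can never get past THROTTLE.
        if r >= self.block_threshold and n >= self.min_evidence:
            return Action.BLOCK
        if r >= self.throttle_threshold:
            return Action.THROTTLE
        return Action.ACCEPT


if __name__ == "__main__":
    policy = Policy()
    # Constructed sample IPs (documentation ranges), not real senders.
    print(policy.decide("198.51.100.7", "windows-desktop"))  # throttle: prior only
    for _ in range(10):
        policy.record("198.51.100.7", accepted=True)
    print(policy.decide("198.51.100.7", "windows-desktop"))  # accept: reputation wins
    for _ in range(8):
        policy.record("203.0.113.9", accepted=False)
    print(policy.decide("203.0.113.9", "windows-desktop"))   # block: prior + evidence
```

The `min_evidence` guard is what keeps the policy from doing what Alexander objects to: an Exchange server that has never been seen is slowed, not refused, and ten clean deliveries are enough to move it to `ACCEPT` despite the Windows prior. It also shows why short-lived spam IPs never benefit: each fresh address starts back at the prior with no accumulated score.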
