I still have spammers trying to send mail to bogus addresses (users that left the company or never existed in the first place), and the traffic doesn't fall off. Actually, it has been getting heavier in recent weeks. Some of the addresses are from people that haven't worked here in years. Yesterday's stats below...

I'm working on a way to get my Linux box running SA2.6 to talk to the hardware firewall and block on the IP level automagically, that way my T isn't saturated with unnecessary traffic. It would only block port 25 traffic from the spammer's IP...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 30, 2003 1:13 AM
To: Upwood, Jim
Subject: Spam Stats for 10/29/2003

Bond, Schoeneck and King Spam Statistics

Total Incoming Internet E-mail (For REAL bsk users): 8185
Total Spam found by SpamAssassin: 4604
Total Ham (Legitimate E-mail): 3581
Total number of incoming mails sent to bogus addresses: 3710

56.24% of our Incoming Internet E-mail is Spam!

-Jim

Jim Upwood
System Administrator
Bond, Schoeneck, and King
Syracuse, NY

-----Original Message-----
From: VonEssen, John [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 23, 2003 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [SAtalk] Re: [OT] What is next step?

I am not sure if tar-pitting at a slow kbps rate will work. "If" I were a professional spammer, I would have a cluster of mail servers with aggressive timeouts. The timeouts would only allow mail to go to reasonably fast hosts. I would then use a fallback MX host to deal with all the slow mail.

For the tar-pitting to work, you would have to integrate it on a massive level. So many people (1000's) across the globe would have to set up standalone mail hosts with a capped data pipe, at say 16Kbps. Then they would have to post email addresses all over the internet to be harvested.

If you go this route then, maybe it might be easier to just aggressively post invalid email addresses all over the internet. By invalid, I mean an MX record exists, but the address will result in a 550. As a result the harvesting of addresses will become a dirtier process, yielding poorer lists.

All this relies on many assumptions. We assume spammers regularly harvest addresses off Usenet. We also assume that they clean their list when an address appears to be bad. Has anybody tested this?

As an experiment, I was thinking about posting a spamtrap address, and then see how long it takes for a sizable amount of spam to come in. Then, remove the user, resulting in 550.
Then monitor inbound attempts for that address and see at what rate the traffic falls off. For all we know, maybe spammers don't clean their lists, and they are already wasting resources on bad addresses.

John

-----Original Message-----
From: Jens Benecke [mailto:[EMAIL PROTECTED]
Sent: Tuesday, October 21, 2003 3:13 PM
To: [EMAIL PROTECTED]
Subject: [SAtalk] Re: [OT] What is next step?

Chris Santerre wrote:

> I block about 98% of the spam to my users. Many SA users at other
> companies simply mark it and deliver. Let's say for sake of argument that
> we can sustain a successful rate of tagging or blocking 90% of spam.
>
> What is the next step?
>
> We have all posted stats that prove that over 50% of email is spam. Now
> that we can tag or block (to user), it doesn't stop the traffic. I still
> have 50% traffic on the server as useless. What do we do? I'm serious
> about this. I've had a newfound passion against spammers this weekend,
> and I wish to go further. (They lambasted my grandfather over the week on
> his dialup. Vengeance will be mine!)

There is a way, though I haven't tested it yet (if the days only had 36 hours, ... plus 24 hours night)

We all know blackhole lists. Most/many people block or score based on blackhole lists. How about tying up spammers' resources by not blocking, but TARPITTING anybody who is on a (confirmed?) blackhole list like SPEWS?

The point is to prevent more spam. The only way to do that is to make the spammer *believe* it can send you more spam and invest resources into the task. Not accepting spam or dropping it after receiving it will just make the spammer move to the next open SMTP or proxy.

But what if mail, that comes from a spammer IP, is accepted, with 10 bytes per second? Or less? Just enough so that the spammer doesn't drop the connection. Then a single mail will take minutes instead of seconds to deliver. Maybe hours.
That means during that time, some of the spammer's resources are blocked, and he cannot spam anybody else. (e.g. the spammer sends max. 100 mails at a time, now he can only send 99 mails at a time, because one task is blocked. If enough people do it ...)

Ask Google for "teergrube" (German for tarpit), there are a lot of people doing this already, but not (yet) for mails.

--
Jens Benecke

_______________________________________________
Spamassassin-talk mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/spamassassin-talk
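
Added example, not part of the original thread and not any poster's code: one log pass that serves both the per-IP, port-25-only block described in the top message and the spamtrap fall-off measurement proposed in John's reply. The Postfix-style log format, the threshold of three distinct bogus recipients, the function names, and the iptables syntax standing in for the unnamed hardware firewall are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data: Postfix-style reject lines (the MTA and log format
# are assumptions; the thread names neither). IPs are documentation ranges.
_FMT = ("{0} 01:02:03 mx postfix/smtpd[311]: NOQUEUE: reject: RCPT from "
        "unknown[{1}]: 550 <{2}>: User unknown; from=<x@example.net>")
_EVENTS = [
    ("Oct 27", "192.0.2.10", "trap@example.com"), ("Oct 27", "192.0.2.10", "gone1@example.com"),
    ("Oct 27", "192.0.2.10", "gone2@example.com"), ("Oct 27", "198.51.100.7", "trap@example.com"),
    ("Oct 27", "203.0.113.5", "trap@example.com"), ("Oct 28", "192.0.2.10", "trap@example.com"),
    ("Oct 28", "203.0.113.5", "trap@example.com"), ("Oct 28", "198.51.100.7", "jsmtih@example.com"),
    ("Oct 29", "192.0.2.10", "trap@example.com"),
]
SAMPLE_LOG = "\n".join(
    [_FMT.format(*e) for e in _EVENTS]
    + ["Oct 29 01:02:04 mx postfix/smtpd[311]: connect from unknown[192.0.2.10]"])

REJECT = re.compile(
    r"^(\w{3}\s+\d+) \S+ \S+ postfix/smtpd\[\d+\]: NOQUEUE: reject: "
    r"RCPT from \S*\[([\d.]+)\]: 550 <([^>]+)>")

def parse_rejects(log):
    """Return (day, ip, recipient) for each 550 recipient rejection."""
    return [m.groups() for m in map(REJECT.match, log.splitlines()) if m]

def block_candidates(rejects, min_bogus=3):
    """IPs that tried at least min_bogus *distinct* nonexistent recipients.
    Counting distinct addresses keeps a single mistyped address from a real
    correspondent from triggering a block."""
    seen = defaultdict(set)
    for _day, ip, rcpt in rejects:
        seen[ip].add(rcpt.lower())
    return sorted(ip for ip, rcpts in seen.items() if len(rcpts) >= min_bogus)

def port25_rules(ips):
    """Port-25-only drops, in iptables syntax as a stand-in for the firewall."""
    return [f"iptables -I INPUT -s {ip} -p tcp --dport 25 -j DROP" for ip in ips]

def falloff(rejects, address):
    """Attempts per day against one removed or spamtrap address, in log order."""
    per_day = Counter(day for day, _ip, rcpt in rejects if rcpt.lower() == address)
    return list(per_day.items())

if __name__ == "__main__":
    rejects = parse_rejects(SAMPLE_LOG)
    print("\n".join(port25_rules(block_candidates(rejects))))
    print(falloff(rejects, "trap@example.com"))
```

Blocks produced this way should carry an expiry, since addresses on dial-up and proxy ranges change hands and a permanent port-25 drop will eventually hit a legitimate sender.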