On Sat, 25 Aug 2007, Marc Perkel wrote:

> Rob McEwen wrote:
>
> > (2) On the other hand, consider the scenario where a single e-mail
> > address is Joe Jobbed in millions of spams... and that address is
> > valid (and this is quite common as worms play musical chairs with
> > infected computers' address books... using real, not guessed,
> > addresses!). If more ISPs were using SAV... particularly large ones...
> > wouldn't that essentially trigger such a large amount of SAV traffic
> > for that particular innocent domain's mail server that it would then
> > turn into a DDOS attack... just for a single large spam run?
>
> If someone did that their IP address would be quickly blacklisted
> and their server shut down. They wouldn't be able to send millions
> of emails that way. Your senereo is impossible.

Why do you think spammers use botnets?

(FYI, "scenario")

> > Therefore, I suppose that SAV is relatively harmless if fewer and
> > smaller ISPs use it... but it could cause many problems if more widely
> > adopted. It fails the "what if everyone were doing this" test.
>
> You have to do SAV right.

There is no guarantee people will do it "right". If it's a DDoS risk when
improperly implemented, then people are right to be suspicious of it if not
outright hostile to it.

> I eliminate all the spambot spam first. Then I cull out the
> blacklisted spam. Then I fast-track the whitelisted hosts which
> allows about 65% of all good email through. Then I cull out other
> tricks that only spammers use. I then verify the recipient and
> after all that I verify the sender. So I'm only verifying less
> than 1% of all incoming connections. But the verification cuts out
> a lot of spam before going into SA.

Bravo for you. How many admins, when presented with an "Enable SAV" checkbox
in their MTA configuration wizard, are going to worry about it to the degree
you have? Or even be aware of the issues surrounding its use? How many will
say "Oooo! Shiny!" and enable it without taking any steps to mitigate abusive
failure modes?

> And - more importantly - spammers don't use my domains to spam
> others because my servers are SAV friendly and spammers prefer
> using domains that either pass everything.

Question: how do you know they aren't using forged addresses from your
domains? I don't doubt the claim, I just wonder how you're determining that
fact.

-- 
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  I'm seriously considering getting one of those bright-orange prison
  overalls and stencilling PASSENGER on the back. Along with the paper
  slippers, I ought to be able to walk right through security.
                                               -- Brian Kantor in a.s.r
-----------------------------------------------------------------------
 Today: The 1928th anniversary of the destruction of Pompeii
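The thread's two points, that SAV is only safe when it runs last behind the cheap checks and that a Joe-jobbed address turns naive per-message callouts into a flood against the forged domain, as a constructed Python simulation added here (not code from the list or from any poster). The listed IPs, whitelisted host, local mailbox, the per-domain cap of 10 and the callout stub that merely counts probes are all assumptions.

```python
from collections import Counter

LISTED_IPS = {"203.0.113.5", "198.51.100.9"}  # constructed: spambot + DNSBL hits
WHITELISTED_HOSTS = {"mail.example.net"}      # constructed: fast-tracked senders
LOCAL_RCPTS = {"alice@example.org"}           # constructed: valid local mailboxes

class Verifier:
    """Stage order: listed IPs -> whitelist -> recipient check -> SAV last."""
    def __init__(self, staged=True, max_callouts_per_domain=10):
        self.staged = staged
        self.max = max_callouts_per_domain
        self.cache = {}                  # sender address -> last SAV result
        self.per_domain = Counter()      # sender domain -> callouts issued
        self.probes = 0                  # traffic the forged domain would see

    def _callout(self, sender):
        self.probes += 1                 # stand-in for the SMTP RCPT probe
        return True                      # constructed: remote says it exists

    def handle(self, ip, helo, rcpt, sender):
        if not self.staged:              # naive SAV: probe every connection
            return "accept" if self._callout(sender) else "reject"
        if ip in LISTED_IPS:
            return "reject:listed"
        if helo in WHITELISTED_HOSTS:
            return "accept:whitelist"
        if rcpt not in LOCAL_RCPTS:
            return "reject:unknown-rcpt"
        if sender in self.cache:         # one probe per address, not per message
            return "accept:cached" if self.cache[sender] else "reject:cached"
        domain = sender.rsplit("@", 1)[-1]
        if self.per_domain[domain] >= self.max:
            return "defer:ratelimited"   # stop amplifying against one domain
        self.per_domain[domain] += 1
        self.cache[sender] = self._callout(sender)
        return "accept:sav" if self.cache[sender] else "reject:sav"

def joe_job(n, staged, distinct_senders=False):
    """n spams from fresh, unlisted IPs forging victim.example addresses;
    returns how many SAV probes victim.example's server would receive."""
    v = Verifier(staged=staged)
    for i in range(n):
        sender = f"user{i if distinct_senders else 0}@victim.example"
        v.handle(f"192.0.2.{i % 250 + 1}", f"bot{i}.example.com",
                 "alice@example.org", sender)
    return v.probes

if __name__ == "__main__":
    print(joe_job(10000, staged=False))                        # 10000
    print(joe_job(10000, staged=True))                         # 1
    print(joe_job(10000, staged=True, distinct_senders=True))  # 10
```

The naive verifier relays one probe per spam to the innocent domain, while caching collapses a single forged address to one probe and the per-domain cap bounds a run that rotates forged local parts.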