Fred T wrote:
Hello Steve,
Saturday, March 8, 2008, 11:56:46 PM, you wrote:
Now, I'm no expert on spam-bots, but it strikes me that the 'bots might
want to remove failed addresses from their lists to make them more
efficient. A 550 error returned at the protocol level will immediately
notify the 'bot that the addressee is bad. Whether the 'bot then removes
the addressee from the list is a matter of implementation, but if the
reduction in spam directed at the Town that we have seen is any
indication, the 'bots might just function in this manner (or at least
some of them).
This is interesting and I wonder why different sites would see
different behavior. We see a bot attempt to deliver a message and
get rejected and then almost immediately we see the same message from
another bot get rejected. So from our perspective we see the bots
working together to attempt to circumvent IP-based blacklists.
And we block invalid recip's and they keep sending no matter what!
I also see the same zombies retrying many times with a different sender.
I guess they have some blind retry strategy that consists of retrying
with a different sender and/or from a different IP. I am not seeing any
evidence of list washing.
I wanted to see if these were real retries, that is, they occur because
the transaction is rejected, or if the bots resend whether the
transaction is rejected or not, so I configured some of the "highly
targeted" addresses to accept mail. I found that few spam is sent
multiple times (so that's an automatic retry, even if the message was
accepted) and other spam is only received once.
Given the size of a spam, it is tempting to accept and discard instead
of rejecting. Unfortunately, this is risky (except for "obviously"
invalid addresses).
We've been using SpamAssassin for 4 years and blocking during the
SMTP session (or during protocol stage as you state it) and we've
never seen a decrease in spam except for the downtime between new
versions of the malware that drives them!
I have an MRTG graph of # of spam blocked in transit and it's been
consistently 52-56k a day for years!! I always notice a huge
decrease over the weekend and it picks up big-time during the week.
From 40k on the weekend to an average peak of 54k weekdays.
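
One way to measure the behaviours discussed in this thread from your own logs (retries after a rejection versus resends after acceptance, and whether repeat attempts switch IP or sender), as an added example that is not part of the original messages. The log format, field names, digests and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical log format (not from the thread).
SAMPLE_LOG = """\
2008-03-08T10:00:01 ip=203.0.113.5 from=a@example.net to=nouser@example.org digest=d1 code=550
2008-03-08T10:00:04 ip=198.51.100.7 from=b@example.net to=nouser@example.org digest=d1 code=550
2008-03-08T10:02:30 ip=198.51.100.7 from=c@example.net to=nouser@example.org digest=d1 code=550
2008-03-08T11:15:00 ip=192.0.2.44 from=x@example.com to=gone@example.org digest=d2 code=550
2008-03-08T12:00:00 ip=192.0.2.90 from=y@example.com to=trap@example.org digest=d3 code=250
2008-03-08T12:00:09 ip=192.0.2.91 from=z@example.com to=trap@example.org digest=d3 code=250
"""

LINE_RE = re.compile(r"(?P<ts>\S+) ip=(?P<ip>\S+) from=(?P<sender>\S+) "
                     r"to=(?P<rcpt>\S+) digest=(?P<digest>\S+) code=(?P<code>\d{3})")

def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.fullmatch, log_text.splitlines()) if m]

def classify(events):
    """Group attempts by (message digest, recipient) and label each group."""
    groups = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        groups[(ev["digest"], ev["rcpt"])].append(ev)
    report = {}
    for key, attempts in groups.items():
        first_code = attempts[0]["code"]
        if len(attempts) == 1:
            label = "single-attempt"        # a lone 5xx here is consistent with list washing
        elif first_code.startswith("5"):
            label = "retry-after-reject"    # kept sending despite the rejection
        else:
            label = "resend-after-accept"   # blind resend, not triggered by a reject
        report[key] = {
            "label": label,
            "first_code": first_code,
            "attempts": len(attempts),
            "distinct_ips": len({a["ip"] for a in attempts}),
            "distinct_senders": len({a["sender"] for a in attempts}),
        }
    return report

if __name__ == "__main__":
    for key, info in classify(parse(SAMPLE_LOG)).items():
        print(key, info)
```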