[TAG] (forw) Re: More on the antispam regime (was: Delaveaux)
rick at linuxmafia.com
Fri Apr 21 10:44:35 MSD 2006
----- Forwarded message from "Karsten M. Self" <karsten at linuxmafia.com> -----
Date: Thu, 20 Apr 2006 22:31:37 -0700
From: "Karsten M. Self" <karsten at linuxmafia.com>
To: TAG <tag at lists.linuxgazette.net>
To: Rick Moen <rick at linuxmafia.com>
Subject: Re: More on the antispam regime (was: Delaveaux)
on Tue, Apr 18, 2006 at 12:21:25PM -0700, Rick Moen (rick at linuxmafia.com) wrote:
> Jimmy Regan replied to TAG querent Marcin Niewalda <marcin at okiem.pl>:
> > Myl, e to pomyka: pan napisa do listy adresowego magazynu internetu.
> > Dlatego e nasz magazyn jest napisany w angielskim, przetumaczyem
> > e-mail Pana. Adres, kt?rego Pan szuka, jest Delaveaux at
> > heagmedianet.de ale myl, e ten pan mowi tylko po angielsku i po
> > niemiecku; a nie wiem, czy ten adres jest nadal aktualny.
> For example, if the prior-hop IP on a 419-fraud spam corresponds to
> hostname mx105.exampleisp.com, then blackholing it would be dumb: For
> one thing, impliedly exampleisp.com has at least 104 other mail
> exchangers. For another, I'm not necessarily eager to pronounce
> anathema on exampleisp.com just because of _one_ 419 fraudmail. That
> could happen to almost anyone operating an MTA. It could happen to me
> (but only until I tracked down the user on my system who did it and...
> reasoned with him).
NB: I've found that over the past several years, 419ers seem to
overwhelmingly adopt a single webmail provider. In the past year it's
been Hotmail and Disney's Go.com service (I've worked with both
organizations to, er, encourage resolution). Last I checked it seemed
to be settling with a particularly unsavor Italian ISP, which may just
kill a flock of seagulls with one 1980s pop rock reference.
> I'm reminded of a passage in my friend Karsten Self's (CC'd) excellent
> recent analysis paper "CIDR House Rules: Use of BGP Router Data to
> Identify and Address Sources of Internet Abuse":
Y'know, I think I know that guy....
> While blocklisting is one possible option, I'd very much like to see
> the discussion move beyond that point. A preferred approach is what I
> term "proportionate response". First: you'll likely want rules to
> traffic percentage, and severity of abuse, as suited specific needs.
> Fine levels of control are therefore possible; operators are not
> reduced to all-or-nothing responses to abuse.
> I don't yet have the toolsets to implement Karsten's excellent advice,
> though I admire its judicious approach.
Thanks. Re-reading that at a month or so's remove, I think I still like
it. I'd also _really_ like to see some tools implementing the concepts
>  http://linuxmafia.com/~karsten/cidr-house-rules.pdf Recommended.
> Abstract: "BGP router data may be used to identify contiguous regions of
> network space from which significant abuse is observed. Experience
> suggests a strong power-law relationship in ranking such sources.
> Applying this knowledge in abuse countermeasures may markedly reduce
> filtering overhead while minimizing inadvertant blocking and increasing
> total costs to abuse-tolerant networks."
Hrm.... That almost sounds sufficiently interesting to read ;-)
Karsten M. Self <karsten at linuxmafia.com> http://linuxmafia.com/~karsten
Ceterum censeo, Caldera delenda est.
----- End forwarded message -----
More information about the TAG