[TAG] (forw) Re: More on the antispam regime (was: Delaveaux)
Rick Moen
rick at linuxmafia.com
Fri Apr 21 10:44:35 MSD 2006
----- Forwarded message from "Karsten M. Self" <karsten at linuxmafia.com> -----
Date: Thu, 20 Apr 2006 22:31:37 -0700
From: "Karsten M. Self" <karsten at linuxmafia.com>
To: TAG <tag at lists.linuxgazette.net>
To: Rick Moen <rick at linuxmafia.com>
Subject: Re: More on the antispam regime (was: Delaveaux)
on Tue, Apr 18, 2006 at 12:21:25PM -0700, Rick Moen (rick at linuxmafia.com) wrote:
> Jimmy Regan replied to TAG querent Marcin Niewalda <marcin at okiem.pl>:
>
> > I think this is a mistake: you have written to the mailing list of an
> > internet magazine. Because our magazine is written in English, I have
> > translated your e-mail. The address you are looking for is Delaveaux at
> > heagmedianet.de, but I think that gentleman speaks only English and
> > German; and I do not know whether that address is still current.
<...>
> For example, if the prior-hop IP on a 419-fraud spam corresponds to
> hostname mx105.exampleisp.com, then blackholing it would be dumb: For
> one thing, impliedly exampleisp.com has at least 104 other mail
> exchangers. For another, I'm not necessarily eager to pronounce
> anathema on exampleisp.com just because of _one_ 419 fraudmail. That
> could happen to almost anyone operating an MTA. It could happen to me
> (but only until I tracked down the user on my system who did it and...
> reasoned with him).
NB: I've found that over the past several years, 419ers seem to
overwhelmingly adopt a single webmail provider. In the past year it's
been Hotmail and Disney's Go.com service (I've worked with both
organizations to, er, encourage resolution). Last I checked it seemed
to be settling with a particularly unsavory Italian ISP, which may just
kill a flock of seagulls with one 1980s pop rock reference.
> I'm reminded of a passage in my friend Karsten Self's (CC'd) excellent
> recent analysis paper "CIDR House Rules: Use of BGP Router Data to
> Identify and Address Sources of Internet Abuse"[1]:
Y'know, I think I know that guy....
> While blocklisting is one possible option, I'd very much like to see
> the discussion move beyond that point. A preferred approach is what I
> term "proportionate response". First: you'll likely want rules to
<...>
> traffic percentage, and severity of abuse, as suited specific needs.
> Fine levels of control are therefore possible; operators are not
> reduced to all-or-nothing responses to abuse.
>
> I don't yet have the toolsets to implement Karsten's excellent advice,
> though I admire its judicious approach.
Thanks. Re-reading that at a month or so's remove, I think I still like
it. I'd also _really_ like to see some tools implementing the concepts
emerge.
> [1] http://linuxmafia.com/~karsten/cidr-house-rules.pdf Recommended.
> Abstract: "BGP router data may be used to identify contiguous regions of
> network space from which significant abuse is observed. Experience
> suggests a strong power-law relationship in ranking such sources.
> Applying this knowledge in abuse countermeasures may markedly reduce
> filtering overhead while minimizing inadvertent blocking and increasing
> total costs to abuse-tolerant networks."
Hrm.... That almost sounds sufficiently interesting to read ;-)
Peace.
--
Karsten M. Self <karsten at linuxmafia.com> http://linuxmafia.com/~karsten
Ceterum censeo, Caldera delenda est.
----- End forwarded message -----
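An added illustration of the aggregation idea sketched in the abstract above (my example, not code from Karsten's paper or from anyone on this thread): attribute prior-hop IPs to the announced prefix that covers them, rank prefixes by their share of observed abuse, and pick a tiered response instead of blackholing on one report. The prefix table, AS numbers, IPs and thresholds are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed stand-in for a BGP-derived prefix table (prefix -> origin AS).
# Real data would come from a RIB dump or route-view; these values are made up.
PREFIX_TABLE = {
    "192.0.2.0/24": "AS64496",
    "198.51.100.0/24": "AS64497",
    "203.0.113.0/24": "AS64498",
    "198.51.100.0/26": "AS64499",  # more-specific announcement inside the /24
}
PREFIXES = sorted((ipaddress.ip_network(p) for p in PREFIX_TABLE),
                  key=lambda n: n.prefixlen, reverse=True)

# Constructed abuse observations: prior-hop IPs taken from rejected or reported mail.
OBSERVED = (["198.51.100.7"] * 6 + ["198.51.100.9"] * 3   # all inside the /26
            + ["203.0.113.77"] * 4
            + ["192.0.2.10"])                              # one stray 419 from a big MX

def origin_prefix(ip):
    """Longest-prefix match, the way a router resolves which announcement covers an address."""
    addr = ipaddress.ip_address(ip)
    for net in PREFIXES:
        if addr in net:
            return str(net)
    return None

def rank_sources(ips):
    """Count abuse per announced prefix; return (prefix, count, share) in rank order."""
    counts = Counter(p for p in map(origin_prefix, ips) if p)
    total = sum(counts.values())
    return [(p, c, c / total) for p, c in counts.most_common()]

def proportionate_response(count, share, min_reports=3, block_share=0.5):
    """Tiered action: below a report floor do nothing, heavy sources get blocked, others greylisted."""
    if count < min_reports:
        return "none"      # a single fraudmail through an ISP's MX is not grounds to blackhole it
    return "block" if share >= block_share else "greylist"

def decide(ips):
    """Map each abuse-originating prefix to the action its rank and volume warrant."""
    return {p: proportionate_response(c, s) for p, c, s in rank_sources(ips)}
```

Swapping in a real prefix table and an hours-long window of rejects gives the per-netblock view the abstract describes; the thresholds are where an operator tunes "proportionate".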