Just some additional data points as I have been following this and other
related C-R threads for a while now.
On Thu, 28 Aug 2003 12:35:25 +0100
"Karsten M. Self" <kmself@ix.netcom.com> wrote:
[ Snip ]
> Specific to my own experience: over half the C-R challenges (TMDA or
> otherwise) I've received have been for mail I didn't send. I expect
> this trend to increase in both magnitude and percentage. I'm likely to
> either ignore messages or filter them with other spam.
The only C-R challenges I've gotten were when I actually responded to Alan
Conner on D-U by accident. He had a habit of setting his reply-to and
Sylpheed-Claws honored it. Normally I hit reply and get the list. This
accounts for 3 C-R ever. Since then I've gotten at least a hundred or so in
recent days thanks to the virus going around.
[ Snip ]
> More chillingly, other users post Sobig.F stats:
> TMDA and Sobig.F virus - praise
> Sven Neuhaus <sn@heise.de>
> Thu, 21 Aug 2003 17:04:09 +0200
> http://mla.libertine.org/tmda-users/2003-08/msg00120.html
> In the last 3 days, I received more than 4000 copies of the Sobig.F
> virus. Thanks to TMDA, I didn't even notice it until today (when I
> noticed the 330megs in my pending folder).
> That's 4,000 innocent parties spammed with C-R challenges, if I'm
> interpreting what the meaning of 330 MiB in the pending folder is.
This... is scary. Within hours of one machine trying to hit me I had
blacklisted him at the firewall and implored my secondary MX to do the same.
It was because each instance of a bounce or the virus itself was 100k. Praise
for being ignorant of 4Gb of traffic being moved!? Praise for moving 4Gb in
bounces? That's bordering on criminal.
[ Snippage ]
> This then leaves a small number of messages daily to be assessed -- they
> are not viruses, spam, or on an existing whitelist.
> My question at this point is: why not simply look at the damned mail
> and figure out for yourself whether or not it's worth reading? We're
> probably talking something like a couple of items, a few times a week.
I posted a message to d-u a few weeks back with hard stats about that
narrow band. I think it came down to 4 a week as my rough estimate. And, so
far, not a single piece in that band was legitimate. I was in the process of
adjusting sa-exim's limitations downward since the band wasn't so narrow any
more. With Bayesian filters on, razor checked and auto-learning set to -2 and
+5 for ham and spam respectively my average ham score was quickly approaching
-5 and my average spam score was pushing well over 6 with very little, if
anything, in between. I think I saw 1-2 pieces a day with scores between
those two points. I figure if I adjusted my scores downward I would have been
able to cut that close to 1 every 10 days or so.
--
Steve C. Lamb | I'm your priest, I'm your shrink, I'm your
PGP Key: 8B6E99C5 | main connection to the switchboard of souls.
-------------------------------+---------------------------------------------
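Added example, not part of the original message or of any project it mentions: one way to measure the in-between band the message describes, by reading the SpamAssassin `X-Spam-Status` header of each message and bucketing the score. The band edges reuse the -2 and +5 auto-learn values quoted in the message as an assumption, and the sample messages are constructed.

```python
import re
from email import message_from_string

# Assumed band edges: the auto-learn values quoted in the message (-2 ham, +5 spam).
HAM_MAX, SPAM_MIN = -2.0, 5.0
# SpamAssassin 2.x wrote "hits=", later releases write "score=".
SCORE_RE = re.compile(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)")

def spam_score(raw_message):
    """Return the score from X-Spam-Status, or None if absent or unparseable."""
    header = message_from_string(raw_message).get("X-Spam-Status", "")
    match = SCORE_RE.search(header)
    return float(match.group(1)) if match else None

def bucket(score):
    """Classify a score as ham, spam, or the band that needs a human look."""
    if score is None:
        return "unscored"
    if score <= HAM_MAX:
        return "ham"
    if score >= SPAM_MIN:
        return "spam"
    return "review"

def summarize(raw_messages):
    """Count messages per bucket so the size of the review band is visible."""
    counts = {"ham": 0, "spam": 0, "review": 0, "unscored": 0}
    for raw in raw_messages:
        counts[bucket(spam_score(raw))] += 1
    return counts

# Constructed sample messages (headers only matter here).
SAMPLES = [
    "From: a@example.org\nX-Spam-Status: No, hits=-4.9 required=5.0\n\nhi\n",
    "From: b@example.org\nX-Spam-Status: Yes, hits=6.3 required=5.0\n\nbuy\n",
    "From: c@example.org\nX-Spam-Status: No, score=1.2 required=5.0\n\nhmm\n",
    "From: d@example.org\nX-Spam-Status: Yes, score=12.0 required=5.0\n\nbuy\n",
    "From: e@example.org\nSubject: never scanned\n\nhello\n",
    "From: f@example.org\nX-Spam-Status: No, hits=-0.5 required=5.0\n\nhmm\n",
]

if __name__ == "__main__":
    for name, count in summarize(SAMPLES).items():
        print(f"{name:9s} {count}")
```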