On Tue, Sep 28, 2004 at 10:00:29PM +0200, Marco d'Itri (md@Linux.IT) wrote:
> On Sep 28, Florian Weimer <fw@deneb.enyo.de> wrote:
>
> > Unfortunately, using BGP to combat spam on a large scale will result
> > in more spammers attacking BGP. As BGP provides no real
> This is not really a plausible threat model.
> And as you noticed, by-ASN blocking is very resource-intensive.

Bullshit.

  - You identify ASNs contributing significant quantities of spam. This
    can be done through a small number of spamtrap addresses (which may
    or may not be single-use addresses). These stats are updated
    independently of incoming mail on an hourly, daily, weekly,
    fortnightly, monthly, or blue-moonly basis.

  - You query the ASN to find its associated CIDR ranges. This can be
    done through several network sources. Since the major (say, top
    four) ASN spam sources change little month-to-month, and since there
    are so few who contribute so majorly to spam, this is a minor task
    even if manually completed, and it can almost certainly be
    automated.

  - You have a set of rules based on IP ranges (CIDRs advertised for the
    ASN) which you feed to your antispam defenses. These may be
    firewall rules, SMTP rules, or content-filtering rules. It is *NOT*
    necessary to perform the DNS query for each incoming email, though
    you may of course do so if you choose.

While I'm a fan of content-based filtering (e.g.: SpamAssassin,
Bayesian filters), I have to admit that they scale somewhat poorly on
large sites (though networked operation on a round-robin cluster might
be an improvement). By skimming off a large volume (25 - 50%) of spam
straight off the top, you're reducing your filtering load
commensurately.

Details on how one large US academic site gets very effective spam
filtering (95%+ from what I can tell) are in the following presentation.
The author's website has several other interesting articles and
presentations:

    http://darkwing.uoregon.edu/~joe/icplspam/icpl-spam-presentation.pdf
    http://darkwing.uoregon.edu/~joe/

More to the point, Marco's missed the concept entirely that ASN & CIDR
provide _data_ on _where_ spam is coming from, which can be used to tune
processes appropriately.

> I suggest the author of the original statistics to also try classifying
> the spam by announced network prefix, which I believe will show more
> interesting aggregation properties.

I've demonstrated how to do this: my method offers you *both* options.
CIDR and ASN are included in the same DNS query.
Peace.
--
Karsten M. Self <kmself@ix.netcom.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Save Bob Edwards! http://www.savebobedwards.com/
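The three-step procedure in the message above (count spamtrap hits per origin ASN, resolve the worst ASNs to their announced CIDRs, feed those CIDRs to the mail or firewall layer so that no per-message DNS query is needed), as an added example that is not part of the original mail or of any tool mentioned in it. The prefix-to-ASN table and the spamtrap hit list are constructed stand-ins (RFC 5737 documentation prefixes and private-use AS numbers, none of them real spam sources); in practice the table would be refreshed offline, on the same hourly-to-monthly schedule as the statistics, from whatever route or DNS source you use. It also shows the per-announced-prefix aggregation Marco asks for, since both views fall out of the same lookup.

```python
"""Added example: aggregate spamtrap hits by origin ASN and by announced
prefix, turn the top offenders' prefixes into a static CIDR block list, and
check inbound connections against it without any per-message DNS lookup."""
import ipaddress
from collections import Counter

# Constructed stand-in for the prefix->ASN lookup (normally a DNS or whois
# query run offline when the stats are refreshed). Documentation prefixes
# and private-use ASNs only; none of these are real spam sources.
ROUTE_TABLE = [
    ("192.0.2.0/25", 64496),
    ("192.0.2.128/25", 64496),
    ("198.51.100.0/24", 64497),
    ("203.0.113.0/24", 64498),
    ("203.0.113.0/26", 64498),  # more-specific announcement inside the /24
]

# Constructed spamtrap hits: the source IP of each trapped message.
SPAMTRAP_HITS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.200", "192.0.2.201", "192.0.2.202",
    "198.51.100.5",
    "203.0.113.7", "203.0.113.8", "203.0.113.9", "203.0.113.70",
    "10.0.0.1",  # no announced prefix covers this one
]


def build_routes(table):
    """Parse the table into (network, asn) pairs, most specific prefix
    first, so a linear scan gives longest-prefix matching."""
    routes = [(ipaddress.ip_network(p), asn) for p, asn in table]
    return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(ip, routes):
    """Return (network, asn) of the most specific prefix covering ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, asn in routes:
        if addr in net:
            return net, asn
    return None


def aggregate(hits, routes):
    """Count trap hits per origin ASN and per announced prefix; both views
    come from the same lookup. Returns (by_asn, by_prefix, unmatched)."""
    by_asn, by_prefix, unmatched = Counter(), Counter(), 0
    for ip in hits:
        found = lookup(ip, routes)
        if found is None:
            unmatched += 1
            continue
        net, asn = found
        by_asn[asn] += 1
        by_prefix[str(net)] += 1
    return by_asn, by_prefix, unmatched


def top_asns(by_asn, n, min_hits=2):
    """The n ASNs with the most hits, ignoring any below min_hits so one
    stray message never gets a whole network listed."""
    ranked = [asn for asn, c in by_asn.most_common() if c >= min_hits]
    return ranked[:n]


def block_list(asns, routes):
    """All prefixes announced by the chosen ASNs, merged into the smallest
    covering set of CIDRs (adjacent and nested prefixes collapse)."""
    chosen = set(asns)
    nets = [net for net, asn in routes if asn in chosen]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def compile_blocklist(cidrs):
    """Parse the CIDR strings once; this is what the mail path consults."""
    return [ipaddress.ip_network(c) for c in cidrs]


def is_blocked(ip, compiled):
    """Per-connection check: in-memory prefix matching, no DNS query."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in compiled)


def firewall_rules(cidrs):
    """Render the list as iptables rules dropping inbound SMTP from each
    CIDR (one possible consumer; an MTA access map would be another)."""
    return [f"iptables -A INPUT -p tcp --dport 25 -s {c} -j DROP" for c in cidrs]


if __name__ == "__main__":
    routes = build_routes(ROUTE_TABLE)
    by_asn, by_prefix, unmatched = aggregate(SPAMTRAP_HITS, routes)
    print("hits per ASN:", by_asn.most_common())
    print("hits per prefix:", by_prefix.most_common())
    print("unmatched hits:", unmatched)
    cidrs = block_list(top_asns(by_asn, 2), routes)
    print("\n".join(firewall_rules(cidrs)))
    compiled = compile_blocklist(cidrs)
    print("203.0.113.99 blocked:", is_blocked("203.0.113.99", compiled))
```

With the constructed data the two /25s of AS 64496 collapse to 192.0.2.0/24 and the nested /26 of AS 64498 disappears into its /24, so the rule set stays short regardless of how fragmented the announcements are. The `min_hits` floor and the top-n cut are the knobs that decide how aggressive the skim is; the prefix-level counts are there for spotting a single abusive block inside an otherwise clean ASN before deciding to list the whole thing.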