on Tue, Sep 28, 2004 at 10:00:29PM +0200, Marco d'Itri (md@Linux.IT) wrote:
> On Sep 28, Florian Weimer <fw@deneb.enyo.de> wrote:
>
> > Unfortunately, using BGP to combat spam on a large scale will result
> > in more spammers attacking BGP. As BGP provides no real
> This is not really a plausible threat model.

> And as you noticed, by-ASN blocking is very resource-intensive.

Bullshit.

- You identify ASNs contributing significant quantities of spam. This can be done through a small number of spamtrap addresses (which may or may not be single-use addresses). These stats are updated independently of incoming mail on an hourly, daily, weekly, fortnightly, monthly, or blue-moonly basis.

- You query the ASN to find its associated CIDR ranges. This can be done through several network sources. Since the major (say, top four) ASN spam sources change little month-to-month, and since there are so few who contribute so majorly to spam, this is a minor task even if manually completed, and it can almost certainly be automated.

- You have a set of rules based on IP ranges (CIDRs advertised for the ASN) which you feed to your antispam defenses. These may be firewall rules, SMTP rules, or content-filtering rules. It is *NOT* necessary to perform the DNS query for each incoming email, though you may of course do so if you choose.

While I'm a fan of content-based filtering (e.g.: SpamAssassin, Bayesian filters), I have to admit that they scale somewhat poorly on large sites (though networked operation on a round-robin cluster might be an improvement). By skimming off a large volume (25 - 50%) of spam straight off the top, you're reducing your filtering load commensurately.

Details on how one large US academic site gets very effective spam filtering (95%+ from what I can tell) are in the following presentation. The author's website has several other interesting articles and presentations:

http://darkwing.uoregon.edu/~joe/icplspam/icpl-spam-presentation.pdf
http://darkwing.uoregon.edu/~joe/

More to the point, Marco's missed the concept entirely that ASN & CIDR provide _data_ on _where_ spam is coming from, which can be used to tune processes appropriately.

> I suggest the author of the original statistics to also try classifying
> the spam by announced network prefix, which I believe will show more
> interesting aggregation properties.

I've demonstrated how to do this: my method offers you *both* options. CIDR and ASN are included in the same DNS query.

Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Save Bob Edwards!  http://www.savebobedwards.com/
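The three steps above (count spamtrap hits per ASN, map the worst ASNs to their advertised CIDRs, turn those CIDRs into rules) as an added Python example; this is not Karsten's code. The routing snapshot and spamtrap log are constructed from RFC 5737 documentation prefixes and RFC 5398 documentation ASNs; in practice the prefix-to-ASN data would come from the network sources the post mentions, and the iptables syntax is only one illustration of a "firewall rule".

```python
import ipaddress
from collections import Counter

# Constructed routing snapshot: advertised prefix -> origin ASN (documentation values only).
ROUTE_TABLE = {
    "192.0.2.0/24": 64496,
    "198.51.100.0/25": 64497,
    "198.51.100.128/25": 64498,
    "203.0.113.0/24": 64497,
}

# Constructed spamtrap log: "<timestamp> <source ip> <trap address>" per delivery attempt.
SPAMTRAP_LOG = """\
2004-09-28T10:00:01 192.0.2.17 trap1@example.net
2004-09-28T10:00:05 203.0.113.9 trap2@example.net
2004-09-28T10:01:11 203.0.113.44 trap1@example.net
2004-09-28T10:02:30 198.51.100.200 trap3@example.net
2004-09-28T10:03:02 203.0.113.9 trap2@example.net
2004-09-28T10:03:40 198.51.100.5 trap1@example.net
2004-09-28T10:04:00 10.1.2.3 trap1@example.net
"""

def build_table(routes):
    """Parse prefixes once and order them longest-first so lookups are longest-match."""
    nets = [(ipaddress.ip_network(p), asn) for p, asn in routes.items()]
    return sorted(nets, key=lambda e: e[0].prefixlen, reverse=True)

def origin_asn(table, ip):
    """Return the origin ASN of the most specific prefix covering ip, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in table if addr in net), None)

def hits_by_asn(log, table):
    """Step 1: aggregate spamtrap hits by origin ASN (done offline, not per incoming mail)."""
    counts = Counter()
    for line in log.splitlines():
        if line.strip():
            _ts, src, _trap = line.split()
            asn = origin_asn(table, src)
            if asn is not None:
                counts[asn] += 1
    return counts

def top_asns(counts, n):
    return [asn for asn, _ in counts.most_common(n)]

def prefixes_for(routes, asn):
    """Step 2: every CIDR advertised for the ASN in the snapshot."""
    return sorted(p for p, a in routes.items() if a == asn)

def block_rules(routes, asns):
    """Step 3: one SMTP-port firewall rule per advertised CIDR of each chosen ASN."""
    return [f"iptables -A INPUT -p tcp --dport 25 -s {p} -j REJECT  # AS{asn}"
            for asn in asns for p in prefixes_for(routes, asn)]
```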