
Re: [Fwd: Re: Spamassasin over RBL, was Re: rblsmtpd -t?]



On Tue, 7 May 2002, Craig Sanders wrote:
> On Tue, May 07, 2002 at 12:22:26PM +1000, Russell Coker wrote:
[SNIP]
> > It is relevant.  In my spare time I run two small ISPs in Melbourne.
> > The total user-base of them both is <1000 users, logs are carefully
> > watched, and spam incidence is almost zero.  18 months ago I was
> > running one of Europe's larger ISPs with >500,000 users (probably
> > comparable to the entire online population of Australia).  The amount
> > of spam reports was hugely higher as you would expect primarily
> > because of having a larger user base.
>
> it's still not relevant.  a host is either a spam problem or not.  if it
> is a problem, then it should be blacklisted regardless of the size of
> the ISP responsible for it.  if it's not a problem, then it shouldn't be
> listed.

That is clear reasoning. However, things become less clear as soon as
you go on to define *when* a host must be considered a spam problem
then.

The criteria for that are never infallible, otherwise we wouldn't even
be having this discussion. They are always based on some heuristic that
reasons based on indirect data.

So what I don't understand is why you'd consider any heuristic that
pulls the size of the host into the equation as invalid a priori?
It may be just as valid as anything else.

Saying that only the information may be used whether a host is an open
relay is too simple a way out of this discussion. Sure, that criterion
is easy enough; there are no negative consequences at all to closing the
MTA, so the errors in the reasoning (spam often comes through open
relays, therefore all open relays are spam sources) don't really matter
because anybody can and should fix the problem anyway. Also, not
unimportantly, you can perform a conclusive test without manual
intervention.

However, this doesn't solve the problem at hand: spammers that just spam
from their IPs directly to recipients' MXes are not included at all in
this heuristic.

I hope you can follow the argument that it would be desirable to do
something about *that* as well, and that it makes sense for people to
try and devise some heuristic that shows correlation between its output
and whether a host is a spam problem.

Then, you may consider Spamcop's heuristic bad, sure. But so far it's
the only serious attempt at attacking the problems that are left once
you take the open relays out.

If you have a better way to decide whether a host is a direct spam
source than Spamcop's (effectively the complaints / output volume
ratio), then by all means, please share your wisdom. We may learn
something.

Even a heuristic that would leave out the complaints and use e.g.
Spamassassin's rules, you'd still need to factor in the output volume.
And it makes sense too, you know. If you would just change 'host' to
'person'.

At which point do you suggest to punish someone by disconnecting him
from the internet? After sending one spam message? Two? Even if he
sends a lot of other, highly esteemed mail, contributing greatly to arts
and sciences?

The point is, you'll inevitably arrive at some ratio to the total number
of messages sent. There's not only nothing wrong with Spamcop using
that.

Cheers,


Emile.

--
E-Advies / Emile van Bergen   |   e-advies@evbergen.xs4all.nl
tel. +31 (0)70 3906153        |   http://www.e-advies.info

