On Tuesday 22 June 2004 11.37, Niccolo Rigacci wrote:
> You say that because unwanted mail comes often from a dynamic
> address, you will block all dynamic addresses. What do you think
> if I block all the mail originated from a Windows machine, simply
> because many Windows machines are infected and send viruses/spam?

Blocking spam is all about maximizing false negatives while minimizing
false positives while spending as little effort as possible on the
problem.
As it happens, blocking dynamic IP ranges does this to some extent.
Blocking mail from Windows machines probably would get the false
negatives up quite some way, but unfortunately would probably get a
higher false positive rate, as there is probably more mail coming from
Windows company mailservers than from dynamic IPs. But of course, you
need to analyze if that's in your situation. If you find that the false
positives are low enough, be my guest, start blocking by OS.
Additionally, the information regarding dynamic IP ranges is readily
available. Information on IPs of Microsoft boxes is available only to
Microsoft, if at all (or, of course, vendors of other spyware running
on Windows.)
> I work for a firm and we have about 150 Debian servers installed
> to customers sites, they are connected with adsl
[...]
It would probably be a good idea to provide a mail relay to them, if the
ISP's mailserver is unusable.
[...]
> They have purchased bare adsl connectivity, why do you want force
> them to purchase also smtp service from an ISP?
Honest question: does this ADSL provider really not provide SMTP
service?
> You are following a nonexistent cause-effect link and you are
> wasting your time. For a virus writer it is a matter of an hour
> to change his code to post to the isp's smtp server instead of
> posting directly. Now you have a huge infrastructure (dynaddr
> lists) perfectly useless that does big harm to the network.
Cause-effect link doesn't matter. Correlation does. Viruses are
currently written to directly connect to the target MX, so currently
dynamic IP ranges correlate well with badly maintained spam-sending
machines.
If virus writers change, or if home users suddenly start paying
attention to basic computer security, the correlation will go away, and
so will the usefulness of dynamic IP ranges as a spam indicator.
That said, personally, I don't block on dynamic IPs - too many of my
friends run mailservers at home, so I'd be hurting myself too much.
cheers
-- vbi
(For illustration: the same argument can be made for blocking whole
countries: I don't know anybody in Brazil, or Venezuela, or China, or
Korea. Blocking those IP ranges eliminates a lot of spam. Again: there
is no cause-effect link, but still, depending on requirements, blocking
such ranges is a useful tool.)
--
Beware of the FUD - know your enemies. This week
* Patent Law, and how it is currently abused. *
http://fortytwo.ch/
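
Added example (not part of the original message): one way to do the per-site analysis the reply asks for, by replaying a hand-labelled sample of past SMTP connections against a dynamic-range list and counting how much spam the rule would have stopped and how much legitimate mail it would have rejected. The ranges (RFC 5737 documentation networks), the sample and the function names are all constructed for illustration.

```python
import ipaddress

# Constructed stand-in for a dynamic-address list (RFC 5737 documentation networks).
DYNAMIC_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed, hand-labelled sample of past connections: (client IP, was_spam).
SAMPLE = [
    ("192.0.2.10", True),
    ("192.0.2.77", True),
    ("198.51.100.5", True),
    ("198.51.100.20", False),   # legitimate mail server run on a home line
    ("198.51.100.200", True),   # spam source outside the listed ranges
    ("203.0.113.4", False),
    ("203.0.113.9", False),
    ("203.0.113.30", True),
]

def is_dynamic(ip, ranges=DYNAMIC_RANGES):
    """True if the client address falls inside any listed dynamic range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)

def evaluate(sample, ranges=DYNAMIC_RANGES):
    """Replay the sample against the rule and tally the four outcomes."""
    counts = {"spam_blocked": 0, "spam_passed": 0, "ham_blocked": 0, "ham_passed": 0}
    for ip, was_spam in sample:
        kind = "spam" if was_spam else "ham"
        outcome = "blocked" if is_dynamic(ip, ranges) else "passed"
        counts[f"{kind}_{outcome}"] += 1
    spam = counts["spam_blocked"] + counts["spam_passed"]
    ham = counts["ham_blocked"] + counts["ham_passed"]
    # Share of spam the rule stops, and share of legitimate mail it rejects.
    counts["spam_catch_rate"] = counts["spam_blocked"] / spam if spam else 0.0
    counts["false_positive_rate"] = counts["ham_blocked"] / ham if ham else 0.0
    return counts

if __name__ == "__main__":
    for key, value in evaluate(SAMPLE).items():
        print(f"{key}: {value}")
```

Re-running the same tally on a fresh sample at intervals shows whether the correlation between dynamic ranges and spam still holds for that site.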