
Re: Which Spam Block List to use for a network?



On Tuesday 22 June 2004 11.37, Niccolo Rigacci wrote:

> You say that because unwanted mail comes often from a dynamic
> address, you will block all dynamic addresses. What do you think
> if I block all the mail originated from a Windows machine, simply
> because many Windows machines are infected and send viruses/spam?

Blocking spam is all about maximizing false negatives while minimizing 
false positives while spending as little effort as possible on the 
problem.

As it happens, blocking dynamic IP ranges does this to some extent. 
Blocking mail from Windows machines probably would get the false 
negatives up quite some way, but unfortunately would probably get a 
higher false positive rate, as there is probably more mail coming from 
Windows company mailservers than from dynamic IPs. But of course, you 
need to analyze if that's the case in your situation. If you find that 
the false positives are low enough, be my guest, start blocking by OS.

Additionally, the information regarding dynamic IP ranges is readily 
available. Information on IPs of Microsoft boxes is available only to 
Microsoft, if at all (or, of course, vendors of other spyware running 
on Windows.)

> I work for a firm and we have about 150 Debian servers installed
> at customers' sites, they are connected with ADSL
[...]

It would probably be a good idea to provide a mail relay to them, if the 
ISP's mailserver is unusable.
[...]

> They have purchased bare adsl connectivity, why do you want force
> them to purchase also smtp service from an ISP?

Honest question: does this ADSL provider really not provide SMTP 
service?

> You are following a nonexistent cause-effect link and you are
> wasting your time. For a virus writer it is a matter of an hour
> to change his code to post to the ISP's SMTP server instead of
> posting directly. Now you have a huge infrastructure (dynaddr
> lists) perfectly useless that does big harm to the network.

Cause-effect link doesn't matter. Correlation does. Viruses are 
currently written to directly connect to the target MX, so currently 
dynamic IP ranges correlate well with badly maintained spam-sending 
machines.

If virus writers change, or if home users suddenly start paying 
attention to basic computer security, the correlation will go away, and 
so will the usefulness of dynamic IP ranges as a spam indicator.

That said, personally, I don't block on dynamic IPs - too many of my 
friends run mailservers at home, so I'd be hurting myself too much.

cheers
-- vbi

(For illustration: the same argument can be made for blocking whole 
countries: I don't know anybody in Brazil, or Venezuela, or China, or 
Korea. Blocking those IP ranges eliminates a lot of spam. Again: there 
is no cause-effect link, but still, depending on requirements, blocking 
such ranges is a useful tool.)

-- 
Beware of the FUD - know your enemies. This week
    * Patent Law, and how it is currently abused. *
http://fortytwo.ch/
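As an added illustration (not part of vbi's message or the thread): the tradeoff vbi describes, spam caught versus legitimate mail rejected, scored for a "reject SMTP clients in a dynamic range" rule over a small labelled sample. The CIDR ranges, the client addresses and their spam/ham labels, and the `dynamic.example` zone are all constructed for this example and do not come from any real block list or log.

```python
import ipaddress

# Constructed dynamic-address ranges standing in for a "dynamic IP" list.
# These CIDRs are hypothetical and not taken from any real block list.
DYNAMIC_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.128/25"),
]

# Constructed sample of SMTP client addresses, each labelled with whether the
# message it delivered turned out to be spam. Not real log data.
SAMPLE_CONNECTIONS = [
    ("203.0.113.17", True),     # infected home PC on a dynamic address
    ("203.0.113.200", True),    # another infected home PC
    ("198.51.100.130", True),   # infected box in the dynamic half of the /24
    ("198.51.100.140", False),  # a friend's home mail server on a dynamic line
    ("192.0.2.10", False),      # company mail server on a static address
    ("192.0.2.25", True),       # spam relayed through a static host
    ("192.0.2.40", False),      # legitimate static sender
    ("198.51.100.5", False),    # legitimate sender in the static half of the /24
]


def in_dynamic_range(ip, ranges=DYNAMIC_RANGES):
    """True if ip falls inside one of the listed dynamic ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def dnsbl_query_name(ip, zone):
    """Build the name a DNS-based block list is queried with: the IPv4 octets
    reversed, followed by the list's zone (17.113.0.203.<zone> for
    203.0.113.17). No lookup is performed; this only shows the construction.
    The zone is whatever list you subscribe to (hypothetical here)."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("only IPv4 is shown in this example")
    return ".".join(reversed(ip.split("."))) + "." + zone.rstrip(".")


def evaluate_rule(connections, ranges=DYNAMIC_RANGES):
    """Score the rule 'reject SMTP clients in a dynamic range' against labelled
    traffic. Returns the four counts plus the two rates the tradeoff hinges
    on: spam_caught_rate (share of spam rejected) and false_positive_rate
    (share of legitimate mail rejected)."""
    tp = fp = fn = tn = 0
    for ip, is_spam in connections:
        blocked = in_dynamic_range(ip, ranges)
        if blocked and is_spam:
            tp += 1          # spam rejected
        elif blocked:
            fp += 1          # legitimate mail rejected (the cost)
        elif is_spam:
            fn += 1          # spam let through
        else:
            tn += 1          # legitimate mail let through
    spam_total = tp + fn
    ham_total = fp + tn
    return {
        "spam_blocked": tp,
        "ham_blocked": fp,
        "spam_passed": fn,
        "ham_passed": tn,
        "spam_caught_rate": tp / spam_total if spam_total else 0.0,
        "false_positive_rate": fp / ham_total if ham_total else 0.0,
    }


if __name__ == "__main__":
    for key, value in evaluate_rule(SAMPLE_CONNECTIONS).items():
        print(f"{key}: {value}")
    print("DNSBL query name for 203.0.113.17:",
          dnsbl_query_name("203.0.113.17", "dynamic.example"))
```

Feeding your own labelled traffic into `evaluate_rule` is the "analyze your situation" step: the rule is only worth keeping while `spam_caught_rate` stays high and `false_positive_rate` stays at a level you can live with. Swapping the ranges for a country allocation gives the same measurement for the per-country blocking mentioned in the postscript.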
