On Sun, 3 Apr 2005, Dave Rand wrote:

> [In the message entitled "botted hosts" on Apr 3, 19:13, Petri Helenius
> writes:]
> >
> > I run some summaries about spam sources by country, AS and containing
> > BGP route.
> > These are from a smallish set of servers, the whole of March aggregated.
> > Percentage indicates incidents out of total.
> > Conclusion is that blocking 25 inbound from a handful of prefixes would
> > stop >10% of spam.
>
> This would be correct. In the bigger perspective, blocking port 25 on all
> ISPs' consumer circuits would currently stop over 99% of the spam. Yes,
> spammers would adjust to this over time. It is still a great idea to block
> port 25 by default, and unblock it on customer request.

It would probably stop 99% of ALL email, too. What, your customers don't
have email servers? But __you__ have an email server. Unblocking on customer
request is an expensive operation, for both the ISP and the customer.

> That means that if just the ISPs that we have identified as having
> "dynamically assigned" addresses were to install port 25 blocking, more than
> 1/3 of the spam would vanish.

Err, not likely. SPF came out, and now bots can find the ISPs' "closed
relays" with very little trouble at all. (Funny coincidence that SPF should
come out just as the open relay blacklists are mostly closing down.) But even
without SPF, if it were really made necessary, without doubt abusers would
include code to figure out the config files for the roughly 1000+ email
clients out there. Or perhaps bots would start to sniff packets looking for
an outgoing SMTP connection by an authorized user.

For many years I've told people (but they never seem to listen):
__Everyone__ is authorized to send email, and to have relay services, right
up until their access is terminated. Bots can use that. Schemes for blocking
port 25 assume that bots aren't upgradeable. And they frequently assume that
network operations changes are free---Comcast reported that it would cost
$58 million to implement port 25 blocking and notify customers, just for
Comcast.

On a deeper level, I discovered (it's not at proof level, but probably at
'strong conjecture' level) that results from information theory show that
spam cannot be stopped technically. I'll write it up a bit more formally,
and post a link. (And I'll see if I can carry it out to a proof.)

To summarize, I show that spam is equivalent to a covert/sneaky channel [or
rather, "sneaky channel" in the network literature and other names in other
areas of literature--e.g. "covert channel" is usually specific to multi-user
OS analysis, but the concepts are the same]. Then I show that since one
can't prove an information system is free of covert/sneaky channels, it
can't be proven free of spam either. And the conclusion is that a technical
solution to spam doesn't exist. Yes, there are things that can still be
done---one can continue to play whack-a-mole, but it never gets better than
whack-a-mole. There are still technical methods that aren't fully exploited
(text analysis for intent, Bayesian, etc.) but for each of these things,
there are countermeasures that the abuser can do to fool them.

If you want to talk information theory and spam, contact me off-list.

--Dean

--
Av8 Internet   Prepared to pay a premium for better service?
www.av8.net         faster, more reliable, better service
617 344 9000
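The per-prefix spam-source summary that Petri's quoted message describes, as an added example that is not part of the original thread: it longest-prefix-matches each spam-source address against a route table, reports each route's share of incidents, and gives the share covered by the n busiest routes (the figure behind "a handful of prefixes would stop >10%"). The route table, AS numbers and addresses are constructed sample data, not real measurements.

```python
import ipaddress
from collections import Counter

# Constructed, hypothetical route table (prefix, origin AS); a real run
# would take these from a BGP RIB dump rather than a literal list.
ROUTE_TABLE = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64501),
    ("198.51.100.128/25", 64502),  # more-specific of the /24 above
    ("203.0.113.0/24", 64503),
]

# Constructed incident list: source addresses seen sending spam in a month.
INCIDENTS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.12", "192.0.2.13",
    "198.51.100.5", "198.51.100.200", "198.51.100.201",
    "203.0.113.7", "203.0.113.8", "203.0.113.9",
]

def build_table(routes):
    """Parse prefixes once, ordered longest-prefix-first for LPM lookup."""
    parsed = [(ipaddress.ip_network(p), asn) for p, asn in routes]
    return sorted(parsed, key=lambda r: r[0].prefixlen, reverse=True)

def containing_route(ip, table):
    """Longest-prefix match: (prefix, asn) for ip, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    for net, asn in table:
        if addr in net:
            return str(net), asn
    return None

def summarize(incidents, routes):
    """Per-route share of incidents, {(prefix, asn): percent of total}."""
    table = build_table(routes)
    counts = Counter(containing_route(ip, table) for ip in incidents)
    total = sum(counts.values())
    return {k: round(100.0 * v / total, 1) for k, v in counts.items()}

def top_prefix_coverage(summary, n):
    """Share of all incidents falling in the n busiest routes, i.e. what an
    inbound port-25 block on just those prefixes would have covered."""
    return round(sum(sorted(summary.values(), reverse=True)[:n]), 1)

if __name__ == "__main__":
    s = summarize(INCIDENTS, ROUTE_TABLE)
    for route, pct in sorted(s.items(), key=lambda kv: -kv[1]):
        print(route, f"{pct}%")
    print("top 2 routes cover", top_prefix_coverage(s, 2), "%")
```

Addresses inside the /25 are attributed to it rather than to the covering /24, which is why the per-route shares reflect the announcing AS rather than the aggregate.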