On Thu, Jan 04, 2007 at 07:53:45PM +0530, Suresh Ramasubramanian wrote:

> When you run something larger than a toy network, you don't prick

If users pay for the traffic passing through the interface in full, it stops being your problem and becomes theirs. It's perfectly possible to use a combination of established techniques to make the problem 99.9% invisible, and in fact it has been that way since the first spam. If users are unwilling, unable or too cheap to have someone set up a local filter for them, they will migrate to communication methods less susceptible to abuse. It doesn't matter what they use, while they still buy service from you.

Spam is traffic, and if traffic passes your infrastructure, you're making a buck for each GByte, being just a content-agnostic transporter. I don't want the transport layer to start guessing what I want. The guesses are usually worse than useless. The network intelligence is cheapest and most bountiful at the periphery, in fact, best being owned and operated by the user.

> yourself in the foot in a pin, even if it blows a big hole in the other
> guy's foot. Too many "other guys", and it's your only pair of feet.

If you're running central installations prone to becoming hotspots, you're setting yourself up for a world of pain. If it hurts, you shouldn't be doing it. If a user has to run his own mail server on his own address, he will be the first to notice when that address suddenly starts getting bounces, and call your tech support, which will be happy to sell him an antizombie package, or a hardened system, all for a price, of course.

> Yeah. Problem is separating it from legitimate email coming from that
> same corner of the net. If I could firewall out say 61/8 I'd get rid of
> a ton of spam. And also get rid of a ton of legit email as well.

One customer, one IP (if there's not enough, here's a major incentive to move to IPv6), one firewall, one filter. If they want a cheap and dumb solution for themselves, they can firewall off whole regions. If they don't, they can pay somebody (e.g. you) to use that information for a greylist tarpit, a whitelist, a content filter, or something even more fancy. The fancier, the more work, the pricier. Spammers are creating new product niches for you. It's your job to fill them.

> And how distributed IS the spam? Quite a lot actually, with some
> obvious spikes from sources. Rather more distributed than I'd feel
> comfortable with supporting your assertion.

How many zombies are active at a given time on the network? Only a few tens of millions. What is the half-life of a zombie IP? Minutes to years, with the peak probably somewhere in the hour range. If you can't send more than a few spams from that IP without it being listed within a minute or less, you effectively can't reach people who use the above set of defenses.

> Here's by AS:
>
> 4134 (Chinanet) 7.61%
> 4837 (China Netcom) 5.05%
> 4766 (Korea) 4.22%
> 6147 (Telefonica Peru) 2.34%

The point is that the machine can't do IP hopping on a scale of seconds without becoming useless to its owner. The zombie IP cloud doesn't have a lot of churn, and whatever churn there is, the next IP issued is not far from the original, typically.

> and then various others (TDE Spain, TPNet Poland, TTNet Turkey, Verizon,
> AtHome Benelux, Servint, Proxad DSL, etc) having 1 to 2 percent each
>
> Countrywise - US 25.85%, China 17.68%, Korea 6.73%, Russia 3.83%, Poland
> 3.61%, France 3.12%, Spain 3.04%, and then Romania, HKG, India, Japan,
> Taiwan, the UK etc falling between 1 and 2 percent.

All good points, but not addressing the things I meant.

-- 
Eugen* Leitl <leitl> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE