From: "MennovB" <[EMAIL PROTECTED]>
jdow wrote:
Menno, if the Earthlink "progressive delays" strategy is adopted then even spam relayed through ISPs becomes time expensive.

Personally I don't believe much in delaying/throttling, there are so many zombies that it's just a matter of dispersing the load intelligently. I can see in my mail logs in the rejects that tactics like that are used, many of the same spam arrives at the same moment on our server coming from different addresses all over the world. And each zombie picks another one of our mail addresses that got on a spamlist. But there is also a spambot version that uses a kind of burst mode, in about 1 minute it spams all addresses on the spamlist at top speed and then that zombie is (until now) never used again, so blocking it on IP is somewhat useless. Maybe throttling that one can help a little, but not very much I think.
One nice thing about throttling is that it gives the BLs more time to list the spam engine/zombie. Every little bit helps. (Add some real AI to the picture and you can figure out a user's email profile and look for changes. The trick is to distinguish "user home sick" from "machine sick with zombie disease". I suspect it can be done. Of course, if the email pattern for a user is violated then divert a copy of the email, run it through something like SpamAssassin, and discard it. If it hits as positive spam then shut down the user's connection to get their attention. (Use routers to force EVERYTHING to a support web site with the message that "Your machine is sending spam. It may be infected. Please communicate with the support people for help fixing the problem."))
jdow wrote:
Add to that smtp-auth pointing directly to the perpetrator and Earthlink has a clear excuse to block email except to their help desk or even to block all Internet access except to a page of their own suggesting that the perpetrator or malware on the perpetrator's machine is spewing spam and the situation should be remedied. "Help can be found here...." Of course, then if you have the spammer friendly ISPs and registrars in the picture it's all null and void. Something I do not know and suspect is REALLY hard to ascertain until recently when Earthlink went smtpauth only, is how much REAL spam actually does originate from Earthlink servers. If there is much they are certainly canny enough not to spam Earthlink customers for some reason.

I have no knowledge about the Earthlink situation, is direct SMTP blocked? By the way here dialup/dynamic addresses are becoming a rarity (or at least you keep your address for several months even on dynamic cable) so mostly you don't need SMTP-auth to find the spammer. There is very little spam coming in here from Earthlink, the last one (that is detected) is from July the 28 coming directly from a cable.earthlink.net address advertising an erotic site. So I guess this means direct SMTP is still possible, too bad IMHO..
At present it appears Verizon, the DSL provider here, may have port 25
blocked here. Their email servers do NOT accept user email to port 25,
I believe. Nope - can't access it, whether due to the Verizon block or
their servers not accepting the connection. 587 with authentication works
just fine.
The direct in that case is probably the fault of the underlying cable
provider more than Earthlink. Did the spam come through the Earthlink
servers or merely from an address that claimed to be Earthlink? By the
way, there is no such address as "cable.earthlink.net". The address
may have been spoofed.
{^_^}
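
The burst-mode pattern described in the thread above (one zombie hitting every listed address within about a minute), as an added detection sketch that is not part of the original messages. The reject-log format, the addresses and the thresholds are constructed assumptions; adapt the parser to your MTA's real log lines.

```python
from collections import defaultdict
from datetime import datetime

# Constructed reject-log lines; the format and all addresses are assumptions.
SAMPLE_LOG = """\
2006-08-01T10:00:01 reject client=198.51.100.7 rcpt=alice@example.org
2006-08-01T10:00:09 reject client=198.51.100.7 rcpt=bob@example.org
2006-08-01T10:00:20 reject client=198.51.100.7 rcpt=carol@example.org
2006-08-01T10:00:41 reject client=198.51.100.7 rcpt=dave@example.org
2006-08-01T10:05:00 reject client=192.0.2.10 rcpt=alice@example.org
2006-08-01T10:05:01 reject client=192.0.2.77 rcpt=bob@example.org
2006-08-01T10:05:03 reject client=203.0.113.5 rcpt=carol@example.org
2006-08-01T11:00:00 reject client=203.0.113.99 rcpt=dave@example.org
"""

def parse(log):
    """Return sorted (timestamp, client_ip, recipient) tuples, skipping bad lines."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[1] != "reject":
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        try:
            events.append((datetime.fromisoformat(parts[0]), fields["client"], fields["rcpt"]))
        except (KeyError, ValueError):
            continue
    return sorted(events)

def burst_senders(log, window=60, min_rcpts=4):
    """Map IP -> most distinct recipients it hit within any `window` seconds."""
    by_ip = defaultdict(list)
    for ts, ip, rcpt in parse(log):
        by_ip[ip].append((ts, rcpt))
    flagged = {}
    for ip, ev in by_ip.items():
        start = best = 0
        for end in range(len(ev)):
            # Slide the window start forward until it spans at most `window` seconds.
            while (ev[end][0] - ev[start][0]).total_seconds() > window:
                start += 1
            best = max(best, len({r for _, r in ev[start:end + 1]}))
        if best >= min_rcpts:
            flagged[ip] = best
    return flagged
```

On the sample, only the single address that walks the recipient list is flagged; the three hosts that each try one recipient at the same moment stay below a per-IP threshold, which is the dispersed pattern a per-IP throttle does not catch.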
