Posted to users@spamassassin.apache.org by Fred T <sp...@freddyt.com> on 2008/03/10 23:30:12 UTC

Re[2]: Yet another spam blocker?

Hello Steve,

Saturday, March 8, 2008, 11:56:46 PM, you wrote:

> Now, I'm no expert on spam-bots, but it strikes me that the 'bots might want
> to remove failed addresses
> from their lists to make them more efficient.  A 550 error returned at the
> protocol level will immediately
> notify the 'bot that the addressee is bad.  Whether the 'bot then removes
> the addressee from the list
> is a matter of implementation, but if the reduction in spam directed at the
> Town that we have seen is any 
> indication, the 'bots might just function in this manner (or at least some
> of them).

This is interesting and I wonder why different sites would see
different behavior.  We see a bot attempt to deliver a message and
get rejected and then almost immediately we see the same message from
another bot get rejected.  So from our perspective we see the bots
working together to attempt to circumvent IP-based blacklists.
And we block invalid recip's and they keep sending no matter what!

We've been using SpamAssassin for 4 years and blocking during the
SMTP session (or during protocol stage as you state it) and we've
never seen a decrease in spam except for the downtime between new
versions of the malware that drives them!

I have an MRTG graph of # of spam blocked in transit and it's been
consistently 52-56k a day for years!!  I always notice a huge
decrease over the weekend and it picks up big-time during the week.
From 40k on the weekend to an average peak of 54k weekdays.


-- 
Best regards,
 Fred                            mailto:spamassassin@freddyt.com


Re: Yet another spam blocker?

Posted by mouss <mo...@netoyen.net>.
Fred T wrote:
> Hello Steve,
>
> Saturday, March 8, 2008, 11:56:46 PM, you wrote:
>
>   
>> Now, I'm no expert on spam-bots, but it strikes me that the 'bots might want
>> to remove failed addresses
>> from their lists to make them more efficient.  A 550 error returned at the
>> protocol level will immediately
>> notify the 'bot that the addressee is bad.  Whether the 'bot then removes
>> the addressee from the list
>> is a matter of implementation, but if the reduction in spam directed at the
>> Town that we have seen is any 
>> indication, the 'bots might just function in this manner (or at least some
>> of them).
>>     
>
> This is interesting and I wonder why different sites would see
> different behavior.    We see a bot attempt to deliver a message and
> get rejected and then almost immediately we see the same message from
> another bot get rejected.  So from our perspective we see the bots
> working together to attempt to circumvent IP-based blacklists.
> And we block invalid recip's and they keep sending no matter what!
>   

I also see the same zombies retrying many times with a different sender. 
I guess they have some blind retry strategy that consists of retrying 
with a different sender and/or from a different IP. I am not seeing any 
evidence of list washing.

I wanted to see if these were real retries, that is, they occur because 
the transaction is rejected, or if the bots resend whether the 
transaction is rejected or not, so I configured some of the "highly 
targeted" addresses to accept mail. I found that few spam is sent 
multiple times (so that's an automatic retry, even if the message was 
accepted) and other spam is only received once.

Given the size of a spam, it is tempting to accept and discard instead 
of rejecting. Unfortunately, this is risky (except for "obviously" 
invalid addresses).


> We've been using SpamAssassin for 4 years and blocking during the
> SMTP session (or during protocol stage as you state it) and we've
> never seen a decrease in spam except for the downtime between new
> versions of the malware that drives them!
>
> I have an MRTG graph of # of spam blocked in transit and it's been
> consistently 52-56k a day for years!!  I always notice a huge
> decrease over the weekend and it picks up big-time during the week.
> From 40k on the weekend to an average peak of 54k weekdays.
>
>
>   
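
Added example, not part of the original thread: one way to analyse the accept-versus-reject experiment mouss describes, by grouping deliveries of the same body to the same recipient and labelling each repeat by the reply the previous attempt received. The log records, the tuple layout, the body fingerprints and the 10-minute window are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Assumed layout:
# (time, client IP, envelope sender, recipient, body fingerprint, SMTP reply code)
EVENTS = [
    ("2008-03-10 10:00:00", "192.0.2.10",   "a@example.net", "info@example.org", "h1", 550),
    ("2008-03-10 10:00:40", "198.51.100.7", "b@example.net", "info@example.org", "h1", 550),
    ("2008-03-10 10:05:00", "203.0.113.5",  "c@example.net", "trap@example.org", "h2", 250),
    ("2008-03-10 10:06:00", "203.0.113.9",  "d@example.net", "trap@example.org", "h2", 250),
    ("2008-03-10 10:10:00", "192.0.2.44",   "e@example.net", "trap@example.org", "h3", 250),
    ("2008-03-10 12:00:00", "192.0.2.10",   "a@example.net", "info@example.org", "h1", 550),
]

def classify_repeats(events, window=timedelta(minutes=10)):
    """Label every repeat of the same body to the same recipient inside `window`."""
    groups = defaultdict(list)
    for ts, ip, sender, rcpt, digest, code in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        groups[(rcpt, digest)].append((when, ip, sender, code))
    findings = []
    for (rcpt, digest), attempts in groups.items():
        attempts.sort()  # chronological order within one recipient/body pair
        for prev, cur in zip(attempts, attempts[1:]):
            if cur[0] - prev[0] > window:
                continue  # too far apart to count as the same burst
            # A repeat after a 2xx reply cannot be a reaction to a rejection.
            accepted = 200 <= prev[3] < 300
            findings.append({
                "rcpt": rcpt,
                "digest": digest,
                "kind": "resend_after_accept" if accepted else "retry_after_reject",
                "new_ip": cur[1] != prev[1],
                "new_sender": cur[2] != prev[2],
            })
    return findings

def summarize(findings):
    """Count repeats per kind, to compare rejecting and accepting addresses."""
    return Counter(f["kind"] for f in findings)

if __name__ == "__main__":
    for finding in classify_repeats(EVENTS):
        print(finding)
    print(dict(summarize(classify_repeats(EVENTS))))
```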


Re: Re[2]: Yet another spam blocker?

Posted by Loren Wilton <lw...@earthlink.net>.
> I have a MRTG graph of # of spam blocked in transit and it's been
> consistently 52-56k a day for years!!  I always notice a huge
> decrease over the weekend and it picks up big-time during the week.
> From 40k on the weekend to an average peak of 54k weekdays.

I wonder if this means that the majority of zombies are actually business 
PCs rather than home PCs, and they get turned off over the weekend.

        Loren