Posted to users@spamassassin.apache.org by mouss <us...@free.fr> on 2006/04/11 21:52:10 UTC

relay distance and spam [was xxxl spam]

Mark Martinec wrote:
>   http://www.ijs.si/software/amavisd/fig1.gif
>     Spam score vs. IP distance in hops (our server is
>     in European academic network Geant)
> 

This one is amazing. There seems to be an empty space (most mail has 
nhops <= 10 or >= 14). I would "guess" that most ham with large nhops is 
from mailing lists. So the question is what would be the graphic if you 
take into account:
- mailing lists forwarding
- multiple "internal" hops at either sender or receiver (I have N 
Received headers added by my own MTA. And for mail fetched from an MSP, 
there are still more....).

I would conjecture that most legitimate mail has two "real" hops (the 
sending MTA and the receiving MTA).

Re: relay distance and spam [was xxxl spam]

Posted by Mark Martinec <Ma...@ijs.si>.
On Tuesday April 11 2006 23:17, Kelson wrote:
> mouss wrote:
> > - multiple "internal" hops at either sender or receiver (I have N
> > Received headers added by my own MTA. and for mail fetched from an MSP,
> > there are still more....).
>
> Actually, if I'm reading this right, it's the number of IP hops between
> the sending server and the receiving server -- in other words, how many
> lines you'd see if you were on the receiving server and ran traceroute
> to the sending MTA.

Exactly. It is usually the number of hops a traceroute running on the MTA
would show when tracing the route to the host from which it is receiving a 
message. (I say usually, because routes can be asymmetric, and we are 
actually observing the remaining TTL field value in the IP packet, taking
into account an educated guess on the initial setting, based on the detected
OS type).

Btw, a horizontal spread of 1 unit (in fig1) is an artificial white noise
added to spread numerous dots somewhat for a better view.

I guess we are somewhat lucky seeing a rather clear-cut separation of
nearby friendly and distant wild-world hosts, and can use IP distance to 
contribute a little score weight on distant hosts and subtract a little
for nearby hosts.

  Mark

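The TTL-based distance estimate and the small score contribution Mark describes, as an added example in Python (not the thread's or amavisd's code); the initial-TTL table, the 10/14 hop thresholds taken from mouss's reading of fig1, the weights and the sample addresses are all assumptions made for the example:

```python
# Added example, not amavisd code: infer the IP hop distance of a sending
# host from the remaining TTL seen on its packets, then weight it a little.

# Initial TTL values commonly set by operating systems (assumption: the
# sender used one of these; an unusual stack will be mis-estimated).
INITIAL_TTLS = (32, 64, 128, 255)


def guess_initial_ttl(observed_ttl: int) -> int:
    """Educated guess of the sender's starting TTL: the smallest common
    initial value that is not below what we observed. A host that is more
    than 32 hops away from a 64-start can be mistaken for a 32-start host
    a few hops away, so this is a guess, as Mark says, not a measurement."""
    if not 1 <= observed_ttl <= 255:
        raise ValueError("IP TTL must be in 1..255")
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    return 255


def ip_distance(observed_ttl: int) -> int:
    """Routers crossed on the way to us, under the initial-TTL guess.
    This is the path towards us; the route back may differ (asymmetry)."""
    return guess_initial_ttl(observed_ttl) - observed_ttl


def distance_score(hops: int, near: int = 10, far: int = 14) -> float:
    """Subtract a little for nearby hosts, add a little for distant ones,
    nothing for the gap in between. Thresholds are an assumption taken from
    the empty band mouss read off fig1; the +/-0.5 weights are illustrative."""
    if hops <= near:
        return -0.5
    if hops >= far:
        return 0.5
    return 0.0


# Constructed sample: (sender IP, remaining TTL seen on its SYN packet).
SAMPLES = [("192.0.2.10", 61), ("198.51.100.7", 116), ("203.0.113.99", 236)]


def score_samples(samples=SAMPLES):
    """Map each sender to (estimated hops, score contribution)."""
    return {ip: (ip_distance(ttl), distance_score(ip_distance(ttl)))
            for ip, ttl in samples}


if __name__ == "__main__":
    for ip, (hops, score) in score_samples().items():
        print(f"{ip:15} hops={hops:3d} score={score:+.1f}")
```

Note that this counts routers, not MTAs, which is the distinction Kelson draws below: a message relayed through three mail servers can still show a dozen IP hops on its last leg.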
Re: relay distance and spam [was xxxl spam]

Posted by Kelson <ke...@speed.net>.
mouss wrote:
> - multiple "internal" hops at either sender or receiver (I have N Received
> headers added by my own MTA. and for mail fetched from an MSP, there are
> still more....).

Actually, if I'm reading this right, it's the number of IP hops between
the sending server and the receiving server -- in other words, how many
lines you'd see if you were on the receiving server and ran traceroute 
to the sending MTA.

I've rarely seen any messages that passed through more than 5 MTAs --
certainly not enough to account for the graph.  But 10 routers between 
me and the sender?  That doesn't seem unreasonable at all.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>