Posted to users@spamassassin.apache.org by "David F. Skoll" <df...@roaringpenguin.com> on 2013/10/29 17:31:31 UTC

Outbound filtering (was Re: How to get removed from spamcop?)

On Mon, 28 Oct 2013 21:42:29 -0400 (EDT)
"John R. Levine" <jo...@iecc.com> wrote:

> But outbound filtering is far more useful when it, you know, actually
> works.

Outbound filtering is far trickier than inbound filtering.  Unless you
really want to annoy your customers, you have to hold suspect mail
(anything scoring let's say 5.0 to 8.0 or so on SpamAssassin's scale)
for review rather than rejecting outright.  Once you start having more
than a few thousand outbound users, you end up spending a lot of time
reviewing suspect mail.

We take another approach and apply per-sender rate-limits.  If a given
sender or IP sends to more than X recipients in a given window of
time, we hold all mail from that sender/IP and alert.  This has
enabled us to catch and shut down several phished accounts over the
last few months.  Rate-limiting also helps if a phished account is
used to blast out large quantities of spam that nevertheless are not
detected as spam by content filtering.

Regards,

David.

Re: Outbound filtering (was Re: How to get removed from spamcop?)

Posted by "David F. Skoll" <df...@roaringpenguin.com>.
On 29 Oct 2013 09:45:02 -0700
"Neil Schwartzman" <ne...@cauce.org> wrote:

> The difficulty with a rate-limiting approach is the criminals
> reverse-engineer it pretty quickly, and just spread the joy over
> numerous accounts.

True, though that's quite hard.  Given a user population of 10K users,
it's pretty easy to phish a handful of accounts.  It's a lot harder to
phish say 50 of them, so you can only spread the joy so much.

Additionally, we apply a (higher) rate-limit to our customer's
back-end servers to catch massive spam runs that really do come from
lots of compromised accounts.

> Generally speaking, they pretty much trickle spam out over ATOed
> accounts instead of doing it all in one fell (foul?) swoop.

Possibly, but we're not too concerned about that.  If our IPs send a
trickle of spam, we probably won't get blacklisted.  If we start
spewing like a firehose, we need to stop that quickly.

> But yeah, I think John underestimates how difficult it is to do
> outbound filtering for more than a few dozen users who expect their
> mail to be delivered immediately, for some value of immediately.

Yup.  We still get support tickets from people who send an email, call
the recipient up right away and then wonder why the email hasn't arrived
within 30 seconds. :(

Regards,

David.
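The two mechanisms David describes above, per-sender/per-IP recipient rate-limits that hold mail and alert once a window budget is exceeded, plus a separate, higher limit for a customer's back-end servers, fit in a small sliding-window counter. The following is an added example written for this thread, not code from Roaring Penguin or from any list member; the window length, the two thresholds, the back-end IP list and the sample traffic are all constructed values, and the hold/release semantics are an assumption about how such a policy hook would be wired into an MTA.

```python
"""Sliding-window outbound recipient rate-limiter (added example, constructed values).

Every outbound message is counted against two keys: the envelope sender and
the client IP.  When either key's recipient total inside the window exceeds
its budget, that key is marked held and an alert line is recorded; mail from
a held key stays held until an operator releases it after review.  Messages
from a customer's back-end server IP get a higher budget than ordinary
mailboxes, so a legitimate bulk sender is not tripped by the per-user limit.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 3600        # assumed window length
USER_LIMIT = 50              # "X recipients" for an ordinary mailbox (assumed)
BACKEND_LIMIT = 500          # higher budget for a customer's back-end server (assumed)
BACKEND_IPS = frozenset({"203.0.113.5"})   # constructed; RFC 5737 documentation address


class RecipientRateLimiter:
    def __init__(self, window=WINDOW_SECONDS, user_limit=USER_LIMIT,
                 backend_limit=BACKEND_LIMIT, backend_ips=BACKEND_IPS):
        self.window = window
        self.user_limit = user_limit
        self.backend_limit = backend_limit
        self.backend_ips = backend_ips
        self._events = defaultdict(deque)   # key -> deque of (timestamp, recipient_count)
        self._totals = defaultdict(int)     # key -> recipients still inside the window
        self.held = set()                   # keys whose mail is currently being held
        self.alerts = []                    # alert lines an operator would be paged with

    def _expire(self, key, now):
        """Drop events that have aged out of the window for this key."""
        q = self._events[key]
        while q and q[0][0] <= now - self.window:
            _, old = q.popleft()
            self._totals[key] -= old

    def window_total(self, kind, ident, now):
        """Recipients counted for (kind, ident) in the window ending at `now`."""
        key = (kind, ident)
        self._expire(key, now)
        return self._totals[key]

    def check(self, now, sender, ip, rcpt_count):
        """Record one outbound message and return "accept" or "hold"."""
        limit = self.backend_limit if ip in self.backend_ips else self.user_limit
        decision = "accept"
        for key in (("sender", sender), ("ip", ip)):
            self._expire(key, now)
            self._events[key].append((now, rcpt_count))
            self._totals[key] += rcpt_count
            if key in self.held:
                decision = "hold"          # already under review: keep holding
            elif self._totals[key] > limit:
                self.held.add(key)
                self.alerts.append(
                    f"t={now} HOLD {key[0]}={key[1]}: {self._totals[key]} recipients "
                    f"in {self.window}s exceeds {limit}")
                decision = "hold"
        return decision

    def release(self, kind, ident):
        """Operator clears a key after review (e.g. the phished password was reset)."""
        key = (kind, ident)
        self.held.discard(key)
        self._events.pop(key, None)
        self._totals.pop(key, None)


def constructed_traffic():
    """Constructed sample stream: (timestamp, sender, client_ip, recipient_count)."""
    msgs = []
    # ordinary user: three small messages
    for i in range(3):
        msgs.append((10 * i, "alice@example.org", "192.0.2.10", 2))
    # phished account: 30 messages of 2 recipients each inside one minute
    for i in range(30):
        msgs.append((1000 + i, "bob@example.org", "192.0.2.20", 2))
    # customer's back-end server: 9 bulk messages of 60 recipients each
    for i in range(9):
        msgs.append((2000 + i, "app@customer.example", "203.0.113.5", 60))
    # the ordinary user again, after her earlier messages have aged out of the window
    msgs.append((5000, "alice@example.org", "192.0.2.10", 2))
    return msgs


def run_sample():
    """Feed the constructed stream through the limiter; return (limiter, decisions)."""
    limiter = RecipientRateLimiter()
    decisions = [(sender, limiter.check(t, sender, ip, n))
                 for t, sender, ip, n in constructed_traffic()]
    return limiter, decisions


if __name__ == "__main__":
    limiter, decisions = run_sample()
    for sender, decision in decisions:
        print(f"{decision:6} {sender}")
    print("\n".join(limiter.alerts))
```

With these numbers the phished account is accepted for its first 25 messages (50 recipients) and held from the 26th on, with alerts raised for both the sender and its IP; the back-end server gets through 480 recipients before its ninth message pushes it over the 500 budget; and the ordinary user's late message is accepted because her earlier traffic has expired from the window. Keying on both sender and IP is what catches the case Neil raises of spam spread across several compromised accounts on one host, while the per-IP budget for the back-end servers is the "higher rate-limit" from the second message.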


Re: Outbound filtering (was Re: How to get removed from spamcop?)

Posted by Neil Schwartzman <ne...@cauce.org>.
On Oct 29, 2013, at 9:31 AM, David F. Skoll <df...@roaringpenguin.com> wrote:

> On Mon, 28 Oct 2013 21:42:29 -0400 (EDT)
> "John R. Levine" <jo...@iecc.com> wrote:
> 
>> But outbound filtering is far more useful when it, you know, actually
>> works.
> 
> Outbound filtering is far trickier than inbound filtering.  Unless you
> really want to annoy your customers, you have to hold suspect mail
> (anything scoring let's say 5.0 to 8.0 or so on SpamAssassin's scale)
> for review rather than rejecting outright.  Once you start having more
> than a few thousand outbound users, you end up spending a lot of time
> reviewing suspect mail.
> 
> We take another approach and apply per-sender rate-limits.  If a given
> sender or IP sends to more than X recipients in a given window of
> time, we hold all mail from that sender/IP and alert.  This has
> enabled us to catch and shut down several phished accounts over the
> last few months.  Rate-limiting also helps if a phished account is
> used to blast out large quantities of spam that nevertheless are not
> detected as spam by content filtering.


Given my experience working as the guy charged with outbound spam at a major freemail provider, I can say this:

The difficulty with a rate-limiting approach is the criminals reverse-engineer it pretty quickly, and just spread the joy over numerous accounts.

Generally speaking, they pretty much trickle spam out over ATOed accounts instead of doing it all in one fell (foul?) swoop.

But yeah, I think John underestimates how difficult it is to do outbound filtering for more than a few dozen users who expect their mail to be delivered immediately, for some value of immediately.

Emailin’ ain’t easy.