Posted to users@spamassassin.apache.org by David Birnbaum <da...@pins.net> on 2006/12/12 16:39:52 UTC
BOT Army
Greetings,
I was reading the ideas about combating the distributed spam attacks, and I was
wondering if some combination of a razor+distribution analysis of the IP
addresses in the header would lead to a rapid identification of potentially
infected machines.
If you think about the distribution of a normal email user, it's going to look
like a very sparse matrix:
(few IPs per sender domain) -> (few recipients per recipient domain)
A big email ISP might look more like this:
(few IPs per sender domain) -> (many users per many recipient domains)
A spam army, though, is going to end up looking like this:
(many IPs per sender domain) -> (many users at many recipient domains)
If one were to take the first couple of IP addresses in the header, and do DNS
lookups of IP+recipient, the central DNS engines (not sure who or how those
would get hosted) would rapidly be able to see a new machine enter the spam
dominion and could start returning a value based on the distribution of DNS
requests.
My graph theory is rather dusty these days, but if memory serves, the
connectedness and sparseness of the graphs are pretty low-overhead to calculate
and maintain, so even at a relatively high load you could quickly start to know
which IP addresses look "different" and thus return a higher score for them.
I don't know if anyone has pursued this type of approach thus far, but I thought
I'd toss it out there and see if it stuck.
Cheers,
David.
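The sketch below is an added example (not code from the post, from SpamAssassin, or from any vendor mentioned in the thread) of the three traffic shapes described above, carried into running code. Each message contributes one edge (sending IP, sender domain, recipient domain); the tallies per sender domain are then binned into the "normal", "ISP" and "bot army" shapes, an IP gets a higher score when it sits in a bot-shaped domain and has just appeared, and a DNSBL-style query name folds the recipient domain into the reversed-octet lookup the post suggests. The thresholds for "many", the zone name `dist.example.net`, the sample traffic (RFC 5737 documentation addresses) and the trusted-relay filtering are all assumptions of this example.

```python
"""Added example: sender-IP distribution scoring for the three shapes in the post.
Thresholds, the DNS zone and the sample traffic are assumptions, not anything
SpamAssassin, Razor or DCC actually uses."""
import ipaddress
import re
from collections import defaultdict

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Assumed thresholds for "many"; a real deployment would tune these.
MANY_IPS = 5
MANY_RCPT_DOMAINS = 3

# Constructed headers for one message; 10.0.0.7 is "our" relay.
SAMPLE_HEADERS = (
    "Received: from mx1.example.org ([10.0.0.7]) by store.example.org\n"
    "Received: from mail.lottery.example ([192.0.2.7]) by mx1.example.org\n"
    "Received: from [198.51.100.9] (helo=pc-home) by mail.lottery.example\n"
)


def header_ips(headers, trusted_nets=()):
    """Sending IPs from Received: lines, newest hop first, skipping loopback and
    our own relays.  The first entries are the 'first couple of IP addresses in
    the header' the post wants to key on."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    seen = []
    for line in headers.splitlines():
        if not line.lower().startswith("received:"):
            continue
        for ip in RECEIVED_IP.findall(line):
            addr = ipaddress.ip_address(ip)
            if addr.is_loopback or any(addr in n for n in nets):
                continue
            if ip not in seen:
                seen.append(ip)
    return seen


def query_name(ip, rcpt_domain, zone="dist.example.net"):
    """DNS name for an IP+recipient lookup: reversed octets as in a DNSBL, with
    the recipient domain folded in.  The zone is hypothetical."""
    rev = ".".join(reversed(ip.split(".")))
    return f"{rev}.{rcpt_domain}.{zone}"


class SenderGraph:
    """Bipartite tallies: sender domain -> {IPs}, sender domain -> {recipient domains}."""

    def __init__(self):
        self.ips_by_domain = defaultdict(set)
        self.rcpts_by_domain = defaultdict(set)
        self.msgs_by_ip = defaultdict(int)

    def observe(self, ip, sender_domain, rcpt_domain):
        self.ips_by_domain[sender_domain].add(ip)
        self.rcpts_by_domain[sender_domain].add(rcpt_domain)
        self.msgs_by_ip[ip] += 1
        return self.shape(sender_domain)

    def shape(self, sender_domain):
        many_ips = len(self.ips_by_domain[sender_domain]) >= MANY_IPS
        many_rcpt = len(self.rcpts_by_domain[sender_domain]) >= MANY_RCPT_DOMAINS
        if many_ips and many_rcpt:
            return "botnet"   # many IPs -> many recipient domains
        if many_rcpt:
            return "isp"      # few IPs -> many recipient domains
        return "normal"       # few IPs -> few recipient domains

    def score(self, ip, sender_domain):
        """0 for ordinary shapes, 1 for an IP in a botnet-shaped domain,
        2 if that IP has only just appeared (a new machine entering)."""
        if self.shape(sender_domain) != "botnet":
            return 0
        return 2 if self.msgs_by_ip[ip] == 1 else 1


def build_sample_graph():
    """Constructed traffic: one home user, one big ISP, one ten-host bot army."""
    g = SenderGraph()
    for r in ("a.example", "b.example"):
        g.observe("203.0.113.5", "home.example", r)
    for i in range(8):
        g.observe(f"198.51.100.{1 + i % 2}", "bigisp.example", f"r{i}.example")
    for i in range(10):
        for r in ("a.example", "b.example", "c.example"):
            g.observe(f"192.0.2.{i + 1}", "lottery.example", r)
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for d in ("home.example", "bigisp.example", "lottery.example"):
        print(d, g.shape(d))
    print(header_ips(SAMPLE_HEADERS, trusted_nets=("10.0.0.0/8",)))
```

The domain-level tallies are what distinguish the ISP shape from the bot shape: both fan out to many recipient domains, so only the number of distinct sending IPs behind the sender domain separates them, which is why the score keys on that count rather than on per-IP fan-out alone.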
Re: BOT Army
Posted by Duncan Hill <sa...@nacnud.force9.co.uk>.
On Tuesday 12 December 2006 15:39, David Birnbaum wrote:
> If you think about the distribution of a normal email users, it's going to
> look like a very sparse matrix:
>
> (few IPs per sender domain) -> (few recipients per recipient domain)
>
> A big email ISP might look more like this:
>
> (few IPs per sender domain) -> (many users per many recipient domains)
>
> A spam army, though, is going to end up looking like this:
>
> (many IPs per sender domain) -> (many users at many recipient domains)
I believe Commtouch/DCC claim to do this.