[lug] Stopping the New Generation of Spam

Ken MacFerrin lists at macferrin.com
Mon Dec 4 23:43:22 MST 2006


Daniel Webb wrote:
> On Mon, Dec 04, 2006 at 04:38:11PM -0700, Daniel Webb wrote:
> 
>> But assuming the SMTP server isn't totally broken, the sender's mail server
>> will send them a bounce message letting the sender know that the message
>> didn't go through, right?  The ones that scare me are the "silent" ones where
>> the sender sends the email, SpamAssassin tags it spam and I delete it without
>> looking at it.  The sender has no way to know that their message was deleted
>> as spam.  With greylisting, they should get a bounce so that they can contact
>> you another way.  Same if you move all spam filtering to SMTP-time: the sender
>> always knows if their message was not delivered.  I like that property a lot.
> 
> [replying to myself again]
> 
> But on the negative side, I can imagine that any kind of trained filter can
> not be used at SMTP-time because the spammers will have a nice fast feedback
> loop to poison the filters or avoid them.  I think you could only use the
> content-neutral techniques at SMTP-time, like DNS blacklists, HELO checks, and
> greylisting.
> 

Theoretically you're correct, but in the "real world" SMTP-time
filtering works fairly well because your average spammer is spewing this
stuff as quickly as possible using zombie machines, open relays and
temporary servers connected through dishonest ISPs.  It would be unusual
for one to spend the effort to specifically try to "traffic shape" their
spam just to beat your specific filter.  Additionally, most of the return
addresses are invalid or joe-jobbed anyway so they don't even see the
responses.

The real drawback to SMTP-time filtering is the increased exposure for a
denial of service attack.  Each SMTP session remains open until the
filter makes a decision so a DoS on your SMTP service (or even the
server itself depending on your limit settings) becomes much easier.

-Ken
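
The two points in this thread, combined in one added example that is not part of the original message: a content-neutral SMTP-time gate that caps open sessions (the limit settings mentioned above) and greylists with a temporary 4xx reply, so a legitimate sending server retries or eventually bounces back to its user. The class name, thresholds and reply texts are assumptions made for illustration, not taken from any particular mail server.

```python
import ipaddress

class SmtpTimeGate:
    """Content-neutral SMTP-time policy: session caps plus greylisting."""

    def __init__(self, max_sessions=100, max_per_ip=3, min_delay=300,
                 retry_window=4 * 3600, pass_lifetime=30 * 86400):
        # All thresholds are illustrative defaults (seconds / session counts).
        self.max_sessions, self.max_per_ip = max_sessions, max_per_ip
        self.min_delay, self.retry_window = min_delay, retry_window
        self.pass_lifetime = pass_lifetime
        self.open = {}        # client IP -> number of open sessions
        self.first_seen = {}  # triplet -> time of first delivery attempt
        self.passed = {}      # triplet -> expiry time of its pass entry

    def connect(self, ip):
        """Return None to proceed, or a 421 reply when a cap is reached."""
        if sum(self.open.values()) >= self.max_sessions:
            return "421 4.3.2 Too many connections, try again later"
        if self.open.get(ip, 0) >= self.max_per_ip:
            return "421 4.7.0 Too many connections from your host"
        self.open[ip] = self.open.get(ip, 0) + 1
        return None

    def disconnect(self, ip):
        """Release the session slot taken in connect()."""
        if self.open.get(ip, 0) <= 1:
            self.open.pop(ip, None)
        else:
            self.open[ip] -= 1

    def rcpt(self, ip, sender, recipient, now):
        """Greylist decision at RCPT TO: dictionary lookups only, so the
        session is never held open waiting on a slow content filter."""
        # Group retries from one sending pool by /24 (assumes IPv4).
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        key = (str(net), sender.lower(), recipient.lower())
        if self.passed.get(key, 0) > now:
            return "250 2.1.5 Ok"
        first = self.first_seen.get(key)
        if first is None or now - first > self.retry_window:
            self.first_seen[key] = now  # new or stale triplet: start the clock
            return "451 4.7.1 Greylisted, please retry later"
        if now - first < self.min_delay:
            return "451 4.7.1 Greylisted, please retry later"
        self.passed[key] = now + self.pass_lifetime
        return "250 2.1.5 Ok"
```

Every rejection here is a 4xx reply given during the SMTP session, so no message is dropped silently, and the per-host and global caps bound how many sessions a single source or a flood can keep open.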


