[lug] Stopping the New Generation of Spam

[Daniel Webb]

On Mon, Dec 04, 2006 at 11:43:22PM -0700, Ken MacFerrin wrote:

> Theoretically you're correct, but in the "real world" SMTP-time
> filtering works fairly well because your average spammer is spewing this
> stuff as quickly as possible using zombie machines, open relays and
> temporary servers connected through dishonest ISPs.  It would be unusual
> for one to spend the effort to specifically try to "traffic shape" their
> spam just to beat your specific filter..  

Yes, that's true.  As long as a majority of servers aren't doing this they
won't bother.  I'll bet they would if their delivery and conversion rates
start dropping though.  They seem to be adapting as greylisting becomes more
prevalent (although that may just be me, I don't know if that experience is
universal).  They are going to lengths now that I doubt many would have
expected a few years ago, like poisoning Bayesian filters and running zombie
nets of Windows machines because the blacklists were hurting them.

> additionally, most the return addresses are invalid or joe-jobbed anyway so
> they don't even see the responses.

Been a while since I played at the SMTP level, but couldn't they do this even
with a false return address?  The error is during the SMTP session itself so
the sending server decides what to do with it.  I'll bet I could whip up
something in Python that would close the feedback loop and bypass filters in a
few weeks.
 
> The real drawback to SMTP-time filtering is the increased exposure for a
> denial of service attack.  Each smtp session remains open until the filter
> makes a decision so a DOS on your SMTP service (or even the server itself
> depending on your limit settings) becomes much easier.

That makes sense, although it's not an issue for me.  I'll have to look into
doing this.  It would basically whack my spam to zero without worrying about
silent false positives.