On 1/9/09 10:42 PM, Yves Dorfsman said:

> It sounds like greylisting and public black lists are what you are looking
> for. Both are cheap as far as CPU goes. However they both have side-effects:
At LISA'07, Chris led an anti-spam workshop. One thing we learned is that fighting spam is a very individual process, and what works well for one site may not work at all for another. That said, there were some overall large-scale trends that did seem to be common amongst the attendees.

One such trend was that greylisting had become much less useful for most of the sites, and of course it has a non-zero cost -- there's a significant number of sites you have to whitelist past the greylisting, because the same mail server never touches the same message twice. I've configured the servers for ntp.org and python.org to use greylisting, and it does help a little. But only a little, and in the fairly near future I think we're going to reach a point where the cost simply is not justified.

I've also found that there is an inverse relationship between the reliability of a black list and the number of addresses it covers. The better quality black lists just don't cover that much. Sure, the reason they work as well as they do is that there are certain classes of spammers that consistently use the same addresses over and over again, but there's an increasing number of spammers that get around the blacklists.

What's needed is defense in depth. Use each technique for the portion of the problem space that it's good for, and don't try to stretch it beyond where it works well. Blacklists and greylisting are just two of the tools in the bag, and there are plenty of other tools you also need to be using.

Reputation systems like SenderBase are another excellent tool to consider, but I also like less conventional tools like p0f, where you can do a passive OS fingerprint of every incoming connection, and decide whether or not you want to accept a connection or score a connection as more likely to be spam, if you don't like the OS of the sender. Since most botnets are comprised of PCs running Windows, and so far as I know they do not currently make use of any methods to obscure the OS of the sender, that would be an obvious win.

The rule used to be that you used expensive rules-based or learning systems (like Bayesian classifiers) after accepting the message, because the work of trying to do that while the sender was held open was just too much. I think those days are behind us, and now you're better off using tools like milter-spamd to run those processes interactively before you make the decision to accept the message.

All of these techniques (and many more) can be implemented with relatively simple milters, and milters work with both sendmail and postfix.

-- 
Brad Knowles <[email protected]>
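As an added illustration of the greylisting cost described in the post (this is example code written for this page, not code from the post or from any of the tools it names), the policy below keys a triplet on the client's /24 so a retry from a neighbouring address in the same outbound farm still passes, while a retry from a different network is treated as a new triplet and must be whitelisted explicitly. The delay, pass lifetime, addresses and envelope values are constructed for the example.

```python
import ipaddress

# Constructed policy values for this example (not taken from the post).
GREYLIST_DELAY = 300            # seconds a new triplet must wait before a retry is accepted
GREYLIST_PASS_TTL = 36 * 86400  # how long a passed triplet stays accepted without re-greylisting


class Greylister:
    """Greylisting keyed on (client /24 or /64, envelope sender, envelope recipient).

    Keying on the network instead of the exact address tolerates small outbound
    farms whose retry arrives from a neighbouring IP. A retry from a different
    network still looks like a brand-new triplet, which is the cost the post
    describes and why such senders end up on a whitelist.
    """

    def __init__(self, delay=GREYLIST_DELAY, pass_ttl=GREYLIST_PASS_TTL, whitelist_nets=()):
        self.delay = delay
        self.pass_ttl = pass_ttl
        self.whitelist_nets = [ipaddress.ip_network(n) for n in whitelist_nets]
        self.first_seen = {}  # triplet -> time of first delivery attempt
        self.passed = {}      # triplet -> time the triplet last passed

    @staticmethod
    def _net_key(addr):
        # Collapse the client address to its /24 (IPv4) or /64 (IPv6).
        bits = 24 if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{bits}", strict=False))

    def decide(self, client_ip, mail_from, rcpt_to, now):
        """Return 'accept' or 'tempfail' for one SMTP delivery attempt made at time `now`."""
        addr = ipaddress.ip_address(client_ip)
        if any(addr in net for net in self.whitelist_nets):
            return "accept"                   # whitelisted past greylisting entirely
        key = (self._net_key(addr), mail_from.lower(), rcpt_to.lower())
        last_pass = self.passed.get(key)
        if last_pass is not None and now - last_pass < self.pass_ttl:
            self.passed[key] = now            # refresh the pass on every use
            return "accept"
        first = self.first_seen.get(key)
        if first is None:
            self.first_seen[key] = now
            return "tempfail"                 # first contact: answer 4xx and ask for a retry
        if now - first < self.delay:
            return "tempfail"                 # retried too soon, typical of spam engines
        self.passed[key] = now                # a real MTA retried after the delay
        del self.first_seen[key]
        return "accept"
```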
