>>>>> "David" == David Saez Padros <[EMAIL PROTECTED]> writes:
 >> Spam is bad because it is the use of other people's resources
 >> without permission.
 >>
 >> Trying to block spam by using other people's resources without
 >> permission is just as bad as sending spam.

David> Does anyone have real statistics about that supposed resource
David> abuse?

What sort of statistics do you want?

In the best case (when there isn't a specific spammer actively forging
just our domain) we see about 100 times as many abusive callouts (ones
not in response to mail we sent) as legitimate/excusable callouts (ones
caused by mail that actually came from us), and about 10% of our
incoming SMTP connections are from blowback sources (callouts, C/R and
bounce blowback - we can't reliably distinguish them).

In the worst case, we've seen that 10% figure increase to 99.99% (i.e.
around 10,000 times as many blowback connections as real mail
connections).

Averaged over the past couple of years, counting all connections that
got as far as RCPT TO, _at least_ 90-95% of connections were caused by
blowback (i.e. 10 to 20 blowback connections for every real one). (It's
not the average that hurts; it's the peak load.)

David> I have never seen in years any of my servers being abused by
David> callouts

Well, lucky you. Those of us who _have_ seen it obviously have different
opinions.

David> and we had some email addresses that were spread in millions
David> of users around the world and when lots of them get infected
David> we get many more bounces than callouts.

Callouts, C/R and accept-and-bounce are all variations on a single theme
(blowback); to the third-party recipient they are mostly identical
(especially when techniques like BATV are used, resulting in all of them
being rejected at RCPT time). The recipient can't tell them apart without
actually letting in a message body (or by applying external knowledge
about the known behaviour of specific servers, such as "if it's from
sv*.verizon.net then it must have been a callout").

Nobody thinks that accept-and-bounce is acceptable any more. So why the
support for callouts and C/R? Obviously, because the people using them
see a benefit to themselves, and are happy to ignore or deny the costs
they are imposing on others -- they are parasites just as the spammers
are.

David> In the case of a server being very busy callouts can be more a
David> problem for the server doing them and as they are a
David> resource/time expensive thing to do, I suppose that almost
David> everyone doing callouts are doing them at a last stage in the
David> verification process.

Optimist.

David> In our case only 0.17% of the rejections are due to sender
David> verification failures and 99.51% of the rejections are due to
David> tests done before doing callouts. We do not have statistics on
David> accepted mail but as long as we have a whitelist with all
David> email addresses that usually send mail to our users for which
David> we do not do callouts and also taking into account exim's callout
David> cache I really doubt that callouts could be a resource problem
David> for other people.

Having a whitelist for known _legitimate_ senders does not reduce in any
way the number of _abusive_ callouts you do, by definition. The callout
cache doesn't help significantly since spammers rarely stick with a
single sender address.

-- 
Andrew, Supernews
http://www.supernews.com

-- 
## List details at http://www.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://www.exim.org/eximwiki/
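As an added illustration (not part of Andrew's post or anything from the exim-users list), the script below classifies constructed SMTP session transcripts the way a receiving server could after the fact: a null-sender session that never issues DATA looks like a callout, one that does looks like a bounce or C/R challenge, and at RCPT TO time the two are indistinguishable. It then reports the share of connections that reached RCPT TO which were blowback, the figure Andrew quotes. All session contents and addresses are made up.

```python
"""Estimate blowback load from SMTP session command sequences.

Blowback = null-sender traffic: callouts, C/R challenges and bounces.
At RCPT TO time all three look alike; only whether DATA is ever sent
separates a callout-like session from a bounce-like one afterwards."""
import re
from collections import Counter

# Constructed transcripts (client commands only), not real logs.
SESSIONS = [
    ["MAIL FROM:<alice@example.net>", "RCPT TO:<bob@example.com>", "DATA", "QUIT"],
    ["MAIL FROM:<>", "RCPT TO:<bob@example.com>", "RSET", "QUIT"],   # callout-like
    ["MAIL FROM:<>", "RCPT TO:<carol@example.com>", "DATA", "QUIT"], # bounce or C/R
    ["MAIL FROM:<>", "RCPT TO:<bob@example.com>", "QUIT"],           # callout-like
    ["MAIL FROM:<dave@example.org>", "RCPT TO:<bob@example.com>", "DATA", "QUIT"],
    ["MAIL FROM:<>", "RCPT TO:<erin@example.com>", "QUIT"],          # callout-like
    ["EHLO relay.example", "QUIT"],  # never reached RCPT TO: excluded
]


def classify(session):
    """Return None if RCPT TO was never issued, else 'legit',
    'callout-like' (null sender, no DATA) or 'bounce-like' (null sender + DATA)."""
    mail_from = next((c for c in session if c.upper().startswith("MAIL FROM:")), None)
    reached_rcpt = any(c.upper().startswith("RCPT TO:") for c in session)
    if mail_from is None or not reached_rcpt:
        return None
    null_sender = re.fullmatch(r"MAIL FROM:\s*<>", mail_from, re.I) is not None
    if not null_sender:
        return "legit"
    sent_data = any(c.strip().upper() == "DATA" for c in session)
    return "bounce-like" if sent_data else "callout-like"


def blowback_stats(sessions):
    """Count classes over sessions that reached RCPT TO and derive the
    blowback share and the blowback-per-real-connection ratio."""
    counts = Counter(c for c in map(classify, sessions) if c is not None)
    rcpt_total = sum(counts.values())
    blowback = counts["callout-like"] + counts["bounce-like"]
    real = counts["legit"]
    return {
        "counts": dict(counts),
        "rcpt_total": rcpt_total,
        "blowback_share": blowback / rcpt_total if rcpt_total else 0.0,
        "blowback_per_real": blowback / real if real else float("inf"),
    }


if __name__ == "__main__":
    print(blowback_stats(SESSIONS))
```

With the constructed sessions, four of the six connections that reached RCPT TO are blowback (two blowback connections per real one); note that the three null-sender sessions that never send DATA are only identifiable as callout-like once they have already consumed the RCPT stage.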
