as much as i would like to go undercover :o), the problem is that open relays are really a small part of the spam that is sent. true, they represent some of the lower forms of life, but in terms of being an annoyance to end users they are but a fraction of the overall volume. here are some mail stats from one of my servers:

blacklists
----------
ordb.org:          7
njabl.org:         91
spamhaus.org:      22
dsbl.org:          27

bad etiquette
-------------
attempted relays: 2
improper domain: 1
other: 0

summary
-------
total mail: 879
total rejected: 150
percent rejected: 17%



the blacklisting sites are listed in the order that they are consulted by my mail server. note: ordb.org is a pure open relay database. therefore, out of the 150 e-mail that have been rejected as spam via blacklisting only 7 of them were blocked as a result of being used by a known open relay. also of interest is that even after consulting with the rbl sites (and throwing out 20% of incoming e-mail right off the bat!) i still received another 50 or so spam messages during this period that were caught by an upstream [content based] filter.


open relays are an issue, but a small fish in a big pond (and growing smaller).

for my money, the best time spent is following the *pattern* based filters and working on ways to share that information amongst others of like interest. a good start would be a site dedicated to the sharing of procmail recipes, bayesian formulas, etc.

ok, i think i am up to four cents now. :o)

b

Jerome Lacoste (Frisurf) wrote:
This reminds me of people trying to infiltrate mafia/drug dealers. It
takes years, and they are probably asked to do some bad things before
they are able to catch the big fishes. At least that's what's happening in
movies :)

If we try to follow the same principle, some kind of authority should
decide to plant infiltrated open relays. They should act as normal open
relays from a spammer's point of view, deliver the emails (even if it's not
legal), but giving back important information.

I am sure this has been discussed in other places, I understand the
non-legality, but when you see the number of open relays, one more will
not add too much to the traffic, but if it helps taking legal or
technical action faster against big spammers, that may help.

But accepting to do so raises some interesting philosophical questions. I
wonder how exactly these kinds of things happen with other kinds of
infiltrations?
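
Added example, not part of the original thread: a sketch of ordered blacklist consultation with first-hit attribution, which is how per-list counts like the ones in the stats above come about. It assumes the server stops at the first list that matches; the list names from the post are used as zone suffixes for illustration (real query zones may differ), and the resolver data and client addresses are constructed.

```python
import ipaddress
from collections import Counter

# List names as written in the post, in consultation order. Used here as
# zone suffixes for illustration only; the real query zones may differ.
ZONES = ["ordb.org", "njabl.org", "spamhaus.org", "dsbl.org"]

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def first_listing(ip, zones, is_listed):
    """Return the first zone that lists ip, or None. Stops at the first hit."""
    for zone in zones:
        if is_listed(dnsbl_name(ip, zone)):
            return zone
    return None

def tally(ips, zones, is_listed):
    """Credit each rejected client to the first list that matched it."""
    counts = Counter({zone: 0 for zone in zones})
    accepted = 0
    for ip in ips:
        zone = first_listing(ip, zones, is_listed)
        if zone is None:
            accepted += 1
        else:
            counts[zone] += 1
    return dict(counts), accepted

# Constructed resolver data (documentation address ranges) standing in for DNS.
LISTED = {
    dnsbl_name("192.0.2.10", "ordb.org"),
    dnsbl_name("192.0.2.10", "njabl.org"),    # same client on two lists
    dnsbl_name("198.51.100.7", "njabl.org"),
    dnsbl_name("203.0.113.5", "spamhaus.org"),
    dnsbl_name("203.0.113.5", "dsbl.org"),
}
CLIENTS = ["192.0.2.10", "198.51.100.7", "203.0.113.5", "203.0.113.99"]

def stub_resolver(name):
    """Hypothetical stand-in for a DNS A-record lookup of the query name."""
    return name in LISTED

if __name__ == "__main__":
    print(tally(CLIENTS, ZONES, stub_resolver))
    print(tally(CLIENTS, list(reversed(ZONES)), stub_resolver))
```

Under first-hit attribution the list consulted first is credited with every client it lists, while later lists are credited only with what the earlier ones missed; reversing the order moves the overlapping client's credit to a different list.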


