John Rudd wrote:

> Except that the more they flex their zombies, the more attention it
> draws to the zombie's real owner that something is wrong with their
> computer and needs to be fixed.

Uh..... The zombie's real owner is most likely an unsophisticated Windows user who wouldn't have a clue that anything's wrong. They just consider it normal that their machine gets slower and slower as time goes by until the next "scheduled" wipe-and-reinstall. :-)

> Plus, a huge percentage of the machines that show up in my logs for "got
> whacked by greet_pause" are the very sorts of dynamic addresses you'd
> expect to see with a zombie ... not the unsophisticated channels you
> mention.

I agree.

> If the sophisticated spammers aren't vulnerable to things like
> greet_pause, why are they still getting caught by the greet_pause?

Well, there are varying degrees of sophistication. However, the general trend for malware is for it to move towards greater and greater sophistication.

I look at the problem the way a cryptographer looks at cryptography: You can't really trust a cryptographic algorithm until it can withstand an attack involving arbitrary amounts of chosen plaintext. So I look for anti-spam technology that's effective even in the face of sophisticated attackers.

I'm not saying greet_pause or greylisting are useless... you might as well keep using them to get the low-hanging fruit. But I predict they will become less useful in future.

> Last, I don't worry about them hitting my machines with 10's or 100's of
> connections per zombie (parallelizing their attempts within a given
> zombie). For non-trusted mail relays, I limit the number of connections
> to 2.

Right, the parallelization I mentioned is against multiple targets also. Let's say a spammer needs to send 1,000,000 e-mails to people in 1,000 domains, and the largest domain contains 5,000 victims. If *each* domain's MX machine limits the spammer to sending one e-mail every 10 seconds, he can still send all 1,000,000 e-mails in around 14 hours, or at an effective rate of 20 messages/second.

Regards,

David.
_______________________________________________
MIMEDefang mailing list
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang

