Just saw this on Slashdot:

<http://www.technologyreview.com/communications/23086/page1/>

If I understand it correctly, there are two methods they use to identify a spamming host:

1) They compare the geodesic distance of the sender's IP address from senders of previous spam and from the receiver. Spam senders tend to cluster together and be far from the recipient.

2) They look at how many open ports are on the sender. (Few ports indicate a bot-controlled zombie spammer.)

I'm wondering how hard it would be to implement this inside MD, perhaps passing the result as tokens in custom headers to SpamAssassin for scoring. Both operations look potentially expensive, and port-scanning the sender means all our legitimate senders will soon see regular port scans.
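
The first method described above, as an added example that is not part of the original message and not MIMEDefang's own code: it computes the sender's great-circle distance to the recipient and to the nearest previously seen spam sender, then reduces each to a coarse token suitable for a custom header. The header names, bucket thresholds and coordinates are assumptions constructed for illustration; the GeoIP lookup that would supply real coordinates is left out.

```perl
#!/usr/bin/perl
# Added example. Coordinates are constructed sample data; a real filter
# would obtain them from a GeoIP lookup of the relay address.
use strict;
use warnings;

my $EARTH_KM = 6371;                 # mean Earth radius
my $PI       = 4 * atan2(1, 1);

# Haversine distance in km between two [lat, lon] points given in degrees.
sub geo_km {
    my ($p, $q) = @_;
    my ($lat1, $lon1, $lat2, $lon2) = map { $_ * $PI / 180 } (@$p, @$q);
    my $h = sin(($lat2 - $lat1) / 2) ** 2
          + cos($lat1) * cos($lat2) * sin(($lon2 - $lon1) / 2) ** 2;
    $h = 1 if $h > 1;                # guard against rounding past 1
    return 2 * $EARTH_KM * atan2(sqrt($h), sqrt(1 - $h));
}

# Coarse buckets (hypothetical thresholds) keep header values easy to match.
sub bucket {
    my ($km) = @_;
    return 'UNKNOWN' unless defined $km;
    return $km < 500 ? 'NEAR' : $km < 3000 ? 'MID' : 'FAR';
}

# Returns (header name => token) pairs for one sender; names are hypothetical.
sub geo_tokens {
    my ($sender, $recipient, $spam_senders) = @_;
    return ('X-Geo-Rcpt-Dist' => 'UNKNOWN', 'X-Geo-Spam-Dist' => 'UNKNOWN')
        unless $sender;              # no geolocation available for this IP
    my $nearest;
    for my $s (@$spam_senders) {
        my $d = geo_km($sender, $s);
        $nearest = $d if !defined $nearest || $d < $nearest;
    }
    return ('X-Geo-Rcpt-Dist' => bucket(geo_km($sender, $recipient)),
            'X-Geo-Spam-Dist' => bucket($nearest));
}

my $recipient = [45.42, -75.70];     # constructed recipient location
my @spam_seen = ([55.75, 37.62], [55.80, 37.50], [39.90, 116.40]);
my %senders   = ('near-recipient' => [43.65, -79.38],
                 'near-cluster'   => [55.70, 37.70],
                 'no-geo-data'    => undef);
for my $name (sort keys %senders) {
    my %t = geo_tokens($senders{$name}, $recipient, \@spam_seen);
    print "$name: ", join(', ', map { "$_: $t{$_}" } sort keys %t), "\n";
}
```

A sender with no geolocation data gets `UNKNOWN` for both tokens rather than being treated as near or far, so a missing lookup cannot by itself push a message's score either way.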

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang