On Tue, Apr 01, 2003 at 10:47:49PM +0100, Matt Sergeant wrote: > It stops spam. How more utile would you like it? ;-)
It delays spam delivered by one specific vector. My suspicion is that its kill ratio will be moderate and tend to diminish. I'm not saying not to try it -- spam avoidance is all about snagging some percentage of true-positives without spending false-positives to get it, and a one-off denysoft has no false-positive cost (though a slight cost in annoyance). > Have you done testing on this? It seems to me that all my spam is > coming direct to MX via open proxies. Anyone using a static IP is going I'm not even counting open proxies. First, they're easy for the DNSBLs to probe. Second, POST proxying is trivial to filter. CONNECT proxying is harder, but CONNECT-able proxies are rarer, and valuable enough that I doubt you'll see many used only once. Taking those out, you have relayed spam and direct-to-MX spam. First-time denysoft won't do anything about the former. So the kill ratio is entirely a function of the prevalence, address locality and persistence of the latter. Concerning spammer locality, my reasoning is that direct-to-MX spammers are easy to trace, and dependent on acquiring and keeping their connectivity -- either by buying it from negligent ISPs, operating in hospitable countries, or hopping around on fraudulently-purchased dialup accounts. All of those induce some degree of address locality -- possibly little enough that it won't matter, but I suspect you'll see a fair amount of return business from relatively static direct-to-MX spam sources. Time and some logfile analysis will probably tell. > >You could > >improve it some by aging out entries in the table, but at the expense > >of > >ongoing delays in legitimate mail. > > Not really - you just age out all the entries that have only connected > once (or maybe twice). That's a bit of extra work, but not much. Sure, that helps. Actually it's simpler to think of it in terms of connection rate -- if you age out anything that drops below one connect per month, then a hopping direct-to-MX spammer needs to repeat an IP once per month, which in turn is a factor of how big their available IP space is. Bear in mind that this sort of collision will follow the same pattern as the birthday paradox. -- Devin \ aqua(at)devin.com, 1024D/E9ABFCD2; http://www.devin.com Carraway \ IRC: Requiem GCS/CC/L s-:--- !a !tv C++++$ ULB+++$ O+@ P L+++
