On September 6, 2006 5:43:43 PM EDT, Christopher Bort wrote:
Of course. I think you may misunderstand spamtraps somewhat. They operate only on a per connection basis. If a message in a given (single) SMTP session has multiple RCPT addresses and one or more of those recipients is a spamtrap address, then SIMS will reject the message for all of that message's recipients. SIMS does not keep track of IP addresses that send messages to spamtraps so it does not blacklist IP addresses on the basis that messages addressed to spamtraps have previously come from them. This is almost certainly a good thing, as blacklisting IP addresses based on their sending to spamtraps would be a potential source of false positives.
...
Generating temporary blacklistings based on sending to unknown addresses is different than doing so for sending to spamtrap addresses. Tempbanning for sending to too many unknown addresses is intended to stop spammers from tying up your resources with dictionary harvesting attacks. Most installations won't have very many spamtrap addresses, so spammers aren't likely to inundate you with messages addressed to them (at least not like a dictionary attack will). Dictionary attacks are a potential DoS threat, spamtraps generally are not.
I think I actually do understand spamtraps.
By design, a spamtrap address is a fake address that is released into
the wild in places where only spammers will find them - invisibly
coded into web pages, for instance. As such, no legitimate email
should ever be addressed to one of these secret spamtrap addresses
and one can therefore be secure that such an email is from a spammer.
This, in my view, is a very sound rationale for blacklisting an IP
and is, in fact, used by a number of reputable RBLs. Accordingly, I
do not see the basis for your contention that doing so "would be a
potential source of false positives". Indeed, tempbanning by unknown
addresses, which you do approve of, is far more likely to lead to
false positives — unknown addresses are easily and often caused by
innocent typos.
As it happens, the SIMS philosophy is, as well, not exactly as you
thought (and if I read more carefully, I would have known this a few
days ago). The following is from the same message from SIMS support I
excerpted a few days ago:
The parameters for temporary black listing are controlled by 'IPLL' #128 and #129 resources in SIMS 1.8b8.
#128 configures TTL and up to four 'counters' - only the first two are used now. The first one specifies how many address failures (unknown address) should occur for a host to get onto a temp black list, the second one - how many spamtrap hits. Note that an SMTP session is not marked as blacklisted immediately if the host is 'temp banned' due to spamtraps.
#129 specifies TTL for the 'temp banned' list.
It looks like the third counter is also used in the final release.
All of the counters are defaulted at 5. I have lowered my tolerance
for spamtrap addresses to 2, and I am considering going to 1. The
potential of banning a legitimate mailserver seems very low. Even if
it does happen on a rare occasion, the consequence of that false
positive - a short ban - seems pretty innocuous.
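As an added illustration (not SIMS code, and not from either poster), here is a small Python model of the temp-ban logic described in this thread: a per-host counter for unknown-address failures, a separate counter for spamtrap hits, a TTL on the ban, and the per-connection rule that one spamtrap RCPT rejects the message for every recipient in that session. The thresholds, the 600-second TTL, the addresses and the host IPs are constructed assumptions.

```python
from collections import defaultdict

# Constructed thresholds: SIMS defaults every counter to 5; the post
# lowers the spamtrap tolerance to 2. The TTL value is an assumption.
UNKNOWN_THRESHOLD = 5    # unknown-address failures before a temp ban
SPAMTRAP_THRESHOLD = 2   # spamtrap hits before a temp ban
BAN_TTL = 600            # seconds a host stays on the temp-ban list

SPAMTRAPS = {"trap1@example.net", "trap2@example.net"}  # constructed
KNOWN = {"alice@example.net", "bob@example.net"}        # constructed


class TempBanList:
    def __init__(self):
        self.unknown = defaultdict(int)   # host -> unknown-address failures
        self.trap = defaultdict(int)      # host -> sessions that hit a trap
        self.banned_until = {}            # host -> expiry timestamp

    def is_banned(self, host, now):
        until = self.banned_until.get(host)
        if until is None:
            return False
        if now >= until:                  # TTL expired: clear the entry
            del self.banned_until[host]
            self.unknown[host] = self.trap[host] = 0
            return False
        return True

    def smtp_session(self, host, rcpts, now):
        """Process one SMTP session; return a dict of rcpt -> verdict."""
        if self.is_banned(host, now):
            return {r: "temp-banned" for r in rcpts}
        verdicts = {}
        for r in rcpts:
            if r in SPAMTRAPS:
                verdicts[r] = "spamtrap"
            elif r in KNOWN:
                verdicts[r] = "ok"
            else:
                verdicts[r] = "unknown"
                self.unknown[host] += 1
        if "spamtrap" in verdicts.values():
            self.trap[host] += 1
            # Per-connection rule: one trap address rejects all recipients.
            verdicts = {r: "spamtrap" for r in rcpts}
        # Crossing either threshold bans the host for later sessions only;
        # the current session's verdicts were already decided above.
        if (self.unknown[host] >= UNKNOWN_THRESHOLD
                or self.trap[host] >= SPAMTRAP_THRESHOLD):
            self.banned_until[host] = now + BAN_TTL
        return verdicts
```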