Hello Markus,
Thursday, April 19, 2007, 7:55:59 AM, you wrote:
> Hi Bonno
> tin.it is one of Italy's largest ISPs and the (not new) problem is that many blacklists do catch a RELATIVELY high number of spam messages COMPARED to the number of legit messages simply because the traps measuring this traffic are located elsewhere than Italy or Europe. There are certainly spam messages delivered through these tin-servers (I believe vsmtp21 is one of around at least 64 machines in this cluster) but from what I can see on my servers (located in the north of Italy and processing mostly central-European traffic) there are less than 1% of spam messages coming from tin-servers.
If I may, this is something else that the new GBUdb engine is designed to mitigate.
It may be that less than 1% of messages coming from these servers are spam from the perspective of a system that regularly receives legitimate messages from them.
Other systems that virtually (or actually) never receive legitimate messages from these servers would "see" a very high rate of spam from these servers.
GBUdb learns first from local activity, then shares what it knows with the cloud. So, on one system the reputation of these IPs might be very good, and on other systems the reputation might be very bad -- each system will respond according to its own environment.
If system A regularly sees spam from a given IP and almost never sees a legitimate message, then that system might* locally black-list that IP. If system B regularly receives legitimate messages from the IP then that system might* locally white-list that IP. System C which sees a mix of traffic from the IP would tend to remain undecided about the IP and would rely solely on the pattern matching system.
*If either system sees an inconclusive rate of messages of either type it would tend to remain undecided on the IP and might even forget all about it for great lengths of time. The emergent intelligence in the cloud, however, would keep track of the IP because many other systems would be "talking about it" frequently. If the IP belongs to an ISP that really does produce primarily legitimate messages then the cloud would "feel good" about the IP.
In that case we would also see scenarios like this: System D sees traffic from the IP only infrequently and often forgets all about it. One day it receives a group of messages from this IP and asks the cloud what it "feels" about it. The cloud would report that the IP is probably a good source. For the moment, System D would be biased in that direction - but it would continue to evaluate the messages it is receiving and report what it learns. If it sees a lot of spam then it will decide that the IP is not a good source and will act accordingly. If it sees primarily legitimate messages then it will decide that the IP is good. If it sees a mix then it most likely will decide not to decide.
_M
--
Pete McNeil
Chief Scientist,
Arm Research Labs, LLC.
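
Added example, not part of the original message and not GBUdb's own code: a simplified Python model of the Systems A to D behaviour described above, where each system keeps local good/bad counts per IP and treats the cloud's opinion only as a prior that local evidence can outweigh. The class name, thresholds, hint weight and sample address are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed parameters for this sketch; the message gives no thresholds.
MIN_SAMPLES = 10   # below this much evidence a system stays undecided
BLACK_AT = 0.8     # spam fraction at or above which the IP is black-listed locally
WHITE_AT = 0.2     # spam fraction at or below which the IP is white-listed locally
HINT_WEIGHT = 20   # how many "virtual messages" a cloud opinion is worth


class LocalReputation:
    """Per-system good/bad counters; a cloud opinion acts only as a prior."""

    def __init__(self):
        self.counts = defaultdict(lambda: [0, 0])  # ip -> [good, bad]

    def record(self, ip, is_spam, n=1):
        self.counts[ip][1 if is_spam else 0] += n

    def verdict(self, ip, cloud_spam_fraction=None):
        good, bad = self.counts.get(ip, (0, 0))
        if cloud_spam_fraction is not None:
            # The cloud's view is mixed in as pseudo-counts, so local
            # observations outweigh it as they accumulate.
            bad += HINT_WEIGHT * cloud_spam_fraction
            good += HINT_WEIGHT * (1 - cloud_spam_fraction)
        total = good + bad
        if total < MIN_SAMPLES:
            return "undecided"
        frac = bad / total
        if frac >= BLACK_AT:
            return "black"
        if frac <= WHITE_AT:
            return "white"
        return "undecided"


def scenarios(ip="192.0.2.21", cloud=0.05):
    """Constructed traffic for Systems A-D; cloud=0.05 means 'probably good'."""
    a, b, c, d = (LocalReputation() for _ in range(4))
    a.record(ip, True, 95); a.record(ip, False, 1)    # A: almost only spam
    b.record(ip, False, 99); b.record(ip, True, 1)    # B: almost only legitimate
    c.record(ip, True, 50); c.record(ip, False, 50)   # C: mixed traffic
    out = {"A": a.verdict(ip), "B": b.verdict(ip), "C": c.verdict(ip)}
    out["D_no_data"] = d.verdict(ip)                  # D has forgotten the IP
    out["D_cloud_hint"] = d.verdict(ip, cloud)        # biased toward good
    d.record(ip, True, 150)                           # D then sees a lot of spam
    out["D_after_spam"] = d.verdict(ip, cloud)        # local evidence wins
    return out
```
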
