> -----Original Message-----
> From: Bob Apthorpe [mailto:[EMAIL PROTECTED]
> Sent: Saturday, February 07, 2004 5:02 AM
> To: SATalk
> Subject: Metric for sending IP "pinkness"?
>
>
> Hi,
>
> I'm working on a project to combine mail log analysis and SpamAssassin
> (spamd) scoring to rank the spamminess of a connecting IP address. I
> haven't found any standard metrics so I'm guessing at what might be
> useful, such as %spam per unit time {15-minutes, hour, day, week} per
> unit network {/32, /28, /24}.
> [...]
A bit off-topic, but in the vein of using mail logs ... I was thinking it might be good to monitor outgoing mail addresses as well, on the assumption that your site isn't hosting spammers or spam tool developers (<g>) and that the people listed in the outgoing mail might at a minimum be whitelisted, but certainly those addresses should never be automatically blacklisted.

As you mentioned, a spam-filter-neutral approach would be to look for dictionary attacks, or for attempted transmissions to users without logins (like adm, games, bin, and accounts which have never been listed on the 'net). This might catch a lot of them. In our case, before we started blocking them we received a lot of mail to these bogus users (which were probably discovered by prior dictionary attacks), so they make a good spam signature.

SenderBase (http://www.senderbase.org/), which I believe Justin mentioned before, looks interesting; it can be accessed via DNS to get some interesting statistics about a host. I just couldn't quite figure out what to do with the data.

This is a fun little page as well: http://hatcheck.org/blockparade.html. Find your favorite ISP or country and see what percentage of their IP addresses are blocked <g>. One might be able to use this info to give a weighting in making a blocking decision. It will also give you an idea of which blacklists are more/less aggressive.
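As an added example (not code from the thread), here is one way to compute both the login-less-account signature described in the reply and the per-network "%spam" style metric from the original message directly from mail logs. The log line shapes, the system accounts beyond adm/games/bin, and the sample log are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Login-less accounts that never receive legitimate mail: the post names adm,
# games and bin; the others are assumed typical system accounts.
SYSTEM_ACCOUNTS = {"adm", "games", "bin", "daemon", "lp", "sync", "nobody"}

# Assumed log shapes, loosely modelled on Postfix smtpd reject/client lines.
REJECT_RE = re.compile(r"reject: RCPT from \S+\[([\d.]+)\]: 550 <([^@>]+)@")
ACCEPT_RE = re.compile(r": client=\S+\[([\d.]+)\]")

# Constructed sample log (not real traffic): one /24 probes system accounts,
# a second host in it hits one random name, a partner relay delivers normally.
SAMPLE_LOG = """\
Feb  7 05:02:01 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <bin@example.org>: User unknown
Feb  7 05:02:02 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <adm@example.org>: User unknown
Feb  7 05:02:03 mx postfix/smtpd[123]: NOQUEUE: reject: RCPT from unknown[192.0.2.10]: 550 <games@example.org>: User unknown
Feb  7 05:02:04 mx postfix/smtpd[124]: NOQUEUE: reject: RCPT from unknown[192.0.2.77]: 550 <qwz7@example.org>: User unknown
Feb  7 05:02:05 mx postfix/smtpd[125]: 1A2B3C: client=mail.partner.example[198.51.100.5]
Feb  7 05:02:06 mx postfix/smtpd[125]: 4D5E6F: client=mail.partner.example[198.51.100.5]
"""

def analyse(log_text, prefix=24):
    """Per /prefix network: delivery events, rejected recipients, and hits on
    login-less system accounts. prefix=32 gives per-host figures."""
    stats = defaultdict(lambda: {"events": 0, "rejects": 0, "system": 0})
    for line in log_text.splitlines():
        if m := REJECT_RE.search(line):
            ip, local = m.groups()
            net = str(ip_network(f"{ip}/{prefix}", strict=False))
            stats[net]["events"] += 1
            stats[net]["rejects"] += 1
            stats[net]["system"] += int(local.lower() in SYSTEM_ACCOUNTS)
        elif m := ACCEPT_RE.search(line):
            net = str(ip_network(f"{m.group(1)}/{prefix}", strict=False))
            stats[net]["events"] += 1
    return dict(stats)

def pinkness(stats, min_events=3):
    """Rejected fraction per network; networks with too few events are dropped
    so a single typo'd address does not brand a whole /24."""
    return {net: s["rejects"] / s["events"]
            for net, s in stats.items() if s["events"] >= min_events}

def candidates(stats, min_system_hits=2):
    """Networks that probed several login-less accounts: a dictionary-attack
    signature independent of any content filter (weight it, never auto-block on one hit)."""
    return sorted(n for n, s in stats.items() if s["system"] >= min_system_hits)
```

Run the same log through `analyse(SAMPLE_LOG, prefix=32)` to get per-host rather than per-/24 figures, matching the {/32, /28, /24} granularities the original message proposes.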
