[Mimedefang] Scary... Filtering on the outbound.

John Scully jscullylg3 at lifegiver.net
Thu Feb 17 22:47:49 EST 2005


Our company, which operates about 250 ISPs, just implemented outbound 
filtering for exactly this reason - we are seeing an increasing number of 
subscribers sending spam due to worms.  We have always filtered outbound for 
viruses.

In order to block spam but not block individual messages we began tracking 
total number and average score of messages sent in the last ten minutes, one 
hour, one day and last 30 days.  Since dial-up subs can have a different IP 
address each time they connect, we have to start by tracking back to the 
"real" userid from the sending IP address.
A sub could send a few emails scoring anything (could be a personal 
porn-o-gram to someone :) but the higher the number of messages the lower 
the average score can be to trigger blocking.  Rate of transmission also 
weights the decision - sending 100 in a few minutes is treated like sending 
1,000 over a longer time.

We are still playing with the rules, but so far so good.  We no longer get 
reported to SpamCop or other block lists, and the only subscribers who have 
had an issue are people who were really spammers - they all claimed that 
they were sending out newsletters until shown the spam reports.

John Scully
www.isupportisp.com

----- Original Message ----- 
From: "David F. Skoll" <dfs at roaringpenguin.com>
To: "MimeDefang" <mimedefang at lists.roaringpenguin.com>
Sent: Thursday, February 17, 2005 12:48 PM
Subject: Re: [Mimedefang] Scary... Filtering on the outbound.


>
> On Wed, 16 Feb 2005, Ben Kamen wrote:
>
> [about outbound filtering]
>
> This is going to become a lot more common for a couple of reasons:
>
> 1) As ISPs block outbound port 25 connections, spam zombies are going
> to use the ISP's relay to send outbound spam.  This will force ISPs
> to filter outgoing mail, or risk getting blocked as spam sources.
>
> 2) All kinds of regulations in the US like HIPAA and financial
> regulations will force businesses to at least pretend to control
> outflowing information.  Unfortunately, doing this effectively means
> prohibiting tools like PGP for encrypted e-mail. :-(
>
> Regards,
>
> David.
> 
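The per-subscriber tracking John describes above, sketched as an added example (not code from this message or from MIMEDefang): mail is attributed to the userid that held the sending IP, then count and average score are checked over the four windows he names. The window lengths and the 10x weighting of the ten-minute window follow the message; the other weights, the threshold curve and the `login`/`resolve` session table are assumptions.

```python
import bisect
from collections import defaultdict

# Windows named in the post; weights other than 10x and all thresholds are assumed.
WINDOWS = [("10min", 600, 10.0), ("1hour", 3600, 4.0),
           ("1day", 86400, 2.0), ("30days", 30 * 86400, 1.0)]
MIN_WEIGHTED = 50      # below this weighted volume, never block on score alone
SCORE_AT_MIN = 8.0     # average spam score needed at MIN_WEIGHTED messages
SCORE_FLOOR = 2.0      # required average never drops below this

class OutboundTracker:
    def __init__(self):
        self.sessions = defaultdict(list)   # ip -> sorted [(login_ts, userid)]
        self.history = defaultdict(list)    # userid -> sorted [(ts, score)]

    def login(self, ip, ts, userid):
        """Record a dial-up session start (e.g. from RADIUS accounting)."""
        bisect.insort(self.sessions[ip], (ts, userid))

    def resolve(self, ip, ts):
        """Map a sending IP to whoever held it at time ts, or None."""
        leases = self.sessions.get(ip, [])
        i = bisect.bisect_right(leases, (ts, "\U0010ffff")) - 1
        return leases[i][1] if i >= 0 else None

    def record(self, ip, ts, score):
        """File one scored outbound message under the resolved userid."""
        user = self.resolve(ip, ts)
        if user is not None:
            bisect.insort(self.history[user], (ts, score))
        return user

    @staticmethod
    def required_average(weighted_count):
        """More (weighted) mail means a lower average score triggers a block."""
        if weighted_count < MIN_WEIGHTED:
            return float("inf")
        return max(SCORE_FLOOR, SCORE_AT_MIN * MIN_WEIGHTED / weighted_count)

    def verdict(self, user, now):
        """Return (blocked, window_name) for the first window that trips."""
        msgs = self.history.get(user, [])
        for name, span, weight in WINDOWS:
            start = bisect.bisect_left(msgs, (now - span, float("-inf")))
            end = bisect.bisect_right(msgs, (now, float("inf")))
            recent = [score for _, score in msgs[start:end]]
            needed = self.required_average(len(recent) * weight)
            if recent and sum(recent) / len(recent) >= needed:
                return True, name
        return False, None
```

With these assumed values, 100 messages averaging a score of 3.0 trip the ten-minute window, while the same 100 messages spread over 20 days do not trip any window.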


