[Mimedefang] Image blocking idea

David F. Skoll dfs at roaringpenguin.com
Thu Apr 20 16:30:48 EDT 2006


John Rudd wrote:

> Except that the more they flex their zombies, the more attention it
> draws to the zombie's real owner that something is wrong with their
> computer and needs to be fixed.

Uh.....

The zombie's real owner is most likely an unsophisticated Windows user
who wouldn't have a clue that anything's wrong.  They just consider it normal
that their machine gets slower and slower as time goes by until the next
"scheduled" wipe-and-reinstall. :-)

> Plus, a huge percentage of the machines that show up in my logs for "got
> whacked by greet_pause" are the very sorts of dynamic addresses you'd
> expect to see with a zombie ... not the unsophisticated channels you
> mention.

I agree.

> If the sophisticated spammers aren't vulnerable to things like
> greet_pause, why are they still getting caught by the greet_pause?

Well, there are varying degrees of sophistication.  However, the
general trend for malware is for it to move towards greater and
greater sophistication.

I look at the problem the way a cryptographer looks at cryptography:
You can't really trust a cryptographic algorithm until it can withstand
an attack involving arbitrary amounts of chosen plaintext.  So I look for
anti-spam technology that's effective even in the face of sophisticated
attackers.

I'm not saying greet_pause or greylisting are useless... you might as well
keep using them to get the low-hanging fruit.  But I predict they will
become less useful in future.

> Last, I don't worry about them hitting my machines with 10's or 100's of
> connections per zombie (parallelizing their attempts within a given
> zombie).  For non-trusted mail relays, I limit the number of connections
> to 2.

Right, the parallelization I mentioned is against multiple targets
also.  Let's say a spammer needs to send 1,000,000 e-mails to people
in 1,000 domains, and the largest domain contains 5,000 victims.  If
*each* domain's MX machine limits the spammer to sending one e-mail
every 10 seconds, he can still send all 1,000,000 e-mails in around 14
hours, or at an effective rate of 20 messages/second.

Regards,

David.


