[Mimedefang] Image blocking idea
David F. Skoll
dfs at roaringpenguin.com
Thu Apr 20 16:30:48 EDT 2006

John Rudd wrote:
> Except that the more they flex their zombies, the more attention it
> draws to the zombie's real owner that something is wrong with their
> computer and needs to be fixed.

The zombie's real owner is most likely an unsophisticated Windows user
who wouldn't have a clue that anything's wrong. They just consider it normal
that their machine gets slower and slower as time goes by until the next
"scheduled" wipe-and-reinstall. :-)

> Plus, a huge percentage of the machines that show up in my logs for "got
> whacked by greet_pause" are the very sorts of dynamic addresses you'd
> expect to see with a zombie ... not the unsophisticated channels you
> If the sophisticated spammers aren't vulnerable to things like
> greet_pause, why are they still getting caught by the greet_pause?

Well, there are varying degrees of sophistication. However, the
general trend for malware is for it to move towards greater and

I look at the problem the way a cryptographer looks at cryptography:
You can't really trust a cryptographic algorithm until it can withstand
an attack involving arbitrary amounts of chosen plaintext. So I look for
anti-spam technology that's effective even in the face of sophisticated

I'm not saying greet_pause or greylisting are useless... you might as well
keep using them to get the low-hanging fruit. But I predict they will
become less useful in future.

> Last, I don't worry about them hitting my machines with 10's or 100's of
> connections per zombie (parallelizing their attempts within a given
> zombie). For non-trusted mail relays, I limit the number of connections
> to 2.

Right, the parallelization I mentioned is against multiple targets
also. Let's say a spammer needs to send 1,000,000 e-mails to people
in 1,000 domains, and the largest domain contains 5,000 victims. If
*each* domain's MX machine limits the spammer to sending one e-mail
every 10 seconds, he can still send all 1,000,000 e-mails in around 14
hours, or at an effective rate of 20 messages/second.