[Mimedefang] Another silly idea

Paul Murphy pjm at ousekjarr.org
Tue May 2 10:01:29 EDT 2006


> Yes, to a certain degree it will overlap with CBL (one of the lists 
> aggregated into XBL).  XBL's description says it detects open relays and 
> open proxies.  My thinking is to try to detect the zombies that are closed 
> except to their master (or those renting capacity from the controller). 
> Most of them will eventually end up on RBLs once they start sending spam, 
> but why wait until then if they propagate the infection first?

You're assuming that the infection is virus-based, which is not always the
case - many of these botnets are built on exploits of known security flaws,
which are then used to install bot software.

The first indication you will have of them being controlled is when they
start sending spam, so detecting it as spam and then blackholing the sending
IP address is perhaps your only real defence against future issues.

Question 1:  to what extent is your incoming mail volume generated by
external mail servers which either have a matching MX record for the domain,
or have an SPF policy permitting them to send to you?  In my case, this
accounts for 99.9% of all legitimate mail.

Question 2: to what extent is your incoming spam volume generated by dynamic
addresses, dial-up systems, broadband hosts, and other end-user systems which
either have their IP address in their hostname (e.g.
220x218x25x21.ap220.ftth.ucom.ne.jp) or which resolve to names which indicate
their dynamic nature (e.g. 53546EC2.cable.casema.nl)?  In my case, this is
95% or more of connections which are then rejected due to spam
classification.

Perhaps working on a system to list all valid mail servers would be a better
idea?  This way, no end-user system can send e-mail out directly unless they
are registered via a central registry which can then remove them for abuse.

In other words, don't blacklist the temporary addresses which cause problems
for a short period - whitelist those which are well behaved.

Paul.


-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.385 / Virus Database: 268.5.1/328 - Release Date: 01/05/2006
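The two questions above amount to a classifier: a connecting host is either a registered mail server (its PTR matches an MX for the domain, or SPF permits it) or an end-user host whose reverse DNS embeds its own IP address or a dynamic-pool label such as "cable" or "ftth". The Python below implements that classification as an added example; it is not part of Paul's post or of MIMEDefang itself. To run offline it assumes the caller has already done the DNS work: the MX targets and the SPF result are passed in as resolved inputs. The token list is illustrative, not authoritative, and every hostname and address in `SAMPLE_CONNECTIONS` is constructed except the two rDNS names quoted in the post (the hex label 53546EC2 decodes to 83.84.110.194).

```python
import ipaddress
import re
from typing import Iterable

# Labels that commonly mark end-user address pools in reverse DNS.
# Illustrative list (an assumption for this example), not an authoritative one.
DYNAMIC_TOKENS = frozenset({
    "dyn", "dynamic", "dhcp", "ppp", "pppoe", "dsl", "adsl", "cable",
    "dialup", "dialin", "pool", "ftth", "broadband", "catv",
})

# Four 1-3 digit groups separated by '.', '-', '_' or 'x' (e.g. 220x218x25x21.ap220...).
_DECIMAL_QUAD = re.compile(
    r"(?<![0-9])(\d{1,3})[.\-_x](\d{1,3})[.\-_x](\d{1,3})[.\-_x](\d{1,3})(?![0-9])"
)
# Eight hex digits standing alone (e.g. 53546EC2.cable.casema.nl).
_HEX_QUAD = re.compile(r"(?<![0-9a-f])([0-9a-f]{8})(?![0-9a-f])")


def ip_in_hostname(ip: str, hostname: str) -> bool:
    """True if the IPv4 address is spelled out inside the hostname, either as a
    decimal quad (in forward or reversed octet order) or as eight hex digits."""
    addr = ipaddress.IPv4Address(ip)
    host = hostname.lower().rstrip(".")
    octets = [int(o) for o in str(addr).split(".")]
    for m in _DECIMAL_QUAD.finditer(host):
        quad = [int(g) for g in m.groups()]
        if quad == octets or quad == octets[::-1]:
            return True
    for m in _HEX_QUAD.finditer(host):
        if int(m.group(1), 16) == int(addr):
            return True
    return False


def has_dynamic_label(hostname: str) -> bool:
    """True if any label of the hostname, with digits stripped, is a pool token
    (so 'ap220' does not match but 'cable', 'ftth' or 'dyn12' do)."""
    for label in re.split(r"[.\-_]", hostname.lower()):
        if re.sub(r"\d+", "", label) in DYNAMIC_TOKENS:
            return True
    return False


def looks_dynamic(ip: str, hostname: str) -> bool:
    """The post's Question 2: end-user host by rDNS appearance."""
    return ip_in_hostname(ip, hostname) or has_dynamic_label(hostname)


def classify_sender(ip: str, ptr: str, mx_hosts: Iterable[str], spf_permits: bool) -> str:
    """Apply the post's ordering: whitelist known mail servers first, then
    fall back to the rDNS heuristics. mx_hosts are the MX targets already
    resolved for the sender's domain and spf_permits is the result of an SPF
    evaluation already performed; both are assumed to come from the caller.
    Returns "server", "dynamic" or "unknown"."""
    known = {h.lower().rstrip(".") for h in mx_hosts}
    if ptr and ptr.lower().rstrip(".") in known:
        return "server"
    if spf_permits:
        return "server"
    if ptr and looks_dynamic(ip, ptr):
        return "dynamic"
    return "unknown"


# Constructed sample connections: (ip, PTR name, MX targets for the sender
# domain, SPF pass?). The two dynamic PTR names are the ones quoted in the
# post; the rest are made up for this example.
SAMPLE_CONNECTIONS = [
    ("192.0.2.10", "mail.example.com", ["mail.example.com"], False),
    ("198.51.100.25", "out3.mailer.example.net", [], True),
    ("220.218.25.21", "220x218x25x21.ap220.ftth.ucom.ne.jp", [], False),
    ("83.84.110.194", "53546EC2.cable.casema.nl", [], False),
    ("203.0.113.9", "smtp9.someisp.example", [], False),
]


def sample_classification() -> dict:
    """Verdict per PTR name for the constructed sample set."""
    return {ptr: classify_sender(ip, ptr, mx, spf) for ip, ptr, mx, spf in SAMPLE_CONNECTIONS}


if __name__ == "__main__":
    for ptr, verdict in sample_classification().items():
        print(f"{verdict:8} {ptr}")
```

The "unknown" bucket is the interesting one for the whitelist idea: a host that is neither a registered server nor obviously dynamic is exactly what a central registry would have to decide on, and a plain rDNS heuristic can say nothing about it.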
 




More information about the MIMEDefang mailing list