[Mimedefang] SNARE spam detection

Kenneth Porter shiva at sewingwitch.com
Wed Jul 29 14:15:56 EDT 2009

Just saw this on Slashdot:


If I understand it correctly, there are two methods they use to identify a 
spamming host:

1) They compare the geodesic distance of sender IP address from senders of 
previous spam and from the receiver. Spam senders tend to cluster together 
and be far from the recipient.

2) They look at how many open ports are on the sender. (Few ports indicates 
a bot-controlled zombie spammer.)

I'm wondering how hard it would be to implement this inside MD, perhaps 
passing the result as tokens in custom headers to SpamAssassin for scoring. 
Both operations look potentially expensive, and port-scanning the sender 
means all our legitimate senders will soon see regular port scans.

More information about the MIMEDefang mailing list