[Mimedefang] SNARE spam detection
shiva at sewingwitch.com
Wed Jul 29 14:15:56 EDT 2009
Just saw this on Slashdot:
If I understand it correctly, there are two methods they use to identify a
1) They compare the geodesic distance of sender IP address from senders of
previous spam and from the receiver. Spam senders tend to cluster together
and be far from the recipient.
2) They look at how many open ports are on the sender. (Few ports indicates
a bot-controlled zombie spammer.)
I'm wondering how hard it would be to implement this inside MD, perhaps
passing the result as tokens in custom headers to SpamAssassin for scoring.
Both operations look potentially expensive, and port-scanning the sender
means all our legitimate senders will soon see regular port scans.
More information about the MIMEDefang