[Mimedefang] SNARE spam detection
David F. Skoll
dfs at roaringpenguin.com
Wed Jul 29 14:52:48 EDT 2009
Kenneth Porter wrote:
> <http://www.technologyreview.com/communications/23086/page1/>
> 1) They compare the geodesic distance of sender IP address from senders
> of previous spam and from the receiver. Spam senders tend to cluster
> together and be far from the recipient.
> 2) They look at how many open ports are on the sender. (Few ports
> indicates a bot-controlled zombie spammer.)
> I'm wondering how hard it would be to implement this inside MD, perhaps
> passing the result as tokens in custom headers to SpamAssassin for
> scoring.
In CanIt, we use geolocation to determine the country (and city, if
possible) of the sending server using the data from Maxmind. We tokenize
country-codes and city names. However, we don't look at the distance
from the sender to the receiver. It looks like a very interesting idea!
Btw, here are the top-5 spamming cities as reported by our customers:
5. Suwon, Korea
4. Odessa, Ukraine
3. Changchun, China
2. Dong, Vietnam
1. Kazan, Russia
(However, more spam still originates from the United States than from
any other country.)
> Both operations look potentially expensive, and port-scanning
> the sender means all our legitimate senders will soon see regular port
> scans.
Yeah, the port-scanning looks troublesome, especially if you do it in
real-time.
Regards,
David.
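The distance idea discussed in this thread (geodesic distance between the sending IP's location and the recipient, bucketed into tokens that SpamAssassin can score) is easy to prototype. The block below is an added example, not code from this thread, from CanIt or from MIMEDefang: it uses the haversine formula for great-circle distance and emits country, city and distance-bucket tokens suitable for a custom header. The IP-to-location table, the recipient site coordinates and the bucket thresholds are all constructed placeholders standing in for a real GeoIP database and local policy.

```python
import math

EARTH_RADIUS_KM = 6371.0  # mean Earth radius, good enough for bucketing


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def distance_token(km):
    """Coarse distance bucket so a Bayesian or rule-based scorer can learn on it.
    Thresholds are constructed for illustration, not tuned values."""
    if km < 500:
        return "GEODIST_LOCAL"
    if km < 2000:
        return "GEODIST_REGIONAL"
    if km < 6000:
        return "GEODIST_FAR"
    return "GEODIST_VERYFAR"


# Constructed stand-in for a GeoIP lookup: ip -> (country, city, lat, lon).
# Documentation-range addresses only; a real filter would query a GeoIP database.
FAKE_GEOIP = {
    "203.0.113.10": ("KR", "Suwon", 37.26, 127.03),
    "198.51.100.7": ("CA", "Ottawa", 45.42, -75.70),
    "192.0.2.33": ("US", "Chicago", 41.88, -87.63),
}

# Constructed: where the receiving mail server sits (Ottawa here).
RECIPIENT_SITE = (45.42, -75.70)


def geo_tokens(sender_ip, recipient=RECIPIENT_SITE):
    """Return the tokens for one connecting IP: country, city and distance bucket.
    Unknown addresses get a single GEO_UNKNOWN token rather than nothing, so the
    absence of geodata is itself visible to the scorer."""
    rec = FAKE_GEOIP.get(sender_ip)
    if rec is None:
        return ["GEO_UNKNOWN"]
    cc, city, lat, lon = rec
    km = haversine_km(lat, lon, recipient[0], recipient[1])
    return [f"GEOCC_{cc}", f"GEOCITY_{city.upper()}", distance_token(km)]


def header_value(sender_ip):
    """Space-separated token string to place in a custom header such as
    X-Geo-Tokens (header name is an assumption) for SpamAssassin to match on."""
    return " ".join(geo_tokens(sender_ip))


if __name__ == "__main__":
    for ip in list(FAKE_GEOIP) + ["192.0.2.99"]:
        print(f"{ip:15} X-Geo-Tokens: {header_value(ip)}")
```

The lookup is a pure in-memory computation, so unlike the port-scan part of the SNARE idea it adds no network traffic per message; the only cost is the GeoIP query, which MIMEDefang filters that already geolocate senders pay anyway.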