[Mimedefang] SNARE spam detection

David F. Skoll dfs at roaringpenguin.com
Wed Jul 29 14:52:48 EDT 2009

Kenneth Porter wrote:

> <http://www.technologyreview.com/communications/23086/page1/>

> 1) They compare the geodesic distance of sender IP address from senders
> of previous spam and from the receiver. Spam senders tend to cluster
> together and be far from the recipient.

> 2) They look at how many open ports are on the sender. (Few ports
> indicates a bot-controlled zombie spammer.)

> I'm wondering how hard it would be to implement this inside MD, perhaps
> passing the result as tokens in custom headers to SpamAssassin for
> scoring.

In CanIt, we use geolocation to determine the country (and city, if
possible) of the sending server using the data from Maxmind.  We tokenize
country-codes and city names.  However, we don't look at the distance
from the sender to the receiver.  It looks like a very interesting idea!

Btw, here are the top-5 spamming cities as reported by our customers:

5. Suwon, Korea
4. Odessa, Ukraine
3. Changchun, China
2. Dong, Vietnam
1. Kazan, Russia

(However, more spam still originates from the United States than from
any other country.)

> Both operations look potentially expensive, and port-scanning
> the sender means all our legitimate senders will soon see regular port
> scans.

Yeah, the port-scanning looks troublesome, especially if you do it in



More information about the MIMEDefang mailing list