[Mimedefang] SNARE spam detection

Tilman Schmidt t.schmidt at phoenixsoftware.de
Wed Jul 29 18:50:39 EDT 2009

Kenneth Porter wrote:
> Just saw this on Slashdot:
> <http://www.technologyreview.com/communications/23086/page1/>

That article is so full of misinformation and patently wrong
statements it's really not worth discussing.

> 2) They look at how many open ports are on the sender. (Few ports
> indicates a bot-controlled zombie spammer.)

The sentence you refer to claims that "Bots [...] tend to keep open
the [SMTP] port" which is absurd. I've yet to find a Spambot that
actually accepts incoming SMTP connections.

> Both operations look potentially expensive,

The article also claims that information "could be gleaned from a
single packet of data" which is equally absurd.

> and port-scanning
> the sender means all our legitimate senders will soon see regular port
> scans.

Well, everybody on the Internet is seeing regular port scans anyway.
The real issue is that users of that wonderful new spam detection
technique will quickly find themselves on those legitimate senders'
IP blacklists, together with all those bots which in their spare
time between distributing spam try a bit of portscanning to
recruit more members for their botnet.


