Re: Spam, ASNs, CIDRs, and d-u
Karsten M. Self


09-29-04 08:09 AM

on Tue, Sep 28, 2004 at 10:00:29PM +0200, Marco d'Itri (md@Linux.IT) wrote:
> On Sep 28, Florian Weimer <fw@deneb.enyo.de> wrote:
>  
> This is not really a plausible threat model.
> And as you noticed, by-ASN blocking is very resource-intensive.

Bullshit.

- You identify ASNs contributing significant quantities of spam.  This can be done through a small number of spamtrap addresses (which may or may not be single-use addresses).  These stats are updated independently of incoming mail on an hourly, daily, weekly, fortnightly, monthly, or blue-moonly basis.

- You query the ASN to find its associated CIDR ranges.  This can be done through several network sources.  Since the major (say, top four) ASN spam sources change little month-to-month, and since there are so few who contribute so majorly to spam, this is a minor task even if manually completed, and it can almost certainly be automated.

- You have a set of rules based on IP ranges (CIDRs advertised for the ASN) which you feed to your antispam defenses.  These may be firewall rules, SMTP rules, or content-filtering rules.  It is *NOT* necessary to perform the DNS query for each incoming email, though you may of course do so if you choose.

While I'm a fan of content-based filtering (e.g.:  SpamAssassin,
Bayesian filters), I have to admit that they scale somewhat poorly on
large sites (though networked operation on a round-robin cluster might
be an improvement).  By skimming off a large volume (25 - 50%) of spam
straight off the top, you're reducing your filtering load
commensurately.

Details on how one large US academic site gets very effective spam
filtering (95%+ from what I can tell) are in the following presentation.
The author's website has several other interesting articles and
presentations:

http://darkwing.uoregon.edu/~joe/ic...resentation.pdf
http://darkwing.uoregon.edu/~joe/



More to the point, Marco's missed the concept entirely that ASN & CIDR
provide _data_ on _where_ spam is coming from, which can be used to tune
processes appropriately.


> I suggest that the author of the original statistics also try classifying
> the spam by announced network prefix, which I believe will show more
> interesting aggregation properties.

I've demonstrated how to do this:  my method offers you *both* options.
CIDR and ASN are included in the same DNS query.


Peace.

-- 
Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Save Bob Edwards!       http://www.savebobedwards.com/
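As an added illustration of the three steps in Karsten's post (not code from the post or from any project it mentions), the following Python script batch-scores constructed spamtrap hits per ASN, selects the heavy contributors, and emits MTA rules from their advertised ranges without any lookup at mail-delivery time. The ASN-to-CIDR table (RFC 5398 documentation ASNs and RFC 5737 documentation prefixes), the Postfix cidr-table output format and the 25% share threshold are assumptions standing in for the DNS origin lookup and the site's own rule format.

```python
import ipaddress
from collections import Counter

# Constructed spamtrap log: source IP of each message that hit a trap address.
# Documentation prefixes (RFC 5737) only; these are not real spam sources.
SPAMTRAP_LOG = """\
198.51.100.7
198.51.100.9
203.0.113.5
198.51.100.23
203.0.113.77
192.0.2.12
198.51.100.41
203.0.113.8
198.51.100.2
"""

# Constructed ASN -> advertised CIDRs table (documentation ASNs, RFC 5398).
# Stands in for the data the post gets from a DNS origin lookup or whois.
ASN_TO_CIDRS = {
    64496: ["198.51.100.0/24", "203.0.113.128/25"],
    64497: ["203.0.113.0/25"],
    64498: ["192.0.2.0/24"],
}

def asn_for_ip(ip, asn_to_cidrs=ASN_TO_CIDRS):
    """Longest-prefix match of one address against the advertised ranges."""
    addr = ipaddress.ip_address(ip)
    best = None
    for asn, cidrs in asn_to_cidrs.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (asn, net.prefixlen)
    return best[0] if best else None

def spam_share_by_asn(log, asn_to_cidrs=ASN_TO_CIDRS):
    """Step 1: fraction of trap hits per ASN, computed in batch, not per mail."""
    hits = Counter(asn_for_ip(ip, asn_to_cidrs) for ip in log.split())
    total = sum(hits.values())
    return {asn: n / total for asn, n in hits.items()}

def top_spam_asns(log, min_share=0.25, asn_to_cidrs=ASN_TO_CIDRS):
    """Step 2: ASNs whose share of trap hits reaches the threshold, largest first."""
    share = spam_share_by_asn(log, asn_to_cidrs)
    return sorted([a for a, s in share.items() if s >= min_share], key=lambda a: -share[a])

def postfix_cidr_rules(asns, asn_to_cidrs=ASN_TO_CIDRS):
    """Step 3: MTA rules from the ASNs' ranges, here as Postfix cidr-table lines."""
    return [f"{c} REJECT spam source AS{a}" for a in asns for c in asn_to_cidrs[a]]
```

Running `postfix_cidr_rules(top_spam_asns(SPAMTRAP_LOG))` on the constructed data selects AS64496 and AS64497 and yields three REJECT lines; only the table, not the mail path, needs refreshing when the stats are recomputed.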