Re: [Asrg] Zombie spam
Barry,
>> 2. The compromised machine uses their local provider's MTA to do the
>> cross-next sending. The problem, here, is much more difficult. How can
>> the provider know whether the machine is compromised? What is it doing
>> that it should not be doing?
BS> Generating complaints (including RBL additions)?
BS> I know, you were asking about something more pro-active, before one
BS> has to respond to complaints etc.
right. I was asking about "technical" characteristics of zombie traffic
that distinguish it from "legitimate" traffic.
the instant we start trying to use things like "complaints" we are in
the realm of social assessment, not technical, never mind the fuzziness
and politics of it.
BS> It might however seem like a good service for someone like the DCC
BS> folks to sell. Pay them to keep your ISP's mail servers in a watch
BS> list so you can be alerted by them when some threshold is exceeded.
I'll guess that 'threshold' refers to something like amount of traffic
from a particular host, on the theory that greater load means it might
be a zombie. Of course, the clever spammers control enough machines
that they well might just keep the per-zombie traffic load below that
limit...
BS> It might be difficult to distinguish from forwarding hosts.
Right. And, alas, this leads us down the path of considering having
forwarding hosts be registered with the ISP.
The part of this that might not be so crazy is that providers often
distinguish charges between low-traffic and high-traffic hosts within
their networks.
BS> Oh let's just admit it, we're seriously f*****d.
I thought we all had already done that.
The challenge now is to follow up that fact with... hmmm. can't think
of a clever comment that won't get me into all sorts of political
correctness trouble.
d/
--
Dave Crocker <mailto:dcrocker at brandenburg.com>
Brandenburg InternetWorking <http://www.brandenburg.com>
Sunnyvale, CA USA <tel:+1.408.246.8253>, <fax:+1.866.358.5301>
_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg