In message <20041110195606.GB28960@???>, Walt Reed
<exim@???> writes
>On Wed, Nov 10, 2004 at 11:28:37AM -0800, Marilyn Davis said:
>> In any case, does anyone have any clever tricks for watching for
>> user-generated spam? Count how many addresses they send to per 5
>> minutes and if it is high, look into it? I want to get away from
>> spamassassin and such filter tools because I don't want to play the
>> spam-war anymore. I want to win.
>
>Analyze your logs via a cron job. Define a threshold for legit usage,
>and automatically lock any account that exceeds it.
This doesn't work especially well when users legitimately have a high
variability in the amount they send (and the peaks are substantial). At
an ISP it is far from uncommon to see businesses sending out mailshots
to 10K people or more on a semi-regular basis :(
You could of course record the identities of these mailing lists and
then give them a free pass ... but that scales badly and there's a risk
of significantly annoying a good customer when they change the name of
their mailing list and you throw it all on the floor :(
What DOES work is to look at the different properties that spam (and
indeed viruses) have which distinguish it from legitimate mailing lists;
and the most significant such property I have found so far is delivery
failures (viruses guess (often badly) at addresses from what they find
on the machine; and spam uses ancient "million email address" CDs and
dumb web scraping systems; and both are increasingly blocked by the
recipients...).
For more on this idea (and a description of a real live system) see:
http://www.cl.cam.ac.uk/~rnc1/extrusion.pdf
it's real and running ... the haul for November so far (from about 100K
users that access the outgoing mail machine) has been 12 customers
operating open servers (ie: relaying spam), 13 customers infected with a
virus/worm and 11 sending email to themselves in an unintended loop.
These figures compare pretty well with about 40 ongoing incidents per
day when the system first started ... and this wasn't because reports
weren't processed -- but because no-one realised that this activity was
going on :(
It turns out there's lots of spam being sent at quite low volumes (2-3K
per day) that doesn't show up in "top 50" analyses and the average
complaint rate from the recipients is now down below one complaint per
10K items... so you can see how "traditional" methods of control don't
work so well any more :(
- --
richard Richard Clayton
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin
