Jethro,
> Forgive me, this is my cantankerous day for the week.
Never mind. I have these kind of days as well.
> Ah right. You're not talking about particular known users with a
problem, you are talking about the general case, or the theoretical
problem then?
Imagine we were Yahoo. We're not, but we're let's say something similar.
Don't want to expose more details here. So this means:
- it is part of our business model that we allow people to create an
account without having their data beeing checked by CIA, FBI or any of
such organisations
- we also provide e-mail services to 3rd parties whos networks we don't
control.
Of course we give all that recommendations you mentioned (not saving
passwords, keeping anti-virus software up-to-date, you name it) but we can
do hardly anything more than recomment this. We cannot enforce this.
That's the problem.
> As the esteemed Alan Flavell will point out, dealing with spammer
tactics is an arms race.
Sure.
> Whatever arbitrary limit gets recommended as a
> threshold, the spammers will probably adjust to it in time. Given the
numbers of computers a trojan or worm working under a particular
spamgang's direction can compromise, it actually doesn't need very many
emails over a given amount of time from any particular machine to send a
lot of mail as a whole.
You're right. But here I am concerned mostly with the amount of spam that
gets send over accounts that I am responsible for. If a worm infects
100.000 PCs, two dozends of them being logged into our system, if we limit
the amount of emails that can be sent our share of the problem is very
limited.
> The slower they do it, and to fewer recipients,
> for each machine, the less likely it is you'll spot them. Meanwhile,
adjusting thresholds to try to catch them means inconveniencing more
people as you approach the sorts of numbers and frequencies that typical
email users use.
I'd love to save people the burden to lock their doors when they leave
because it brings all that hassle with looking keys, etc. Unforunately we
haven't managed to create a world where this is possible.
The issue ist just that today it's too easy. You create an account which
takes 2-3 minutes and you have a free ride on our server. This is what we
need to at least significantly limit.
I believe that spammers like to keep it simple as well. A service like
ours is sort of a honeypot to them at this point in time. If we make it
harder for them they will most likely search for other services. At least
this is the hope.
On the other hand if we allow them some dozends of emails before their
account gets closed this will be a bad effort / spam ratio for them. Those
people think along the lines of 100.000 emails in a single campaign.
Regards,
Torsten
> On Wed, 11 May 2005 torsten@??? wrote:
>
>> This is brilliant idea. Do you mind if I pipe our Exim mainlog file to
your terminal so you can spot these users right in time and alert me to
suspend their accounts?
>
> Ah right. You're not talking about particular known users with a
problem, you are talking about the general case, or the theoretical
problem then?
>
>> It basically monitors the log file every five minutes and counts how many
>> emails a user has sent. If this goes over a certain threshold (say 20
emails in a five minute interval) that user will end up a on throttling
list meaning any further emails will be delayed.
> ...
>
> Try searching the archives for "rate limiting" or similar phrases, as
this has been discussed before. (I should do the same, since I have
been pondering a similar question recently).
>
> I'm guessing that spamguard processes the logs of these other MTAs and
keeps a track of sending IPs over time and other data. It shouldn't be
too hard to write it to parse exim mainlog as well. Alternatively,
maybe you could pre-process an exim log file to make it look
substantially (enough) like the format of one of the other programs'
logs.
>
>> If he hits the next threshold the user will get temporarily suspended
and the admin alerted via email to take care. Which usually means: Talk
to the user, find out if this is due a virus infection or if the user
really is a bad guy.
>
> Would the user admit to being a bad guy? Also, educate your users not
to save their password in their mail client, type it in when it starts
up. That will probably alleviate some of the problem.
>
>> The rationale is: A spammer will have a hard time sending more than a
couple of dozends of mails before we will automatically be stopped, and
this without any human intervention.
>>
>> On the other hand, hardly any "normal" user will have to send more then 20
>> mails every five minutes, will he? For mailing lists and special users
there is a whitelist of priviledged accounts which do not fall under
this
>> limits.
>
> What happens when one of those privileged accounts is the one being
compromised/become a bad guy? I can well imagine that more people than
you might imagine like to send a message to a whole bunch of folks.
>
> As the esteemed Alan Flavell will point out, dealing with spammer
tactics is an arms race. Whatever arbitrary limit gets recommended as a
threshold, the spammers will probably adjust to it in time. Given the
numbers of computers a trojan or worm working under a particular
spamgang's direction can compromise, it actually doesn't need very many
emails over a given amount of time from any particular machine to send a
lot of mail as a whole. The slower they do it, and to fewer recipients,
for each machine, the less likely it is you'll spot them. Meanwhile,
adjusting thresholds to try to catch them means inconveniencing more
people as you approach the sorts of numbers and frequencies that typical
email users use.
>
> Not that that means you shouldn't try, though.
>
> You are, of course, virus-checking mail these machines are sending to at
least limit further propagation of nasties by that method?
>
> Forgive me, this is my cantankerous day for the week.
>
> Jethro.
>
> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
> Jethro R Binks
> Computing Officer, IT Services
> University Of Strathclyde, Glasgow, UK
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users ##
Exim details at
http://www.exim.org/
> ## Please use the Wiki with this list - http://www.exim.org/eximwiki/
>
