In message <Pine.LNX.4.60.0505111719270.11785@???>,
Tony Finch <dot@???> writes
>On Wed, 11 May 2005, Chris Edwards wrote:
>
>> For detecting local users sending out spam, the OP might like to check out
>> Richard Clayton's paper:
>> http://www.cl.cam.ac.uk/~rnc1/extrusion.pdf
>> which suggests watching failure rates makes a better metric than simple
>> submission rate.
>
>This is true if you have a very heterogeneous user population, as is the
>case with Demon (where Richard works). I'm expecting this will be less of
>a problem for us, since our user-base is more uniform and we have
>separated message submission for MUAs from outgoing relays for MTAs. We
>will still need to classify senders according to their typical sending
>rate, but this should be fairly manageable.
Hmmm... I think the difference is more the consequences of error.
If someone decides to publicise a conference on the Thursday before
Easter and trips the rate limiter (they usually send 5 emails a day and
are now sending 500) then within a University the academic will moan at
the centrally-based email team and they'll shrug their shoulders;
whereas the same event at an ISP would cause the customer to cancel
their subscription on the Tuesday morning and for the next five years
tell anyone who listened what idiots the ISP were... this is expensive!
Yes there's probably more variation day-to-day at an ISP (and it is not
practical to quiz users about how many machines sit behind their MTA --
though in fact analysing that is part of the heuristics now); but I'm
doubtful that even a University is so uniform that sheer volume is a
sure fire indicator of wickedness
=-=-=-=
Since I'm writing : I can perhaps say something useful about failure
rates, and that is that they're a bit subjective; in that you don't want
to count failures to connect (or those people who think that greylisting
is a cool thing to do), but equally you don't want to wait 10 days
before the system finally gives up.
At Demon there's a transfer onto a fallback system (so as to keep the
main machine queue sizes under control) and that gives a suitable
breakpoint for declaring a "failure" without a great deal of book-
keeping in the log processing programs
- --
richard Richard Clayton
They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. Benjamin Franklin
