>>>>> "Bill" == Bill Hacker <wbh@???> writes:
>> It is a _NORMAL_ case for the HELO domain to be different to the
>> domain
Bill> "Not uncommon", yes, Dunno if 'Normal' fits so well w/r MTA's.
Less than 50% of the non-spam mail that comes to our support mailbox
from our customers has a HELO matching the sender envelope domain.
>> If you've never used this method of detecting spam (and it takes
>> a fairly large mail flow into several domains to really do it right)
Bill> The technique you outline should be applicable even on very light
Bill> traffic, from a single active zombie up. One bad-actor at a time.
Bill> While it is not required to e aware that said source is also being
Bill> rude to the neighbors, I suspect they would already be in RBL's.
And how do you think said RBLs could detect them in the first place?
Think about _that_ for a while.
[...]
Bill> Most of the truants abandoned the connection in the first 30-45
Bill> seconds of their *first* jail term, 'didn't last a minute' IOW.
Bill> Well-behaved MTA are more patient than the average spam engine.
I've been using this technique for years; the false positive rate is
worse than you think, if you have mail incoming from many remote
sources and you delay them all. Even with delays applied to only the
most suspicious cases (hosts blacklisted or on DULs, or with generic
rDNS or HELO name), we've had to whitelist some sites.
>> you would not believe how amazingly effective it can be.
Bill> Compare it with the rejectlog from any/all other tools,
Bill> and it should be clear that it is potentially VERY effective.
Bill> However - compare it with the mainlog on the same criteria and
Bill> note that it might be more problematic w/r false-positives than
Bill> other approaches - most of which are simpler / lower
Bill> maintenance.
Well, unfortunately I'm not able to spell out in detail the extent to
which the technique is in use.
Applied to a large mail flow, though, the _measured_ false-positive
rate in terms of IPs is less than 0.2%, and the false-positive rate
in terms of messages is less than 0.1%.
Bill> BTW - 'supernews.net' ?
Bill> Interesting concept, that of charging a subscription fee for
Bill> usenet access.
It surprises you? We've been doing it for ten years; there are parts
of the world in which none of the ISPs have ever heard of Usenet, and
even in the USA there are few ISPs that have an inhouse Usenet service
of usable quality. Even the ISP you use does not:
% host news.adelphia.net.
news.adelphia.net has address 216.196.97.142
% host 216.196.97.142
142.97.196.216.in-addr.arpa domain name pointer news.isp.giganews.com.
Bill> Perhaps someone there would be interested in packaging our Hong
Bill> Kong air and selling it? Thick enough to pass for curry
Bill> powder.... ;-)
I suspect it would not support a multimillion-dollar business (not even
in HK dollars).
--
Andrew, Supernews
http://www.supernews.com
