Re: [exim] UCEPROTECT Blacklists and why callouts are abusiv…

Author: Andrew - Supernews
Date:
To: exim users
Subject: Re: [exim] UCEPROTECT Blacklists and why callouts are abusive
>>>>> "David" == David Saez Padros <david@???> writes:

>> Spam is bad because it is the use of other people's resources
>> without permission.
>>
>> Trying to block spam by using other people's resources without
>> permission is just as bad as sending spam.


David> Does anyone have real statistics about that supposed resource
David> abuse?

What sort of statistics do you want?

In the best case (when there isn't a specific spammer actively forging
just our domain) we see about 100 times as many abusive callouts (ones
not in response to mail we sent) as legitimate/excusable callouts
(ones caused by mail that actually came from us), and about 10% of our
incoming SMTP connections are from blowback sources (callouts, C/R and
bounce blowback - we can't reliably distinguish them). In the worst
case, we've seen that 10% figure increase to 99.99% (i.e. around
10,000 times as many blowback connections as real mail connections).

Averaged over the past couple of years, counting all connections that
got as far as RCPT TO, _at least_ 90-95% of connections were caused by
blowback (i.e. 10 to 20 blowback connections for every real one).

(It's not the average that hurts; it's the peak load.)

David> I have never seen in years any of my servers being abused by
David> callouts

Well, lucky you. Those of us who _have_ seen it obviously have
different opinions.

David> and we had some email addresses that were spread among millions
David> of users around the world, and when lots of them get infected
David> we get many more bounces than callouts.

Callouts, C/R and accept-and-bounce are all variations on a single
theme (blowback); to the third-party recipient they are mostly
identical (especially when techniques like BATV are used, resulting in
all of them being rejected at RCPT time). The recipient can't tell
them apart without actually letting in a message body (or by applying
external knowledge about the known behaviour of specific servers, such
as "if it's from sv*.verizon.net then it must have been a callout").

Nobody thinks that accept-and-bounce is acceptable any more. So why
the support for callouts and C/R? Obviously, because the people using
them see a benefit to themselves, and are happy to ignore or deny the
costs they are imposing on others -- they are parasites just as the
spammers are.

David> In the case of a server being very busy, callouts can be more of a
David> problem for the server doing them, and as they are a
David> resource/time-expensive thing to do, I suppose that almost
David> everyone doing callouts is doing them at the last stage of the
David> verification process.

Optimist.

David> In our case only 0.17% of the rejections are due to sender
David> verification failures and 99.51% of the rejections are due to
David> tests done before doing callouts. We do not have statistics on
David> accepted mail, but as long as we have a whitelist with all the
David> email addresses that usually send mail to our users, for which
David> we do not do callouts, and also taking into account exim's callout
David> cache, I really doubt that callouts could be a resource problem
David> for other people.

Having a whitelist for known _legitimate_ senders does not reduce in
any way the number of _abusive_ callouts you do, by definition.

The callout cache doesn't help significantly since spammers rarely
stick with a single sender address.

--
Andrew, Supernews
http://www.supernews.com
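The post above notes that once a site uses BATV, callouts, challenge/response probes and accept-and-bounce all look the same to the third party and all get rejected at RCPT time. The following is an added example (not from Andrew's post, not Exim's code, and not the exact BATV draft encoding) of a simplified prvs-style scheme: outgoing return paths get a keyed, dated tag in the local part, and any null-sender delivery (the form a callout, C/R or bounce takes) to an untagged, expired or forged local part is refused at RCPT TO before a message body is ever accepted. The secret key, the 7-day lifetime and the addresses are constructed for the example.

```python
"""Simplified BATV-style return-path tagging and a RCPT TO check for null-sender traffic.

Added example: a prvs=-style tag (key number, expiry day, truncated HMAC) is put
on the MAIL FROM of outgoing mail, and at RCPT TO any message with an empty
envelope sender (bounce, callout, C/R probe) is only accepted if the recipient
local part carries a tag we issued and it has not expired.  This is an
illustration of the idea, not the exact encoding in the BATV draft.
"""
import hashlib
import hmac
import re

KEY_NUM = 0
# Constructed secret for the example; real deployments rotate it and bump KEY_NUM.
SECRET = b"example-secret-rotate-me"
LIFETIME_DAYS = 7
# prvs=<key digit><3-digit day><6 hex sig>=<original local part>
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$")


def _sig(key_num, day, local, domain):
    """Truncated HMAC over key number, expiry day and the untagged address."""
    msg = f"{key_num}{day:03d}{local}@{domain}".encode()
    return hmac.new(SECRET, msg, hashlib.sha1).hexdigest()[:6]


def tag_sender(address, today, key_num=KEY_NUM, lifetime_days=LIFETIME_DAYS):
    """Return the tagged return path for outgoing mail.

    today is a day counter (e.g. days since the epoch); only its value mod 1000
    is encoded, which is why the check below uses modular arithmetic."""
    local, domain = address.rsplit("@", 1)
    day = (today + lifetime_days) % 1000
    return f"prvs={key_num}{day:03d}{_sig(key_num, day, local, domain)}={local}@{domain}"


def check_rcpt(mail_from, rcpt_to, today, local_domains, lifetime_days=LIFETIME_DAYS):
    """Policy for RCPT TO.  Returns (accept, reason).

    Only null-sender messages are checked: a callout, a C/R probe and a real
    bounce all arrive as MAIL FROM:<>, so the recipient cannot tell them apart
    and treats them identically."""
    if mail_from != "":
        return True, "not a null-sender message; normal policy applies"
    local, domain = rcpt_to.rsplit("@", 1)
    if domain.lower() not in local_domains:
        return False, "relay not permitted"
    m = PRVS_RE.match(local)
    if not m:
        return False, "bounce to untagged address: we never sent mail with this return path"
    key_num, day, sig, core_local = int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)
    if not hmac.compare_digest(sig, _sig(key_num, day, core_local, domain)):
        return False, "prvs signature invalid (forged or re-keyed)"
    # Expiry day and today both live mod 1000; the tag is live while the
    # distance forward to the expiry day is within the lifetime.
    if (day - today % 1000) % 1000 > lifetime_days:
        return False, "prvs tag expired"
    return True, f"bounce for {core_local}@{domain} accepted"


if __name__ == "__main__":
    today = 19000  # constructed day counter
    tagged = tag_sender("alice@example.com", today)
    print("outgoing MAIL FROM:", tagged)
    # A genuine bounce for mail we sent: tagged recipient, still within lifetime.
    print(check_rcpt("", tagged, today + 2, {"example.com"}))
    # A callout or C/R probe for a forged sender: plain local part, rejected at RCPT.
    print(check_rcpt("", "alice@example.com", today, {"example.com"}))
```

In Exim terms the same decision would sit in the RCPT ACL, keyed on `$sender_address` being empty; the point the example makes is that the rejection happens at RCPT TO without any way of knowing whether the other end was a bounce, a callout or a C/R system, which is exactly why the post treats the three as one phenomenon.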