[linux-elitists] Spam filters

Matthew Palmer mpalmer at hezmatt.org
Thu Mar 26 22:10:14 PDT 2009


On Thu, Mar 26, 2009 at 05:58:53PM -0700, Don Marti wrote:
> begin Matthew Palmer quotation of Fri, Mar 27, 2009 at 11:19:31AM +1100:
> 
> > The closest to a functioning reputation system we've got appears to be based
> > around IP addresses, which are the best identifier available in the SMTP
> > transaction.  It's still a spectacularly bad one, though, as it doesn't
> > actually identify the originating actor, both through the "owner" of an IP
> > address changing over time, and multiple users sharing an IP address.
> 
> We can use SPF to identify a given IP address as an
> SMTP sender approved by the owner of example.com. Then
> we can use all the reputation around the domain name
> as part of a scoring system.

In the part of my message you chopped, I mentioned that any identity that
can be recreated at-will isn't helpful, since you either start all
identities without any known reputation at "presumed Evil Spammer", in which
case bootstrapping is a killer problem, or else unknown identities get
*some* level of access to your inbox, in which case spammers will just
constantly generate new identities and throw the old ones away.

Yes, you can rate limit from "unknowns", but as the spammers using gmail et
al have shown, with a couple of million throwaway accounts (or domains, in
your reputation model) you can do a lot of damage with one message per
minute.  Hell, with the domain tasting rules currently in effect, a spammer
can even get their throwaway spam domains for free, making it an even
*worse* method of establishing identity.

IP addresses are better identity keys than domains because there's some
degree of scarcity.  A spammer's going to have trouble getting their own /16
(let alone anything bigger) to use, and whois records tie all of the IP
addresses used by a bad actor together if they *do* manage to get a large
enough block to make it worth their while.

I will freely acknowledge that botnets do make the supply of available
addresses astoundingly large (which devalues the IP address as an identity
key still further), but at the end of the day, whether you're getting
spammed because an IP address is allocated to a spammer or someone who can't
secure their Windows box (or OpenWRT router, these days) isn't as important
as "it's a spam source, filter it".

Now, if you want to use domain (or IP address) reputation as a (small)
component in your overall spam management strategy, that's a slightly
different proposition, however (a) the original claim wasn't that nuanced,
it was a simple "reputation systems are the FUSSP", and (b) I'd *still*
assert that IP addresses are better than domain names, for all the reasons
above.

If someone can truly solve the e-mail identity problem at an Internet scale,
then I, for one, will be one of the first in line to apply a
reputation-based anti-spam implementation to my mail servers.  I'm not
holding my breath, though (unfortunately).

- Matt
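An added illustration of the argument above (this is not code from the thread or from any project the posters mention): a toy reputation store that keys on either the sending domain or the connecting IP, gives unknown identities a small trial quota, and refuses identities that recipients have reported. The traffic, the `.example` domains and the documentation-range IP addresses are all constructed; the only point is to show what happens to per-identity quotas and feedback when the identity can be minted for free, versus when it is scarce.

```python
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# A message is reduced to the two identity keys available in the SMTP
# transaction: the connecting IP address and the SPF-authorised sending domain.
Message = Tuple[str, str]


def by_ip(msg: Message) -> str:
    return msg[0]


def by_domain(msg: Message) -> str:
    return msg[1]


class Reputation:
    """Toy reputation store keyed on whatever key_func extracts from a message.

    Unknown identities get `unknown_quota` deliveries before being deferred;
    identities whose score has gone negative are refused outright.
    """

    def __init__(self, key_func: Callable[[Message], str], unknown_quota: int = 1):
        self.key_func = key_func
        self.unknown_quota = unknown_quota
        self.score: Dict[str, int] = {}                 # known identities only
        self.delivered: Dict[str, int] = defaultdict(int)

    def admit(self, msg: Message) -> bool:
        key = self.key_func(msg)
        if key in self.score:
            if self.score[key] < 0:
                return False                            # known bad actor
        elif self.delivered[key] >= self.unknown_quota:
            return False                                # unknown, over trial quota
        self.delivered[key] += 1
        return True

    def report_spam(self, msg: Message) -> None:
        key = self.key_func(msg)
        self.score[key] = self.score.get(key, 0) - 1


def run(messages: List[Message], key_func: Callable[[Message], str],
        unknown_quota: int = 1, recipients_report: bool = True) -> int:
    """Return how many of the messages reach the inbox under the given keying."""
    rep = Reputation(key_func, unknown_quota)
    delivered = 0
    for msg in messages:
        if rep.admit(msg):
            delivered += 1
            if recipients_report:
                rep.report_spam(msg)    # every delivered message draws a complaint
    return delivered


# Constructed traffic (assumption for this example): addresses come from the
# documentation ranges and domains use the reserved .example TLD.
def throwaway_domains(n: int) -> List[Message]:
    """One spammer, one box, a fresh (tasted) domain for every message."""
    return [("192.0.2.10", f"d{i:05d}.example") for i in range(n)]


def botnet(n: int) -> List[Message]:
    """One spammer, one domain, a different compromised host for every message."""
    return [(f"203.0.113.{i % 250 + 1}", "spam.example") for i in range(n)]


if __name__ == "__main__":
    for name, traffic in (("throwaway domains", throwaway_domains(1000)),
                          ("botnet", botnet(200))):
        print(f"{name:18s} keyed by domain: {run(traffic, by_domain):5d}"
              f"   keyed by IP: {run(traffic, by_ip):5d}")
```

With the domain as the key, a thousand throwaway domains each arrive as a brand-new, unscored identity, so the trial quota and the complaint feedback never accumulate against the sender and all thousand messages land; keyed by IP they collapse onto one identity and only the first gets through. The botnet run shows the reverse, which is the caveat conceded in the message: when the scarce resource is spread across many compromised hosts, per-IP keying hands each host its own quota.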
