At 06:35 AM 10/20/2006, Eugen Leitl wrote:
On Fri, Oct 20, 2006 at 08:24:47AM -0500, J.A. Terranson wrote:
Prior to this "overreaction", I was receiving approximately 25K spam Wow, wonder how you managed to attract that. It's easy to attract a lot of spam - luck of the draw, or having your name widely spread in archives, or having ever provided free email services.
I'm thinking about starting blocking .gif/.jpeg/.png by MTA, [...] Also overkill, but highly effective.
If I ever got fancy I could use greylisting and firewall throttling Greylisting turns out to be a big big win - most zombieware doesn't ever retry, so you lose that spam.
Another popular spammer trick lately has been to hijack unused address space, usually unused small blocks in larger allocations, spamming madly for a few minutes, then dropping the BGP advertisement so nobody can traceroute back, and never reusing addresses so you don't care if it's blacklisted. Greylisting totally protects you from this technique, because a typical half-hour delay means that the spammer's gone, but Alif's techniques are likely to lead to the legitimate space getting blacklisted, while the spammer is living behind some entirely different ISP that openly accepts bogus BGP requests. Another defense against this spammer trick, if you've got a big enough network connection to accept full BGP routes (i.e. you're a medium-large service provider, but not a home system) is to not accept any email from a BGP address block that has existed for fewer than 24 hours or some similar threshold that's long enough to make address thieves go away or get traced, but short enough to not bother legitimate email much ("453 The Wizard Says Go Away and Come Back Tomorrow")
I have literally dozens of /8s on block: All of APNIC, AFRINIC, South America, Israel, Russia and neighboring real estate... You get the idea.
The ISP where I get most of my email lets users pick countries or regions to reject mail from, using lists that are more precise than "burn the /8". I decided a few years ago to reject all mail from China, Korea, Brazil, and Argentina, and that cut out more than half my spam load, and I didn't know anybody from those countries; I'll accept mail from Japan and Israel but it gets extra filtering, since I do know some people there but it's mostly spam (unfortunately, they don't have an option to filter by character set; anything in alphabets I don't read is highly likely to be spam, though at work I do get email in mixed English and Japanese or Chinese...)
... I would call it the "nuclear glass approach" to spam. If this works for you, great, but I don't know too many people who'd subscribe to your approach (to which RBL hardcore nazis look like teletubbies).
A _real_ nuclear glass approach would be to start advertising BGP routes for the addresses that spam you, which would drop them off the net for anybody who's within a few hops of you, and wouldn't even give you much extra network traffic, because it would kill the TCP handshake responses from any new email sessions. I work at a Tier 1 ISP, which would mean that it would be blocked from most of the US, and somebody with a LINX account could do the same for half of Europe, but fortunately they don't give me the keys on days that the spammers have been makin' the ganglia twitch... and you could accomplish the same thing non-destructively with a block-list if enough people trusted your service. In reality a legitimate ISP would never do this or permit their users to do it, because it could not only cause chaos for the entire Internet, but it would trivially blow through the route-cached capacity of most of the routers on the Internet. There was an event a decade or so ago when some small ISP announced that their T1 line was the best route to reach everything at Sprint or MAE-West or something, so about 1/3 of the traffic on the Internet was trying to get through there before the line smoked, and most ISPs put in a lot of route protection then. The address-space hijackers shouldn't be able to do it either, but there are enough ISPs that are sloppy about managing route advertisements that they get away with it.