IP address reputation, BorderWare
James Fagan
jfagan at firstlightnetworks.com
Fri Mar 23 18:42:57 CET 2007
>
> Which is nearly always the case in a "flood". I don't recall ever
> seeing a spam flood that consisted of ten thousand different spam
> messages to the same name. Ten thousand different names on the same
> domain? All of the time. Even if address reuse in a flood *were*
> common, your response would only apply if all milters and other methods
> for doing SAV cached the lookups.
>
Rick,
My understanding is that milters like SMF-SAV do cache the lookups. So
if one of your users gets "joe-jobbed" and a spammer sends 10k messages
to our server, a server using SAV only checks the address once, and uses
that data to deal with the rest of the flood.
Chris
---------------------------------
SAV does cache and it can be configured. I have mine set to hold the
cache for one week. It does this for senders and recipients.
Has anyone actually lost service (DoS) due to this?
What are the real costs to other admins other than more log files, and
hating people like me?
Has anyone actually lost time or money because another server wanted to
verify if a sender actually existed?
Why is the ability to know if a user account is available on a system
built into many MTAs?
Is SAV worse than any of the probes and scripted attacks?
I can see in a way that other systems "should" not interact with a
system that may or may not be responsible for a communication, but at some
point there has to be accountability. I think the idea of SPF is good,
but in practice, not so good. Based on some of the strong views
presented here, I think I will extend the cache for SAV to two weeks and
I hope that can take some of the sting out. Besides we are small in
comparison.
James
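
The two flood shapes argued over in this thread, as an added illustration that is not part of the original messages and is not SMF-SAV's code: a TTL cache in front of a callout, counting how many probes the forged domain's mail server would receive. The `SavCache` class, the `simulate` helper, the `victim.example` addresses and the probe stub are all hypothetical.

```python
import time


class SavCache:
    """TTL cache in front of a sender-address-verification callout (hypothetical)."""

    def __init__(self, ttl_seconds, probe, clock=time.time):
        self.ttl = ttl_seconds
        self.probe = probe        # callable(address) -> bool; stands in for the SMTP callout
        self.clock = clock        # injectable so expiry can be exercised without waiting
        self.entries = {}         # address -> (result, expiry time)
        self.callouts = 0         # probes that actually reached the remote server

    def verify(self, address):
        # Simplification: the whole address is lower-cased before lookup.
        key = address.strip().lower()
        now = self.clock()
        hit = self.entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]         # answered from cache, no remote traffic
        self.callouts += 1
        result = self.probe(key)
        self.entries[key] = (result, now + self.ttl)
        return result


def simulate(senders, ttl_seconds=7 * 24 * 3600):
    """Return how many callouts the forged domain sees for a list of envelope senders."""
    valid = {"alice@victim.example"}          # constructed mailbox list
    cache = SavCache(ttl_seconds, probe=lambda a: a in valid, clock=lambda: 0)
    for sender in senders:
        cache.verify(sender)
    return cache.callouts


# Constructed floods: one forged sender repeated, versus a different name each time.
SAME_NAME_FLOOD = ["alice@victim.example"] * 10_000
MANY_NAMES_FLOOD = [f"user{i}@victim.example" for i in range(10_000)]

if __name__ == "__main__":
    print("same name repeated:", simulate(SAME_NAME_FLOOD), "callout(s)")
    print("different names:   ", simulate(MANY_NAMES_FLOOD), "callout(s)")
```

A longer cache lifetime only reduces repeat probes for addresses already seen; it does not change the count for a flood in which every sender name is new.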