IP address reputation, BorderWare

Kevin Miller Kevin_Miller at ci.juneau.ak.us
Fri Mar 23 19:01:36 CET 2007


Rick Chadderdon wrote:
> Kevin Miller wrote:
>> Rick Chadderdon wrote:
>> 
>>> Kevin Miller wrote:
>>> 
>>>> If I can spend a nickel to not have to spend a dime it's worth it
>>>> every time... 
>>>> 
>>>> 
>>> The problem comes when you start spending my nickels without asking.
>>> Which is exactly what sender address verification does.
>>> 
>>> Rick
>>> 
>> 
>> It depends on the spam flood.  SMF-SAV caches the lookups, so if the
>> from address is reused on the inbounds, it only has to do a single
>> lookup.  If they use a new from username, then yeah, your server
>> gets pinged multiple times. 
>> 
> 
> Which is nearly always the case in a "flood".  I don't recall ever
> seeing a spam flood that consisted of ten thousand different spam
> messages to the same name.  Ten thousand different names on the same
> domain?  All of the time.  Even if address reuse in a flood *were*
> common, your response would only apply if all milters and other
> methods for doing SAV cached the lookups.

The question isn't messages *to* the same name.  It's the from address
that matters here.  SMF-SAV does cache the addresses (both to and from).
I see plenty of from addresses rejected by a cache hit.


>> But the thing is, if spam is dropped before it is sent, it diminishes
>> "internet background noise".  You benefit from that, along with
>> everybody else.
> 
> No, I don't.  Nobody benefits from the spam you reject other than
> yourself.  And if you reject spam using my resources, you're
> *creating* background noise, at least on my server.  If you are
> suggesting that a cooperative use of this technique by everyone would
> reduce overall Internet bandwidth usage and perhaps lower the prices
> that providers charge for said bandwidth...  Well, that theory would
> take quite a bit of work to support.  A T1 today costs probably an
> eighth or less of what it did when I first had to price one and that
> is not because bandwidth usage has dropped.

I never said anything about what people charge for bandwidth.  The
market can decide that.  My point is, you and I share a pipe.  Or a
'tube' as my illustrious senator would say. <g>  I don't know where
you're located, but mail comes in from all over the world along with web
requests/responses, and all the other stuff that crosses the net.  I'd
hazard a guess that not too infrequently, packets destined for our
respective servers will cross the same core routers.  If I can stop the
transmission of a couple hundred megabytes of spam to me, it doesn't
cross that core router.  OK, I've added a few K of 'background noise'.
But I've stopped megabytes from being transmitted on the core routers by
doing so.  That benefits everyone.  It isn't a last mile benefit,
directly to you, but the net result is more bandwidth for everybody and
you get that shared benefit along with everybody else.


>> We all pay a little, and receive a greater synergistic common good...
>> 
> 
> Before I'd consider this a valid argument, I'd want to see some
> evidence that the bandwidth you and the spammer save from the use of
> SAV actually contributes *anything* to a 'common good'.  My

Bandwidth that isn't used by a spammer is bandwidth that is available
for your users to use.  No magic there.  Think freeway - would you
rather drive it under rush hour conditions or 3am conditions?

> impression is that it benefits only the user of the technique.  Even
> at that, I'm philosophically opposed to the non-consensual use of the
> resources of others.  I even feel slightly guilty about the use of
> greylisting because I'm asking other servers to make two delivery
> attempts the first time they send mail to a domain I control.  I only
> justify it by remembering that they're initiating the contact.  They
> can choose *not* to resend (and some do) and they can set their
> policies as to whether they want to talk to servers that use
> greylisting.  In the case of SAV, nearly all of the time you're
> harassing a server that never tried to talk to you.

Well, as someone else pointed out, that server will get hassled either
way.  Without SAV I'm accepting mail from invalid users.  If someone
uses phoney from addresses with your domain, and runs a dictionary
attack against me, I'm going to send an NDR back to your server for each
address that is invalid on my side.  That will take a lot more server
resources and bandwidth on your side than a simple SAV query would have.
With SAV, I never accept the message from the original sender, saving
that bandwidth on both the last mile as well as the core routers, and I
never send you an unnecessary NDR saving you server usage, last mile
bandwidth, and core router usage.

Personally, I'd rather someone query my server, than send my users NDRs
from Joe jobbed spam.  It's a lot less resource intensive as nearly as I
can see.

...Kevin
-- 
Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907) 586-4500
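
The caching question argued in this thread, as an added example that is not part of the original post and is not SMF-SAV's code: a generic TTL cache in front of a verification callout, run over two constructed floods to count how many probes reach the forged domain's server. The names `CachingVerifier` and `simulate`, the one-hour TTL, the one-message-per-second spacing and the `example.org` addresses are all assumptions.

```python
from collections import Counter

class CachingVerifier:
    """Sender address verification behind a TTL cache (hypothetical design)."""

    def __init__(self, callout, ttl=3600):
        self.callout = callout      # function(address) -> bool; stands in for the remote probe
        self.ttl = ttl              # seconds a verdict stays cached (assumed value)
        self.cache = {}             # address -> (verdict, expiry time)
        self.probes = Counter()     # remote probes sent, keyed by sender domain

    def verify(self, sender, now):
        key = sender.lower()
        hit = self.cache.get(key)
        if hit and hit[1] > now:
            return hit[0]           # cache hit: no traffic to the sender's server
        domain = key.rpartition("@")[2]
        self.probes[domain] += 1    # miss or expired entry: one callout to that domain
        verdict = self.callout(key)
        self.cache[key] = (verdict, now + self.ttl)
        return verdict


def simulate(senders, valid_addresses, ttl=3600, spacing=1):
    """Feed a flood through the verifier; return (accepted count, probes per domain)."""
    v = CachingVerifier(lambda a: a in valid_addresses, ttl)
    accepted = sum(v.verify(s, now=i * spacing) for i, s in enumerate(senders))
    return accepted, dict(v.probes)


# Constructed sample data: example.org stands in for the third-party domain
# whose addresses appear as the envelope sender.
VALID = {"postmaster@example.org"}
reused = ["bogus@example.org"] * 10_000                       # same from address every time
rotating = [f"user{i}@example.org" for i in range(10_000)]    # new from username per message

if __name__ == "__main__":
    print("reused from address:  ", simulate(reused, VALID))
    print("rotating from address:", simulate(rotating, VALID))
```

With a reused from address the only probes are the first lookup and one refresh each time the cached verdict expires; with a new from username per message every message is a cache miss.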

