IP address reputation, BorderWare

Rick Chadderdon mailscanner at yeticomputers.com
Fri Mar 23 19:01:32 CET 2007


Chris Yuzik wrote:
> Rick Chadderdon wrote:
>>
>> Which is nearly always the case in a "flood".  I don't recall ever
>> seeing a spam flood that consisted of ten thousand different spam
>> messages to the same name.  Ten thousand different names on the same
>> domain?  All of the time.  Even if address reuse in a flood *were*
>> common, your response would only apply if all milters and other methods
>> for doing SAV cached the lookups.
>>   
> Rick,
>
> My understanding is that milters like SMF-SAV do cache the lookups. So
> if one of your users gets "joe-jobbed" and a spammer sends 10k
> messages to our server, a server using SAV only checks the address
> once, and uses that data to deal with the rest of the flood.

My experience with dictionary attacks has been that the forged sender
address changes with the recipient address, so a cache would do almost
nothing to mitigate the problem I refer to.  Perhaps someone with some
solid statistics of cache hits for this milter could offer a rebuttal? 
I'd like to know how this works in practice, since I only see the bad
effects at my end.  The last flood of this type that I experienced as a
joe-job of one of my domains used the same dictionary name before the @
for both sender and receiver, and many of the bogus NDRs I've received
bear this out too.  Someone sending to jim at target.com will forge the
sender address as jim at joe-job.com, the next one goes out to
joe at target.com with a forged sender of joe at joe-job.com, etc...  Caching
doesn't help here.

Rick
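An added illustration of the two flood shapes discussed above (not code from either poster or from any milter): it models a SAV milter that caches one callout per distinct sender address, and compares a flood that reuses one forged sender with Rick's case, where the forged sender local-part mirrors the recipient's. The domains and dictionary names are constructed.

```python
# Added example: how much a per-sender SAV lookup cache helps against
# two constructed flood shapes. Not the code of any real milter.

def sav_cache_stats(envelopes):
    """Simulate a caching SAV milter over (sender, recipient) pairs.

    Each distinct sender address costs one verification callout; later
    messages with the same sender are served from the cache.
    Returns (callouts, cache_hits).
    """
    seen = set()
    callouts = hits = 0
    for sender, _recipient in envelopes:
        if sender in seen:
            hits += 1
        else:
            seen.add(sender)
            callouts += 1
    return callouts, hits


def cache_hit_ratio(envelopes):
    """Fraction of messages answered from the cache (0.0 for an empty flood)."""
    callouts, hits = sav_cache_stats(envelopes)
    total = callouts + hits
    return hits / total if total else 0.0


def joe_job_flood(names, forged_domain="joe-job.example",
                  target_domain="target.example"):
    """Constructed dictionary flood where the forged sender uses the same
    local-part as the recipient (jim@joe-job -> jim@target, joe -> joe, ...)."""
    return [(f"{n}@{forged_domain}", f"{n}@{target_domain}") for n in names]


def reused_sender_flood(names, sender="jim@joe-job.example",
                        target_domain="target.example"):
    """Constructed flood where a single forged sender is reused for every
    recipient; the case where a lookup cache does absorb the load."""
    return [(sender, f"{n}@{target_domain}") for n in names]


# Constructed dictionary of 10,000 local-parts (a stand-in for a real list).
NAMES = [f"user{i}" for i in range(10000)]

if __name__ == "__main__":
    print("mirrored sender :", sav_cache_stats(joe_job_flood(NAMES)))
    print("reused sender   :", sav_cache_stats(reused_sender_flood(NAMES)))
```

With the mirrored-sender flood every message is a cache miss, so the cache saves nothing; with one reused sender it saves all but the first callout.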
