IP address reputation, BorderWare

Rick Chadderdon mailscanner at yeticomputers.com
Fri Mar 23 21:16:37 CET 2007

Kevin Miller wrote:
> The question isn't messages *to* the same name.  It's the from address
> that matters here.  SMF-SAV does cache the addresses (both to and from).
> I see plenty of from addresses rejected by a cache hit.

Yes, I realize that I wasn't suitably clear there...  I guess I was
working from the assumption that everyone else had seen the same
behavior I had.  Each new delivery attempt comes with a new forged
sender.  I tried to clarify in my last post.  If you have any statistics
showing the ratio of cache hits to new addresses, at least in your case,
I'd be interested in seeing them.

> I never said anything about what people charge for bandwidth.  

I know.  I didn't think you were going to go metaphysical on me... :)

> OK, I've added a few K of 'background noise'.
> But I've stopped megabytes from being transmitted on the core routers by
> doing so.  That benefits everyone. 

How so?  I get exactly the bandwidth I pay for, no matter who else is
using how much.

> It isn't a last mile benefit,
> directly to you, but the net result is more bandwidth for everybody and
> you get that shared benefit along with everybody else.

This is an imaginary benefit, Kevin, until the pipe is so full that
nobody is able to get what they're paying for.  I don't see that
happening anytime soon because the pipe just keeps getting bigger -
there's plenty of room in it.  I can think of a couple of possible edge
cases where there might be some peripheral benefit to others from
minimizing your own spam bandwidth, but nothing very compelling.

> Bandwidth that isn't used by a spammer is bandwidth that is available
> for your users to use.  No magic there.  Think freeway - would you
> rather drive it under rush hour conditions or 3am conditions?

This is, as always, a poor analogy.  And in this argument, it presumes
that those "rush hour" conditions affect me adversely.  My users get use
of as much bandwidth as I pay for, regardless of who is spamming whom,
or in what volume. 

>> Well, as someone else pointed out, that server will get hassled either
>> way.  Without SAV I'm accepting mail from invalid users.  If someone
>> uses phoney from addresses with your domain, and runs a dictionary
>> attack against me, I'm going to send an NDR back to your server for each
>> address that is invalid on my side.  That will take a lot more server
>> resources and bandwidth on your side than a simple SAV query would have.

Not really.  I reject mail to invalid recipients, so it's pretty much a
wash.  I get the same transaction, either way.  I can control normal
backscatter well enough.

I don't care much for the practice of sending NDRs *after* accepting a
message.  Check your valid users *before* you have to bounce an incoming
message.  Failure to do so is just another way of letting spammers cause
you to use the resources of others.  You sure don't want to be sending
actual NDRs to people who never mailed you.  Let this be handled during
the SMTP transaction, where it belongs.

My point is that I can handle the stuff that happens as a normal part of
running a mail server.  It's deliberate and unwanted use of my resources
that bothers me.  Misconfigured servers bother me.  Bad autoresponders
bother me.  I don't mind so much when it's because someone hasn't
learned better yet, but when it's a considered decision on their part
that my resources are ok to use, whether I like it or not...  That's
when I get grumpy.

>> Personally, I'd rather someone query my server, than send my users NDRs
>> from Joe jobbed spam.  It's a lot less resource intensive as nearly as I
>> can see..

It seems as though the IT industry is filled with two extremes:  pure
pragmatists and pure idealists.  I'm a weird mix of the two, but when
something goes against one of my 'ideals', I have a hard time looking at
it pragmatically.  As a pragmatist, I'd probably agree that a query is
better than an NDR.  As an idealist, I believe that the majority of NDRs
being sent out are being done by servers configured by people who didn't
know any better, so it's more tolerable than someone who is deliberately
and knowingly hammering on my system to save his own bandwidth.

I know I'm not going to change your behavior, but I hope I've managed to
explain why SAV bothers me.
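An added illustration of the point made above about rejecting unknown recipients during the SMTP transaction instead of accepting the message and sending an NDR afterwards. This is example code written for this page, not code from the thread, from MailScanner or from SMF-SAV; the client command script, the valid-mailbox list and the local domain are all constructed for the example. A toy server runs the same scripted dictionary-style probe (forged envelope sender at a third-party domain) twice: once answering 550 at RCPT TO, once accepting every recipient and generating the bounces later, so the backscatter the two approaches produce can be compared directly.

```python
"""Recipient verification at RCPT TO time versus accept-then-bounce.

Added example, not code from the original thread or from MailScanner/SMF-SAV.
The session transcript, the valid-user list and the local domain are
constructed for illustration.
"""
import re

# Constructed list of deliverable local mailboxes (assumption: one local domain).
VALID_RECIPIENTS = {"alice@example.com", "bob@example.com"}

# Constructed client side of an SMTP session: a dictionary-attack style probe
# using a forged envelope sender at a third-party domain.
CLIENT_COMMANDS = [
    "EHLO relay.spammer.invalid",
    "MAIL FROM:<victim@other.example>",
    "RCPT TO:<alice@example.com>",
    "RCPT TO:<zzz@example.com>",
    "RCPT TO:<aaron@example.com>",
    "DATA",
    "Subject: hi\r\n\r\nbody\r\n.",
    "QUIT",
]

ADDR_RE = re.compile(r"<([^>]*)>")


def _addr(cmd):
    """Pull the address out of a MAIL FROM / RCPT TO command."""
    m = ADDR_RE.search(cmd)
    return m.group(1).lower() if m else ""


def smtp_session(commands, valid, reject_at_rcpt=True):
    """Run a toy SMTP server over a scripted client.

    Returns (replies, ndrs, body_bytes_accepted).  With reject_at_rcpt=True
    the server answers 550 to unknown recipients inside the transaction, so
    no bounce is ever generated.  With reject_at_rcpt=False it answers 250 to
    every recipient and only discovers the undeliverable ones after DATA,
    producing one NDR per bad address aimed at the (forged) envelope sender.
    """
    replies = []
    sender = None
    accepted = []      # recipients the server answered 250 to
    ndrs = []          # (envelope sender, recipient) bounces that would be sent
    body_bytes = 0
    in_data = False
    for cmd in commands:
        if in_data:
            # Message body: counted because it was accepted onto our queue.
            body_bytes += len(cmd.encode())
            in_data = False
            replies.append("250 2.0.0 queued")
            # accept-then-bounce: undeliverable recipients are found only now
            for rcpt in accepted:
                if rcpt not in valid:
                    ndrs.append((sender, rcpt))
            continue
        verb = cmd.split(":")[0].split(" ")[0].upper()
        if verb == "EHLO":
            replies.append("250 mx.example.com")
        elif verb == "MAIL":
            sender = _addr(cmd)
            replies.append("250 2.1.0 sender ok")
        elif verb == "RCPT":
            rcpt = _addr(cmd)
            if reject_at_rcpt and rcpt not in valid:
                # Rejection during the transaction: the sending side learns
                # the address is bad, and no NDR is owed to anyone.
                replies.append("550 5.1.1 <%s>: user unknown" % rcpt)
            else:
                accepted.append(rcpt)
                replies.append("250 2.1.5 recipient ok")
        elif verb == "DATA":
            if accepted:
                in_data = True
                replies.append("354 end data with <CR><LF>.<CR><LF>")
            else:
                replies.append("554 5.5.1 no valid recipients")
        elif verb == "QUIT":
            replies.append("221 2.0.0 bye")
        else:
            replies.append("500 5.5.2 command unrecognized")
    return replies, ndrs, body_bytes


def backscatter_count(commands, valid, reject_at_rcpt):
    """Number of NDRs a third party would receive for this session."""
    return len(smtp_session(commands, valid, reject_at_rcpt)[1])


if __name__ == "__main__":
    for mode in (True, False):
        replies, ndrs, nbytes = smtp_session(CLIENT_COMMANDS, VALID_RECIPIENTS, mode)
        print("reject_at_rcpt=%s: %d NDRs, %d body bytes accepted" % (mode, len(ndrs), nbytes))
        for r in replies:
            print("  S:", r)
```

The two runs differ only in where the recipient check happens. With the check at RCPT TO the probe still costs one short transaction, but the forged sender at other.example receives nothing; with accept-then-bounce the same transaction leaves two NDRs to be delivered to an address that never mailed us.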


More information about the MailScanner mailing list