IP address reputation, BorderWare

Kevin Miller Kevin_Miller at ci.juneau.ak.us
Fri Mar 23 23:27:03 CET 2007

Rick Chadderdon wrote:
> Kevin Miller wrote:

> Yes, I realize that I wasn't suitably clear there...  I guess I was
> working from the assumption that everyone else had seen the same
> behavior I had.  Each new delivery attempt comes with a new forged
> sender.  I tried to clarify in my last post.  If you have any
> statistics showing the ratio of cache hits to new addresses, at least
> in your case, I'd be interested in seeing them.

Between 7 am yesterday and 7 am today I got the following results:

Sender 1st time fails:	 4697
Sender cache fails:	  547
Total Sender fails:	 5244

Recipient 1st time fail: 2355
Recipient cache fails:	  766
Total Recipient fails:	 3121

I rejected 1735 due to greet-pause.  Those are dropped before SAV is

Not overwhelming cache hits, but somewhere around 10% for the sender

I usually accept around 5000 messages a day.  Considering that I'm doing
200 megs a day, give or take, imagine the amount of bandwidth someone
moving 500,000 messages a day generates.  What's that 200,000 megs?

I whole heartedly agree I should be doing recipient checks first - it
will be interesting to see where the numbers fall when that change is
>> I never said anything about what people charge for bandwidth.
> I know.  I didn't think you were going to go metaphysical on me... :)
>> OK, I've added a few K of 'background noise'.
>> But I've stopped megabytes from being transmitted on the core
>> routers by doing so.  That benefits everyone.
> How so?  I get exactly the bandwidth I pay for, no matter who else is
> using how much.

Yes, but only for the last mile.  

>> It isn't a last mile benefit,
>> directly to you, but the net result is more bandwidth for everybody
>> and you get that shared benefit along with everybody else.
> This is an imaginary benefit, Kevin, until the pipe is so full that
> nobody is able to get what they're paying for.  I don't see that
> happening anytime soon because the pipe just keeps getting bigger -
> there's plenty of room in it.  I can think of a couple of possible
> edge cases where there might be some peripheral benefit to others from
> minimizing your own spam bandwidth, but nothing very compelling.

The pipe does just keep getting bigger, but it wouldn't have to if more
spam was stopped before it's sent.  In a very real sense, by accepting
spam I'm passing on the cost of bigger pipes to someone else.  They have
to keep adding bigger pipes so we don't max it out in order to
accommodate that 200,000 megs mentioned above.  

>> Bandwidth that isn't used by a spammer is bandwidth that is available
>> for your users to use.  No magic there.  Think freeway - would you
>> rather drive it under rush hour conditions or 3am conditions?
> This is, as always, a poor analogy.  And in this argument, it presumes
> that those "rush hour" conditions affect me adversely.  My users get
> use of as much bandwidth as I pay for, regardless of who is spamming
> whom, or in what volume.

No, because your users aren't constrained to just your network.  Once
you leave your local ISP you're riding someone else's lightning.  But I
guess we'll have to agree to disagree on this one. 
>>> Well, as someone else pointed out, that server will get hassled
>>> either way.  Without SAV I'm accepting mail from invalid users.  If
>>> someone uses phoney from addresses with your domain, and runs a
>>> dictionary attack against me, I'm going to send an NDR back to your
>>> server for each address that is invalid on my side.  That will take
>>> a lot more server resources and bandwidth on your side than a
>>> simple SAV query would have. 
> Not really.  I reject mail to invalid recipients, so it's pretty much
> a wash.  I get the same transaction, either way.  I can control normal
> backscatter well enough.

OK, I see what you mean there.

> I don't care much for the practice of sending NDRs *after* accepting a
> message.  Check your valid users *before* you have to bounce an
> incoming message.  Failure to do so is just another way of letting
> spammers cause you to use the resources of others.  You sure don't
> want to be sending actual NDRs to people who never mailed you.  Let
> this be handled during the SMTP transaction, where it belongs.

We're in absolute agreement there.

> My point is that I can handle the stuff that happens as a normal part
> of running a mail server.  It's deliberate and unwanted use of my
> resources that bothers me.  Misconfigured servers bother me.  Bad
> autoresponders bother me.  I don't mind so much when it's because
> someone hasn't learned better yet, but when it's a considered
> decision on their part that my resources are ok to use, whether I
> like it or not...  That's when I get grumpy.

I guess I consider a sender lookup against my server a normal part of
running it, similar to SPF record queries being a normal part.  SPF
doesn't stop spam to me as a rule.  It can help stop spam from someone
forging my domain however.  I like that.  If someone using SAV queries
my server, I've helpped stop spam again.  I like that too.  I may or may
not see a benefit, but I don't have to.  I'm happy knowing some spammer
isn't.  On the other hand, I do see a benefit, because my users don't
get an NDR for mail they didn't send because the spam was squelched.
But hey, that's just me.

>>> Personally, I'd rather someone query my server, than send my users
>>> NDRs from Joe jobbed spam.  It's a lot less resouce intensive as
>>> nearly as I can see..
> It seems as though the IT industry is filled with two extremes:  pure
> pragmatists and pure idealists.  I'm a weird mix of the two, but when
> something goes against one of my 'ideals', I have a hard time looking
> at it pragmatically.  As a pragmatist, I'd probably agree that a
> query is better than an NDR.  As an idealist, I believe that the
> majority of NDRs being sent out are being done by servers configured
> by people who didn't know any better, so it's more tolerable than
> someone who is deliberately and knowingly hammering on my system to
> save his own bandwidth. 

But NDRs are sent by servers administered by people who *should* know
better.  Like Yahoo and AOL.  If it was your average user sending them
out I'd agree with you but that's not who's configuring servers.  

> I know I'm not going to change your behavior, but I hope I've managed
> to explain why SAV bothers me.

Sure, and I respect your position.  Nor do I expect to change yours
necessarily.  I just think SAV is the lesser of two evils.  Now if they
would just let us cane spammers we would see spam disappear overnight.
But that's more of that idealism...

Kevin Miller                Registered Linux User No: 307357
CBJ MIS Dept.               Network Systems Admin., Mail Admin.
155 South Seward Street     ph: (907) 586-0242
Juneau, Alaska 99801        fax: (907 586-4500

More information about the MailScanner mailing list