|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: Stealth Blocking
[In the message entitled "Re: Stealth Blocking" on May 24, 10:23, "Eric A. Hall" writes:]
>
> Dave Rand wrote:
>
> > I'm not sure how effective rate limiting will be. Many spammers send
> > one copy of the spam to an open relay, but use many (2 to 50)
> > recipients.
>
> Rate-shapers would also work on the relays. The idea is that if ISPs would
> implement a default rate-limit (let's say 4kb/s) that it wouldn't
> interfere with normal use. It would interfere with spam distribution
> because it would slow down the big runs dramatically.
>
> The negative side effect is that it cripples people who use email as a
> file transfer protocol.
>
Ok, let's have a look.
Last week, I got one spam ("get a free motorola pager") which came through
168 different open relays, bound for 4428 different recipients at
bungi.com. There were 791 different connections to deliver all the spam,
which meant that each time the spammer used an open relay, they delivered 5
copies of the message to my system (more or less). As was typical, they
used 16 different grid.net dialups (all from ipls).
Here's the dialup ports they used.
Injection point IPs involved (potential source):
IP Address Count Status In-addr
63.52.247.163 75 On DUL pool-63.52.247.163.ipls.grid.net
63.52.247.230 16 On DUL pool-63.52.247.230.ipls.grid.net
63.52.247.249 51 On DUL pool-63.52.247.249.ipls.grid.net
63.52.247.255 173 On DUL pool-63.52.247.255.ipls.grid.net
63.52.248.26 1 On DUL pool-63.52.248.26.ipls.grid.net
63.52.248.100 14 On DUL pool-63.52.248.100.ipls.grid.net
63.52.248.153 3 On DUL pool-63.52.248.153.ipls.grid.net
63.52.248.167 156 On DUL pool-63.52.248.167.ipls.grid.net
63.52.248.182 44 On DUL pool-63.52.248.182.ipls.grid.net
63.52.248.186 45 On DUL pool-63.52.248.186.ipls.grid.net
63.52.248.214 123 On DUL pool-63.52.248.214.ipls.grid.net
63.52.248.239 3 On DUL pool-63.52.248.239.ipls.grid.net
63.52.248.251 24 On DUL pool-63.52.248.251.ipls.grid.net
63.52.249.16 3 On DUL pool-63.52.249.16.ipls.grid.net
63.52.249.59 435 On DUL pool-63.52.249.59.ipls.grid.net
63.52.249.67 14 On DUL pool-63.52.249.67.ipls.grid.net
The spam was 4K bytes, including header. That's 32K bits. Assuming that
the open relays were really, really fast, that means that it would take
about 2 hours to send all 4428 spams. If he had used 10 recipients per
relay, it would have been 1 hour. 20 recipients would be 30 minutes.
Without the rate limiting, assuming a 20 Kbps connection speed, it would
have taken about 21 minutes to send the 4428 spams.
Either way, rate limiting isn't very effective. Even rate limiting at 1Kbps
only makes it 8 hours to send 4428 spams, or just over an hour a day (since
these spams were delivered over a week time period). And they were using 4
to 8 dialups at a time. Even at 1Kbps, that's 50,000 to 100,000 spams per
day, at 5 recipients per mail. If we go to 20, or 50, the numbers get very
large, very quickly, even at 1 Kbps.
That's why I think that port 25 blocking is the only way. That, and
closing open relays, of course.
--
|