NNSquad - Network Neutrality Squad
[ NNSquad ] [IP] Comcast's "Evil Bot" Scanning Project
Completely legit mailing list processing systems (like the widely-used GNU Mailman) tend to open up large numbers of simultaneous outbound connections when a mailing is initiated. This is probably a smaller number than most specialized spam sending systems use these days, but the point is that spam *is* e-mail, and the idea with spam is to look and behave as much like non-spam e-mail as possible. For example, increasing amounts of spam retry more than once to get through greylisting anti-spam systems. So the issue of whether someone sending out a legitimate mailing to a big mailing list will be mischaracterized as a spammer is at least worthy of interest.

--Lauren--

----- Forwarded message from Dave Farber <dave@farber.net> -----

Date: Sat, 10 Oct 2009 11:12:00 -0400
From: Dave Farber <dave@farber.net>
Subject: [IP] Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)
Reply-To: dave@farber.net
To: ip <ip@v2.listbox.com>

Begin forwarded message:

> From: Rich Kulawiec <rsk@gsp.org>
> Date: October 10, 2009 10:37:58 EDT
> To: David Farber <dave@farber.net>
> Cc: "David P. Reed" <dpreed@reed.com>
> Subject: Re: [IP] Re: Comcast's "Evil Bot" Scanning Project (Lauren Weinstein)
>
> On Sat, Oct 10, 2009 at 09:52:15AM -0400, David Reed wrote:
>> If I send a lot of email, why does that make me a "bot"? Maybe I just
>> send a lot of email.
>
> That's definitely not a good metric. Here's a much better one, far more
> accurate and much less invasive. (Presuming for a moment that port 25
> outbound isn't blocked.)
>
> Count the number of outbound connections to port 25 per unit time and
> the number of destinations.
>
> Real traffic from real human beings will show very low numbers of both
> of those: we don't send that much mail, and even if we're relaying outbound
> traffic through remote SMTP servers on port 25 (which we shouldn't be) we
> don't use many of them because we're not authorized to use many of them.
>
> On the other hand, spam-spewing bots, in an effort to maximize delivery
> attempts/deliveries, will initiate huge numbers of connections to diverse
> destinations.
>
> I've been looking at these numbers on different networks over the past
> several years, and the differences are sharp enough -- 10e3 to 10e6 --
> that they're immediately recognizable even with leaky observation methods.
> Bot-initiated spam runs make themselves visible in just a few minutes,
> sometimes less. And while certainly bot-initiated spam runs are by no
> means the only form of abuse that we should be concerned about, identifying
> these systems has considerable value: it harvests the low-hanging fruit,
> thus stopping them from doing immediate harm (sending spam) and from doing
> future harm (whatever they may be instructed to do next).
>
> There are spammer countermeasures to this, of course: one is to rate-limit
> the spam runs. But judicious tuning of detection thresholds based on
> local knowledge of usage patterns can make this difficult for them.
> Moreover, if they *are* rate-limiting sufficiently to evade detection,
> there is at least one very positive outcome of this: less spam.
> Applied globally, this would severely curtail overall spam levels --
> certainly not fixing the problem, by any means, but at least providing
> some symptomatic relief.
>
> ---Rsk
> -------------------------------------------
> Archives: https://www.listbox.com/member/archive/247/=now
> RSS Feed: https://www.listbox.com/member/archive/rss/247/
> Powered by Listbox: http://www.listbox.com

----- End forwarded message -----
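The metric Rich describes (outbound port-25 connections per unit time plus distinct destinations), worked through as an added example that is not part of this thread or any ISP's actual system. It assumes flow records of the form (unix_time, src_ip, dst_ip, dst_port), made-up thresholds, and an allowlist standing in for the "local knowledge" tuning he mentions; the constructed list-server host shows Lauren's concern about legitimate mailings tripping the heuristic.

```python
from collections import defaultdict

# Constructed flow records: (unix_time, src_ip, dst_ip, dst_port).
# Three sources: a desktop sending a few messages through one relay,
# a known list server doing a Mailman-style burst, and a spam bot.
FLOWS = (
    [(i * 30, "10.0.0.5", "192.0.2.25", 25) for i in range(4)]
    + [(10 + i, "10.0.0.20", f"198.51.100.{i % 200}", 25) for i in range(300)]
    + [(5 + i // 10, "10.0.0.77", f"203.0.113.{i % 250}", 25) for i in range(900)]
    + [(0, "10.0.0.5", "192.0.2.80", 443)]  # non-SMTP traffic is ignored
)

# Assumed local knowledge: the site's own mailing list server.
KNOWN_RELAYS = {"10.0.0.20"}


def port25_stats(flows, window=60):
    """Per (source host, time window): count outbound port-25 connections
    and distinct destination hosts. Returns {(src, win): (conns, dsts)}."""
    stats = defaultdict(lambda: {"conns": 0, "dsts": set()})
    for ts, src, dst, dport in flows:
        if dport != 25:
            continue
        key = (src, ts // window)
        stats[key]["conns"] += 1
        stats[key]["dsts"].add(dst)
    return {k: (v["conns"], len(v["dsts"])) for k, v in stats.items()}


def flag_hosts(flows, window=60, max_conns=50, max_dsts=20, allowlist=frozenset()):
    """Return {src: [(win, conns, dsts), ...]} for sources whose port-25
    activity exceeds both thresholds in some window, skipping allowlisted
    relays. Thresholds here are illustrative, not recommended values."""
    flagged = {}
    for (src, win), (conns, dsts) in port25_stats(flows, window).items():
        if src in allowlist:
            continue
        if conns > max_conns and dsts > max_dsts:
            flagged.setdefault(src, []).append((win, conns, dsts))
    return flagged


if __name__ == "__main__":
    # Without the allowlist the list server is flagged alongside the bot;
    # with it, only the bot remains.
    print(sorted(flag_hosts(FLOWS)))
    print(flag_hosts(FLOWS, allowlist=KNOWN_RELAYS))
```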