Fred T wrote:
> Hello Steve,
>
> Saturday, March 8, 2008, 11:56:46 PM, you wrote:
>
>
>> Now, I'm no expert on spam-bots, but it strikes me that the 'bots might want
>> to remove failed addresses
>> from their lists to make them more efficient. A 550 error returned at the
>> protocol level will immediately
>> notify the 'bot that the addressee is bad. Whether the 'bot then removes
>> the addressee from the list
>> is a matter of implementation, but if the reduction in spam directed at the
>> Town that we have seen is any
>> indication, the 'bots might just function in this manner (or at least some
>> of them).
>>

>
> This is interesting and I wonder why different sites would see
> different behavior. We see a bot attempt to deliver a message and
> get rejected and then almost immediately we see the same message from
> another bot get rejected. So from our perspective we see the bots
> working together to attempt to circumvent ip based blacklists.
> And we block invalid recip's and they keep sending no matter what!
>


I also see the same zombies retrying many times with a different sender.
I guess they have some blind retry strategy that consists of retrying
with a different sender and/or from a different IP. I am not seeing any
evidence of list washing.

I wanted to see if these were real retries, that is, they occur because
the transaction is rejected, or if the bots resend whether the
transaction is rejected or not, so I configured some of the "highly
targeted" addresses to accept mail. I found that few spam is sent
multiple times (so that's an automatic retry, even if the message was
accepted) and other spam is only received once.

Given the size of a spam, it is tempting to accept and discard instead
of rejecting. Unfortunately, this is risky (except for "obviously"
invalid addresses).


> We've been using SpamAssassin for 4 years and blocking during the
> SMTP session (or during protocol stage as you state it) and we've
> never seen a decrease in spam except for the downtime between new
> versions of the malware that drives them!
>
> I have an MRTG graph of # of spam blocked in transit and it's been
> consistently 52-56k a day for years!! I always notice a huge
> decrease over the weekend and it picks up big-time during the week.
> From 40k on the weekend to an average peak of 54k weekdays.
>
>
>
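
The comparison discussed in this thread (resends that follow a rejection versus resends that happen even after acceptance) can be run over SMTP transaction records. The following is an added example, not part of the original messages: the record layout, addresses and digests are constructed, and it assumes the rejection is issued after DATA so that a body digest is available for rejected mail too.

```python
from collections import defaultdict

# Constructed sample records (not real traffic):
# (seconds, client_ip, mail_from, rcpt_to, body_digest, smtp_reply)
RECORDS = [
    (0,  "192.0.2.10",   "a@example.net", "info@example.org",  "m1", 550),
    (4,  "198.51.100.7", "b@example.net", "info@example.org",  "m1", 550),
    (9,  "203.0.113.5",  "c@example.net", "info@example.org",  "m1", 550),
    (20, "192.0.2.44",   "d@example.net", "sales@example.org", "m2", 250),
    (26, "192.0.2.44",   "e@example.net", "sales@example.org", "m2", 250),
    (40, "198.51.100.9", "f@example.net", "sales@example.org", "m3", 250),
]

def classify(records):
    """Group attempts by (recipient, body digest) and label each group.

    single               - the message was seen once
    resent_after_reject  - every repeat followed a non-2xx reply
                           (consistent with a retry on rejection)
    resent_after_accept  - every repeat followed a 2xx reply
                           (a resend that did not depend on the outcome)
    mixed                - repeats followed both kinds of reply
    """
    groups = defaultdict(list)
    for rec in sorted(records):            # tuples sort by timestamp first
        groups[(rec[3], rec[4])].append(rec)

    result = {}
    for key, attempts in groups.items():
        # Reply classes (2, 4, 5) of every attempt that was followed by another
        prior = {code // 100 for *_, code in attempts[:-1]}
        if not prior:
            label = "single"
        elif prior == {2}:
            label = "resent_after_accept"
        elif 2 not in prior:
            label = "resent_after_reject"
        else:
            label = "mixed"
        result[key] = {
            "label": label,
            "attempts": len(attempts),
            "ips": len({a[1] for a in attempts}),      # distinct client IPs
            "senders": len({a[2] for a in attempts}),  # distinct MAIL FROM
        }
    return result

if __name__ == "__main__":
    for key, info in classify(RECORDS).items():
        print(key, info)
```

A `resent_after_reject` group only shows that the repeats followed rejections; it takes the accept-and-observe comparison described above to tell whether the rejection caused them.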