Catching Spam by Looking at Traffic, Not Content
AngryDad writes "HexView has proposed a method to deal with spam without scanning actual message bodies. The method is based solely on traffic analysis. They call it STP (Source Trust Prediction). A server, like a Real-time Spam Blacklist, collects SMTP session source and destination addresses from participating Mail Transfer Agents (MTAs) and applies statistics to identify spam-like traffic patterns. A credibility score is returned to the MTA, so it can throttle down or drop possibly unwanted traffic. While I find it questionable, the method might be useful when combined with traditional keyword analysis." What do you think? Is this snake oil, or is there something to this?
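As an added illustration (not HexView's code and not part of the original story), here is a toy simulation of the STP flow the summary describes: participating MTAs report SMTP session endpoints to a central server, the server scores each source from traffic shape alone, and the MTA maps the returned credibility score to an accept/throttle/reject decision. All weights, thresholds and sample addresses are assumptions.

```python
"""Toy Source Trust Prediction (STP): traffic-only sender scoring.
Weights and thresholds below are assumed, not HexView's actual metric."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SourceStats:
    sessions: int = 0                                   # SMTP sessions seen
    dest_domains: set = field(default_factory=set)      # distinct recipients' domains
    reporters: set = field(default_factory=set)         # distinct MTAs that reported it


class TrustServer:
    """Central collector: receives (MTA, source, destination) session reports."""

    def __init__(self):
        self.stats = defaultdict(SourceStats)

    def report(self, reporting_mta, source_ip, dest_domain):
        s = self.stats[source_ip]
        s.sessions += 1
        s.dest_domains.add(dest_domain)
        s.reporters.add(reporting_mta)

    def credibility(self, source_ip):
        """1.0 = unremarkable sender, 0.0 = looks like a spam run.
        A source nobody has reported yet gets a neutral 0.5."""
        s = self.stats.get(source_ip)
        if s is None:
            return 0.5
        volume = min(1.0, s.sessions / 50)            # assumed: 50 sessions saturates
        spread = min(1.0, len(s.dest_domains) / 10)   # assumed: 10 domains saturates
        fanout = min(1.0, len(s.reporters) / 5)       # seen by many independent MTAs
        spam_like = 0.4 * volume + 0.3 * spread + 0.3 * fanout
        return round(1.0 - spam_like, 3)


def mta_policy(score):
    """What the receiving MTA does with the score (assumed thresholds)."""
    if score < 0.3:
        return "reject"
    if score < 0.6:
        return "throttle"
    return "accept"


def build_sample_server():
    server = TrustServer()
    for i in range(60):   # constructed: bulk sender hitting many domains via many MTAs
        server.report(f"mta{i % 6}", "198.51.100.7", f"victim{i % 12}.example")
    for i in range(8):    # constructed: small office relay, one partner domain
        server.report("mta0", "192.0.2.10", "partner.example")
    for i in range(30):   # constructed: legitimate newsletter host, bulky but narrow
        server.report(f"mta{i % 2}", "203.0.113.5", f"list{i % 6}.example")
    return server
```

The newsletter host lands in "throttle" although it is legitimate, which is exactly the false-positive concern the submitter raises about a traffic-only method.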
Re:your specific idea sounds damned good to me (Score:2, Informative)
Spambots are bad, but my biggest problem is with fraudsters, both 419ers and standard credit-card-fraud types.
These sleazebags cause more trouble than the bots, and it's illegal to kill them. I'm not sure why they cause more trouble; they send out less email than the bots. Perhaps the scammers' email is better targeted to real people, as opposed to directory-harvesting-type attacks.
Anyway, definitely agree with you there: SMTP AUTH, IMAP or whatever, all piped through SSL or nothing at all.
Great idea, just several years late ;) (Score:5, Informative)
Ironport (recently purchased by Cisco for $830 million US) has been doing this kind of service for large providers for several years.
Their statistics site is publicly viewable, but using their stats requires a subscription fee.
http://www.senderbase.org/
It's interesting to look at how well or poorly the MTAs you use are scored. All of the stats are gathered by the systems they sell to ISPs and enterprise customers. These boxes perform the spam filtering for that organization's customers and provide statistical data back to senderbase.org, which allows all Ironport customers to "know" about problems for all other Ironport customers.
The link to their PDF on their metrics is here:
http://ironport.com/pdf/ironport_wp_reputation_ba
We evaluated their system last year as a possible replacement for a third-party spam/virus scanning provider and may end up purchasing their equipment once everything with the Cisco purchase shakes out. Their solution, while not perfect, behaves far better than some of the things that large service providers *coughAOLcough* have tried, and is (or was when we tested) comparable to most of the content-based scanning systems in terms of spam filtering, with a lower rate of false positives.
This technology has been around for years (Score:2, Informative)
CipherTrust TrustedSource (trustedsource.org)
Re:Botnets? (Score:2, Informative)
Botnets make rate-limiting (which really, is all STP is, besides Stone Temple Pilots and motor oil) an imperfect solution, but if you can eliminate the old-school spammers, trust me, you will take a giant chunk out of your daily spam volume, giving your true anti-spam software more CPU cycles to do its thing, like catch that blasted image spam.
Re:I am curious... (Score:3, Informative)
After all of that, I STILL get about 5 per day. Bayesian filtering in my e-mail client usually catches these, but since it occasionally catches false positives, I have to check it anyway.
Re:I have a better idea: (Score:1, Informative)
Many DDoS attacks are often carried out by Linux boxes as well, the
I would almost bet that your Linux or Mac box has no anti-virus protection on it, so how does that make you any better?