[Dshield] Spamhouse now listing exploited IPs in new

Chris Brenton cbrenton at chrisbrenton.org
Thu Jan 15 13:39:23 GMT 2004

On Thu, 2004-01-15 at 00:33, Jeff Kell wrote:
> > Nah. Better to tarpit 'em. Unfortunately sendmail doesn't support doing
> > that. :(
> No, you ignore them with 'no ip unreachables' (Cisco-speak), so their 
> end times out and requeues, eating up their time and resources. 

First off it's not _their_ time or resources as it's probably an 0wn3d
box. ;-)

Second, I've actually done a bit of investigation work on this. My
interest was finding the most efficient method of dealing with spam.
Turns out there are pros and cons to whatever you do:

Black list cons
Potential false positives
Potential to let through spam
More network utilization on the receiving end

Black list pros
Less human intensive

Content checking pros
Lower false positives than black list
Less of a chance of losing legit mail
Less network intensive

Content checking cons
More CPU intensive
Requires human review for final determination

Most of these should be pretty obvious to people. The one that surprised
me was the network utilization. Turns out when you add up the bytes from
three SYN retries over an average of six retransmission attempts, you end
up using more bandwidth (again, on average) than if you just accepted
the spam in the first place.

So with black lists you are actually chewing up more of your own
bandwidth, not the spammers', as they typically are not using their own
resources anyway.


