[anti-spam-wg@localhost] Interesting.

We're subscribers to the MAPS RBL+ list but found it insufficient
to make significant inroads on the UCE/UBE flood directed our way.

So early November I started construction of our own black list, based
on undeliverable bounce messages in the queue of our mail relays.

Over two thousand hosts now immediately get a "550" SMTP return code 
with an explanatory text attached.

Occasionally I notice an address that tries to connect very frequently 
(say, once per second for days on end). Just for the fun of it, I decided 
to throw a port 25 connection from one of those into a waiting loop 
(1000 seconds) with a "550" SMTP reply code at the end.

What happened ? 

I only observed three parallel connections ; the connection rate dropped 
immediately. That was at 18:26 yesterday evening. Since 07:15 this morning 
I stopped seeing port 25 connections from this address altogether.

Which brings me to the question whether, given spammers' bending of the
RFC/BCP guidelines in order to force their junk through other peoples' 
throats, is it acceptable to adopt a similar (but non-RFC-violating)
approach to defeat them or to minimise their impact ?

For some time I am contemplating reversing the anti-spam strategy from 
"accept everything without limitations EXCEPT for those on a black list" 
to "offer every connecting server lousy service (delays, rate throttling) 
EXCEPT for those on a white list".
I'd feed that white list by periodically checking the top-NN connectors
to my SMTP service and approving those when warranted.

The principle would probably be very difficult to extend to a general
purpose ISP but some end-sites may find it interesting to explore.


Comments and remarks are welcome,
Eric, Computing Centre, Brussels Free Universities.