[anti-spam-wg@localhost] Interesting.
- Date: Wed, 29 Jan 2003 16:33:05 +0100 (MET)
We're subscribers to the MAPS RBL+ list but found it insufficient
to make significant inroads on the UCE/UBE flood directed our way.
So in early November I started construction of our own black list, based
on undeliverable bounce messages in the queue of our mail relays.
Over two thousand hosts now immediately get a "550" SMTP return code
with an explanatory text attached.
Occasionally I notice an address that tries to connect very frequently
(say, once per second for days on end). Just for the fun of it, I decided
to throw a port 25 connection from one of those into a waiting loop
(1000 seconds) with a "550" SMTP reply code at the end.
What happened?
I only observed three parallel connections; the connection rate dropped
immediately. That was at 18:26 yesterday evening. Since 07:15 this morning
I stopped seeing port 25 connections from this address altogether.
Which brings me to the question whether, given spammers' bending of the
RFC/BCP guidelines in order to force their junk through other people's
throats, it is acceptable to adopt a similar (but non-RFC-violating)
approach to defeat them or to minimise their impact.
For some time I have been contemplating reversing the anti-spam strategy from
"accept everything without limitations EXCEPT for those on a black list"
to "offer every connecting server lousy service (delays, rate throttling)
EXCEPT for those on a white list".
I'd feed that white list by periodically checking the top-NN connectors
to my SMTP service and approving those when warranted.
The principle would probably be very difficult to extend to a general
purpose ISP but some end-sites may find it interesting to explore.
Comments and remarks are welcome,
Eric, Computing Centre, Brussels Free Universities.
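The two policies the post contrasts, as an added example that is not Eric's code and not part of the original message: the current "accept all except a black list, tarpit the listed host before the 550" approach, the proposed "slow service for everyone except a white list" reversal, and the top-N connector count meant to feed the white-list review. The addresses, the hostname mx.example.net, the 30-second throttle, and the function names are constructed for illustration; only the 1000-second hold is taken from the post.

```python
"""SMTP connection policy sketch.

Added example, not code from the original post or from the Brussels Free
Universities relays. It models the two policies the post contrasts: the
current "accept all except a black list, tarpit the listed host" approach,
and the proposed "slow service for all except a white list" approach.
All addresses, list contents and timings below are constructed for
illustration (the 1000-second hold is the figure given in the post).
"""
import asyncio
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Constructed sample lists (RFC 5737 documentation addresses, not real hosts).
WHITELIST = {"192.0.2.10", "198.51.100.7"}   # relays approved after review
BLACKLIST = {"203.0.113.5"}                  # hosts seen only in undeliverable bounces

TARPIT_SECONDS = 1000    # hold time before the final 550, as in the post
THROTTLE_SECONDS = 30    # banner delay offered to unknown connectors (assumed value)
BANNER = "220 mx.example.net ESMTP"          # hypothetical hostname
REJECT = "550 Access denied: host listed for repeated undeliverable mail"


@dataclass(frozen=True)
class Decision:
    delay: int      # seconds to hold the connection before sending `reply`
    reply: str      # first SMTP line sent after the delay
    accept: bool    # whether a normal SMTP dialogue follows


def blacklist_policy(peer: str) -> Decision:
    """Accept everyone except black-listed hosts; those are tarpitted, then refused."""
    if peer in BLACKLIST:
        return Decision(TARPIT_SECONDS, REJECT, False)
    return Decision(0, BANNER, True)


def whitelist_policy(peer: str) -> Decision:
    """Reverse the default: only white-listed hosts get prompt service.
    Unknown hosts are still served, but only after a delay; a standards-
    conforming relay waits for a slow banner, so legitimate mail still flows."""
    if peer in WHITELIST:
        return Decision(0, BANNER, True)
    if peer in BLACKLIST:
        return Decision(TARPIT_SECONDS, REJECT, False)
    return Decision(THROTTLE_SECONDS, BANNER, True)


def top_connectors(peers: Iterable[str], n: int) -> list[tuple[str, int]]:
    """Feed for the periodic white-list review the post describes: the n most
    frequent connecting addresses that are not yet on either list."""
    counts = Counter(p for p in peers if p not in WHITELIST and p not in BLACKLIST)
    return counts.most_common(n)


async def handle(reader: asyncio.StreamReader, writer: asyncio.StreamWriter,
                 policy=whitelist_policy) -> None:
    """Front-end handler: hold the socket open for the decided delay, then
    either refuse or hand over to a normal SMTP dialogue (abbreviated here)."""
    peer = writer.get_extra_info("peername")[0]
    d = policy(peer)
    try:
        await asyncio.sleep(d.delay)   # the "waiting loop": one idle coroutine per held socket
        writer.write((d.reply + "\r\n").encode("ascii"))
        await writer.drain()
        if d.accept:
            # Real code would run the full SMTP state machine here.
            line = await asyncio.wait_for(reader.readline(), timeout=300)
            if line.upper().startswith(b"QUIT"):
                writer.write(b"221 Bye\r\n")
                await writer.drain()
    except (ConnectionError, asyncio.TimeoutError):
        pass
    finally:
        writer.close()


async def main(port: int = 2525) -> None:
    server = await asyncio.start_server(handle, "127.0.0.1", port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    # Constructed connection log: one very frequent unknown host, a few others.
    log = ["192.0.2.77"] * 40 + ["192.0.2.88"] * 12 + ["203.0.113.5"] * 300 + ["192.0.2.10"] * 5
    print("review candidates:", top_connectors(log, 2))
    asyncio.run(main())
```

The handler keeps the held connection as a single sleeping coroutine rather than a thread, so a host opening a few parallel connections, as the post observed, costs the server almost nothing while each of them waits out the full delay. The black-listed host is excluded from `top_connectors` on purpose: the review feed should surface unknown frequent senders, not hosts whose fate is already decided.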