Yahoo Groups archive

Milter-greylist

Index last updated: 2026-04-28 23:32 UTC


[RFC] distributed spam traps, improved

2006-04-04 by Emmanuel Dreyfus

Hello

I thought about the next anti spam tool and I'd like some feedback about
my ideas. Please try to find a weak point. If there is none, we have our
countermeasure.

1) The context
Greylisting has been a good protection against spam, but spamware able
to defeat it by resending spam is now available. We need a way of addressing
the new problem.

2) The idea
The sender machine does not stay idle between the two resends. It tries to
send spam to other locations. If we have spam honeypots (aka spam traps)
everywhere on the Internet, we have good chances that the sender machine
will send a spam to a honeypot before the resend. If we have a Distributed
Spam Trap (DST) network, one site can catch a sender machine and inform
all the sites participating in the DSTnet that it found a spammer.

The spam traps would be e-mail addresses released in web pages. The DSTnet
would work by exchanging messages in real time from site to site. I already
wrote the software that does that.

3) Counter measure for spammers
In order to work around DST, spammers need to send mail to honeypots
from IP addresses we don't want to blacklist: ISP SMTP servers. That will
kill the ability of DST to report spamming IP, since it will also report
IP we really don't want to refuse mail from.

4) Preventing the counter measure
I found a very simple way of dealing with the problem: each site in the 
DSTnet could advertise its whitelisted IP netblocks. This would build a 
global whitelist containing as many real SMTP servers as possible. If
a honeypot address starts getting mail from such a whitelisted address, 
no spam report would be generated.

Whitelist advertisement would have a lifetime and would be sent periodically.
That way if a site gets out of the DSTnet, its stale whitelist entries
will not remain.

Of course we need to avoid bad information being entered in the global
whitelist (just as we need to avoid fake spam trap reports). This can be done
by signing any message sent on the DSTnet, and having a web of trust to
decide what trust to give to a newcomer. 

Opinions, comments?

-- 
Emmanuel Dreyfus
manu@...
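The following is an added toy model of the exchange the post describes; it is not the author's DSTnet software. Two sites exchange signed messages: one advertises its whitelisted netblocks with a lifetime, the other records a trap hit and emits a spam report only when the source is not inside a live whitelist entry. Forged or unsigned messages are dropped, and stale whitelist entries expire on their own. The message layout, field names, per-peer HMAC keys (standing in for the web-of-trust signatures the post leaves open) and the TEST-NET sample addresses are all constructed assumptions.

```python
"""Toy model of DSTnet message handling (added example, not the post's code).

Assumptions (constructed): JSON messages with a "type" field, one shared HMAC
key per peer site instead of public-key signatures, and TEST-NET addresses.
"""
import hashlib
import hmac
import ipaddress
import json

# Constructed per-peer keys; the web of trust from the post would replace this.
PEER_KEYS = {"site-a": b"key-a", "site-b": b"key-b"}


def sign(site, payload, key):
    """Attach an HMAC over the canonical JSON form of the message."""
    body = {"site": site, **payload}
    mac = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


def verify(msg):
    """True only if the message comes from a known peer and its MAC matches."""
    key = PEER_KEYS.get(msg.get("site"))
    if key is None:
        return False
    body = {k: v for k, v in msg.items() if k != "mac"}
    expected = hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))


class DSTSite:
    def __init__(self, name):
        self.name = name
        self.whitelist = {}   # ip_network -> (advertising site, expiry time)
        self.blacklist = set()
        self.rejected = 0     # messages dropped for bad or missing signature

    def receive(self, msg, now):
        """Process one DSTnet message: whitelist advertisement or spam report."""
        if not verify(msg):
            self.rejected += 1
            return "rejected"
        if msg.get("type") == "whitelist":
            for net in msg["netblocks"]:
                self.whitelist[ipaddress.ip_network(net)] = (msg["site"], now + msg["lifetime"])
            return "whitelist-updated"
        if msg.get("type") == "report":
            self.blacklist.add(ipaddress.ip_address(msg["ip"]))
            return "blacklisted"
        return "ignored"

    def expire(self, now):
        """Drop whitelist entries whose advertised lifetime has run out."""
        for net, (_, expiry) in list(self.whitelist.items()):
            if expiry <= now:
                del self.whitelist[net]

    def is_whitelisted(self, ip, now):
        self.expire(now)
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def trap_hit(self, ip, now, key):
        """A honeypot address got mail from ip: report it unless whitelisted."""
        if self.is_whitelisted(ip, now):
            return None
        return sign(self.name, {"type": "report", "ip": ip}, key)

    def accept_mail(self, ip):
        return ipaddress.ip_address(ip) not in self.blacklist


def simulate():
    """Run the exchange between two sites and return the observed outcomes."""
    a, b = DSTSite("site-a"), DSTSite("site-b")
    out = {}
    # site-b advertises an ISP netblock it trusts, valid for 600 seconds.
    adv = sign("site-b", {"type": "whitelist", "netblocks": ["192.0.2.0/24"], "lifetime": 600},
               PEER_KEYS["site-b"])
    out["adv"] = a.receive(adv, now=100)
    # A trap hit from inside the whitelisted block produces no report.
    out["isp_hit"] = a.trap_hit("192.0.2.10", now=200, key=PEER_KEYS["site-a"])
    # A trap hit from elsewhere is reported and blacklisted at site-b.
    report = a.trap_hit("203.0.113.5", now=200, key=PEER_KEYS["site-a"])
    out["report"] = b.receive(report, now=200)
    out["accept_spammer"] = b.accept_mail("203.0.113.5")
    # A tampered copy of the report (ip swapped) fails verification.
    out["forged"] = b.receive(dict(report, ip="192.0.2.10"), now=200)
    # Once the advertisement has expired, the same ISP address is reported again.
    out["stale_hit"] = a.trap_hit("192.0.2.10", now=800, key=PEER_KEYS["site-a"]) is not None
    out["rejected_count"] = b.rejected
    return out


if __name__ == "__main__":
    print(simulate())
```

The point the model makes concrete is that the whitelist check happens at the site that owns the trap, before any report leaves it, so a spammer relaying through an advertised ISP server never causes that server's address to be distributed; the expiry loop is what keeps a departed site's netblocks from living on in everyone else's whitelist.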
