[Asrg] FeedBack loops

Chris Lewis clewis at nortel.com
Wed Nov 12 12:09:14 PST 2008


Franck Martin wrote:
> Thanks Steve for clarifying my thinking.
> 
> For the scale, it would not send to all, but to the ones who are
> registered for such feedback. So a config file that specifies when and
> to whom to send the ARF reports.

Right, I alluded to that.

But, say, I instrumented our MTAs (not our spamtraps!) to send ARF
reports about filter firings to an ARF-supporting access provider, who
just happened to have a lot of infected machines?  Like some do.

Without mentioning any names, there's a couple providers who _do_
support ARF, whose abuse-reporting-system I'd probably blow off the air,
to the tune of hundreds or thousands of reports per day.  With the
traps, in one case, at one time, it'd have been close to 100,000/day to
just one provider.

Now get a few other sites doing the same.  Boom! ;-)

It doesn't scale.

It can _sometimes_ be done.  On prior arrangement and special
circumstances (e.g. considerably stricter "this is spam" determination
than our filters normally apply), I did an entirely automated ARF feed
to Hotmail off our MTAs.  This also was designed to not submit more than
one ARF report for the same sender per (I think) 8 hours.  A hacked
together kludge.

It could not have been done if Hotmail hadn't 100% automated their end
of the process to the extent of zapping the account without a human in
the loop.  Which is why we had to be so strict about being absolutely
FP-free.  Not appropriate at all with "normal" filter reliability, and
"someone should be in the loop to double-check", which I hope most of us
believe is necessary for this to become a "standard practice".

There were one or three other sites with which Microsoft had made
similar arrangements.  They wouldn't tell me who they were (but I
suspected who at least one of them was ;-)

It worked wonderfully well for its brief lifetime of applicability. We
sent several thousand the first day.  Couple hundred the next.  A few
dozen for the next couple days.  Then zero.  I dismantled it after a week.

The Nigerian infestation went off and took over Yahoo (IIRC) somewhere
during the first 2-3 days.

Serious BOT infestations would be worse.

Here's a useful thought experiment: Check out

http://cbl.abuseat.org/domain.html

Remember that CBL's detection reliability is extremely good, and also
that the CBL only makes detection on an actual email attempt from the
listed IP.  If telekom.gov.tr supported ARF, and the CBL instrumented
their detectors to generate ARF, that would be at least 440,000 unique
IP reports over whatever interval the CBL is reporting.  Which seems to
be about a week...  What abuse desk could cope with that flow rate?  No-one.

[I do some specialized BOT feeds to ISPs with at least 3-way
"redundancy" in selecting which IPs to report.  They help.  But ARF
simply isn't appropriate for that.]

> It seems also that MUAs, when a mail server is involved (MTA + other
> tools), have a way to report SPAM to the mailserver (special mailbox,
> special folder) so the filter can learn from the user reports.

There are ways to do this, including via, say, SpamAssassin hosted on MTAs.
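The automated, rate-limited ARF feed described in the message above (one report per sender per window, and only for messages the filter is far more certain about than usual), written out as an added example. This is not Chris Lewis's or Nortel's code; the RFC 5965 report layout is standard, but the hostnames, addresses, the sample spam message, the 8-hour window and the "strict score" threshold are all constructed assumptions for illustration.

```python
"""Rate-limited ARF (RFC 5965) feedback-report generation.

Added example, not code from the original mailing-list post. Hostnames,
addresses, the sample message and the scoring scheme are assumptions.
"""
from datetime import datetime, timedelta, timezone
from email import message_from_bytes
from email.mime.message import MIMEMessage
from email.mime.multipart import MIMEMultipart
from email.mime.nonmultipart import MIMENonMultipart
from email.utils import formatdate, parseaddr

# Constructed sample: a message a (hypothetical) filter flagged as spam,
# as it arrived at the reporting MTA. All names and IPs are invented.
SAMPLE_SPAM = b"""From: offer@example.net
To: victim@example.org
Subject: You have won
Date: Wed, 12 Nov 2008 12:00:00 -0800
Message-ID: <constructed-1@example.net>
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org with ESMTP id constructed-1

Claim your prize now.
"""


def build_arf_report(raw_message: bytes, source_ip: str, reporting_mta: str,
                     report_to: str, when: datetime) -> MIMEMultipart:
    """Wrap a flagged message in the ARF container: multipart/report with
    report-type=feedback-report, holding (1) a human-readable summary,
    (2) the machine-readable message/feedback-report fields and
    (3) the original message as message/rfc822."""
    original = message_from_bytes(raw_message)
    sender = parseaddr(original.get("From", ""))[1]

    report = MIMEMultipart("report", **{"report-type": "feedback-report"})
    report["From"] = f"abuse-feedback@{reporting_mta}"   # assumed mailbox
    report["To"] = report_to
    report["Subject"] = "Abuse report for: " + original.get("Subject", "")
    report["Date"] = formatdate(when.timestamp())

    # Part 1: human-readable summary for whoever reads the abuse mailbox.
    summary = MIMENonMultipart("text", "plain")
    summary.set_payload(
        f"This is an automated report of a message from {sender} "
        f"({source_ip}) that was classified as spam by {reporting_mta}.\n")
    report.attach(summary)

    # Part 2: machine-readable fields (RFC 5965 section 3.1). Arrival-Date
    # is approximated from the Date header here; a real MTA would record
    # the actual time it accepted the message.
    feedback = MIMENonMultipart("message", "feedback-report")
    feedback.set_payload(
        "Feedback-Type: abuse\r\n"
        "User-Agent: ExampleARFGenerator/0.1\r\n"   # assumed agent name
        "Version: 1\r\n"
        f"Original-Mail-From: {sender}\r\n"
        f"Source-IP: {source_ip}\r\n"
        f"Arrival-Date: {original.get('Date', '')}\r\n"
        f"Reporting-MTA: dns; {reporting_mta}\r\n")
    report.attach(feedback)

    # Part 3: the original message, verbatim, so the receiver can verify it.
    report.attach(MIMEMessage(original))
    return report


class RateLimitedReporter:
    """Emit at most one report per sender per window, and only for messages
    scoring well above the normal filter threshold (assumed scoring scheme),
    so a fully automated receiver is not flooded or fed false positives."""

    def __init__(self, window: timedelta = timedelta(hours=8),
                 strict_score: float = 15.0):
        self.window = window
        self.strict_score = strict_score
        self._last_report: dict[str, datetime] = {}

    def consider(self, raw_message: bytes, source_ip: str, spam_score: float,
                 now: datetime, reporting_mta: str = "mx.example.org",
                 report_to: str = "abuse@example.net"):
        """Return an ARF report to send, or None if the message should not
        be reported (score too low for the strict policy, or the sender
        was already reported within the window)."""
        if spam_score < self.strict_score:
            return None
        original = message_from_bytes(raw_message)
        sender = parseaddr(original.get("From", ""))[1].lower()
        last = self._last_report.get(sender)
        if last is not None and now - last < self.window:
            return None
        self._last_report[sender] = now
        return build_arf_report(raw_message, source_ip, reporting_mta,
                                report_to, now)


if __name__ == "__main__":
    reporter = RateLimitedReporter()
    t0 = datetime(2008, 11, 12, 20, 0, tzinfo=timezone.utc)
    first = reporter.consider(SAMPLE_SPAM, "192.0.2.10", 20.0, t0)
    print(first.as_string() if first else "suppressed")
    # Same sender an hour later is suppressed by the per-sender window.
    print(reporter.consider(SAMPLE_SPAM, "192.0.2.10", 20.0,
                            t0 + timedelta(hours=1)))
```

The per-sender window is what kept the feed in the message above from becoming the thousands-per-day flood it warns about; the strict score threshold is the other half, since the receiver was acting on each report with no human in the loop. Neither is a substitute for an abuse desk that can absorb the volume, which is the point the message makes.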
