[Asrg] Dictionary Attacks

[John Leslie]

Richard Golodner <rgolodner at infratection.com> wrote:
> 
> Rich K is asking the correct question that all op's should be asking
> every day, what can be done to remove the need for all of the abuse
> reports?

   Indeed, that is the question operators should ask themselves on any
day they deal with more than a handful of valid abuse reports. But that
is not what this list is for. This list is for research topics in spam
abatement.

> Run a tight net and conform to the bcp's. We all know what works and
> what does not.

   Well, I don't know _anything_ that works against spam _to_ <abuse>
resulting (I guess) from dictionary attacks on domains I manage by
clueless spammers. I myself receive few enough of these that I sort
all <abuse> email (for any domain) into yet-another-identified-spam
mailbox. I am not looking for advice on how to "improve" on this,
because it's well beyond 100:1 spam and I _want_ to empty my spam
mailboxes daily.

> It is time that we look at our nets and identify the problematic
> parts of the overall design and re-engineer them so they are under
> a greater degree of control.

   Myself, I don't feel that need -- I can't remember the last time
I had to deal with more than one arguably-legitimate abuse report
per day. But if anyone here wants to discuss _research_ into how to
do this better, I'm happy to discuss it.

> We design and build out the topology, we should all have had enough
> experience to address what we know will be problematic in the
> network and do all that is possible to keep these problems to a
> minimum.

   This is true of many smaller ISPs and IS managers; I'm not sure
if it's true of larger ISPs. Unfortunately, the failings of larger
ISPs create pressure on smaller ISPs and IS managers to "route
around" these failings. I like to believe there are things we could
do to make it easier for large ISPs to deal with these problems
themselves.

--
John Leslie <john at jlc.net>