Botnet Responsible for 18% of World’s Spam Knocked Offline (mashable.com)
59 points by sheckel on July 19, 2012 | hide | past | favorite | 21 comments


I never understood why the upstreams of "bulletproof hosts" don't simply disconnect / de-peer the entire AS until they clean up their act. Why won't their BGP neighbors take action?

If you can't get ScumBagISP-A to clean up their act, go to ScumBagISP-Upstream-B, and then the next hop ScumBagISP-Upstream-Nexthop-C, and the next, until you find a responsible carrier who can de-peer?


ISPs have very complicated sharing agreements in place when it comes to BGP. At BGP level, contracts take precedence over technology.


That was tried about 5 years ago against the "Russian Business Network", AS40898.

http://blog.washingtonpost.com/securityfix/2007/11/russian_b...

As far as I know it only worked temporarily.



I read these numbers, and I look at my bandwidth costs at my data center, and I think, "wow, it sure is fortunate that so much excess backbone capacity ended up being built in the dot com era."


> so much excess backbone capacity

Do spam emails really consume that much bandwidth? I don't see long texts besides those from that nice Nigerian Minister...


An average email is roughly 75kb[1]. That same 75kb, plus TCP overhead, has to touch every single email server between you and the destination (wasn't able to find anything that suggested how many hops are average).

Some random googling specifies a number around 175 billion for number of spams sent per day.

That works out to an average of 12,223 terabytes per day - of just spam. Now multiply that by the number of hops that each message takes. Assuming each message only has to touch one intermediary server between source and destination, that's still 3.6 petabytes.

[1] http://email.about.com/od/emailstatistics/f/What_is_the_Aver...


Spam tends to be a lot smaller (~6.4kb) as longer messages take more resources to send and are easier to detect. https://www.trustwave.com/support/labs/spam_statistics.asp

Also, email does not need to hop from mail server to mail server all that much due to DNS. Granted, legitimate mail might move around a fair bit, but as far as the public internet is concerned the vast majority of spam is sender -> possibly sender's mail server -> spam detection software -> /dev/null.


85-97% of all email is spam. https://en.wikipedia.org/wiki/Email_spam#Statistics_and_esti... It cost the USA $21B in 2004, probably more than double that last year. Edit: it was double that by 2009 http://email-museum.com/2009/01/28/cost-of-spam-is-flattenin...


I think that number might be out of date -- and thus a bit high right now. I install sqlgrey on the mail servers I admin, and it does an amazing job of blocking spam before the MTA ever sees it. And, whereas greylisting was still a little controversial back when I worked for an ISP a handful of years ago, at a quick glance at my mail server logs it looks like it's caught on at a bunch of other providers now too.

Most of the email my mail servers handle right now is legitimate.


You have extra hardware and an entire software stack just to block spam, and you use this to argue that spam is not a big deal?


Woah there, dude. I wasn't arguing that spam is not a big deal; I wasn't really arguing anything at all. I was saying that the "85-97% of all email is spam" statistic no longer jibes with what I see on my servers -- at all. I'd have to whip up a quick script to munge my mail logs, but I'd expect around 90% of all messages the MTA actually handles to be legit.

However, since you asked so politely: I don't have extra hardware (I think e.g. Barracuda is crap), and I wouldn't say I have an entire software stack -- just that sqlgrey & spamassassin are components of the mail server software stack that I use.

I think that whether spam is a big deal or not depends a lot on the tools you use. I put a lot of time and effort initially into building a software stack that could handle spam (and other problems) more-or-less on its own, and now spend pretty close to no time at all having to personally deal with problems related to spam. Conversely, the ISP I used to work for went with a Barracuda appliance and had a pretty poor mail server configuration that they didn't want to overhaul, and AFAIK they still have to spend significant amounts of support time dealing with spam-related complaints.

It could be argued that since I had to spend a lot of time and effort on the initial setup, spam is a big deal. I don't think I'd disagree with that. But, it doesn't have to be a big deal every day.
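The "quick script to munge my mail logs" mentioned above is the kind of thing that settles the argument either way, since it separates messages the MTA accepted from those greylisting or a blocklist turned away at the SMTP dialogue. This is an added example, not the commenter's script: the log lines are constructed in a Postfix-style syslog format, and the classification rules (an `smtpd` `NOQUEUE: reject:` line is a turned-away attempt, a `qmgr` line carrying `from=<...>, size=` is a message the MTA queued) are assumptions about that format.

```python
"""Classify Postfix-style mail log lines into accepted / greylisted / rejected
and report what share of all SMTP decisions the MTA actually accepted.
Example code written for this page; the log sample is constructed, not real."""
import re
from collections import Counter

# Constructed sample (not from any real server); addresses use reserved example ranges.
SAMPLE_LOG = """\
Jul 19 10:00:01 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.7]: 450 4.2.0 <user@example.net>: Recipient address rejected: Greylisted; from=<promo@example.com> to=<user@example.net> proto=ESMTP helo=<mail.example.com>
Jul 19 10:00:03 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.8]: 450 4.2.0 <user@example.net>: Recipient address rejected: Greylisted; from=<deal@example.com> to=<user@example.net> proto=ESMTP helo=<mail.example.com>
Jul 19 10:00:09 mx postfix/smtpd[2102]: NOQUEUE: reject: RCPT from unknown[198.51.100.9]: 554 5.7.1 Service unavailable; Client host [198.51.100.9] blocked using bl.example.invalid; from=<x@example.com> to=<user@example.net> proto=SMTP helo=<198.51.100.9>
Jul 19 10:00:15 mx postfix/smtpd[2103]: connect from mail.example.org[203.0.113.5]
Jul 19 10:00:16 mx postfix/smtpd[2103]: 3F2A1C0A1: client=mail.example.org[203.0.113.5]
Jul 19 10:00:16 mx postfix/qmgr[2105]: 3F2A1C0A1: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Jul 19 10:00:17 mx postfix/local[2110]: 3F2A1C0A1: to=<user@example.net>, relay=local, delay=0.5, status=sent (delivered to maildir)
Jul 19 10:00:17 mx postfix/qmgr[2105]: 3F2A1C0A1: removed
Jul 19 10:00:20 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.10]: 450 4.2.0 <user@example.net>: Recipient address rejected: Greylisted; from=<win@example.com> to=<user@example.net> proto=ESMTP helo=<mail.example.com>
Jul 19 10:00:31 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.11]: 450 4.2.0 <user@example.net>: Recipient address rejected: Greylisted; from=<hi@example.com> to=<user@example.net> proto=ESMTP helo=<mail.example.com>
Jul 19 10:00:40 mx postfix/smtpd[2101]: NOQUEUE: reject: RCPT from unknown[198.51.100.12]: 450 4.2.0 <user@example.net>: Recipient address rejected: Greylisted; from=<yo@example.com> to=<user@example.net> proto=ESMTP helo=<mail.example.com>
Jul 19 10:05:16 mx postfix/qmgr[2105]: 7B9C2D1E4: from=<bob@example.org>, size=5120, nrcpt=1 (queue active)
"""

LINE_RE = re.compile(r"postfix/(?P<prog>\w+)\[\d+\]: (?P<msg>.*)$")


def classify(line: str):
    """Return 'accepted', 'greylisted', 'rejected', or None for lines that are not a decision."""
    m = LINE_RE.search(line)
    if not m:
        return None
    prog, msg = m.group("prog"), m.group("msg")
    if prog == "smtpd" and "NOQUEUE: reject:" in msg:
        # A greylist defer is a 4xx temporary reject; everything else is a hard reject.
        return "greylisted" if "Greylisted" in msg else "rejected"
    if prog == "qmgr" and "from=<" in msg and "size=" in msg:
        # qmgr logs this once per message it accepted into the queue.
        return "accepted"
    return None


def summarize(lines) -> tuple:
    """Count decisions and return (counts, share of decisions that were accepted)."""
    counts = Counter(c for c in map(classify, lines) if c is not None)
    total = sum(counts.values())
    share = counts["accepted"] / total if total else 0.0
    return counts, share


if __name__ == "__main__":
    counts, share = summarize(SAMPLE_LOG.splitlines())
    for kind, n in sorted(counts.items()):
        print(f"{kind:11s} {n}")
    print(f"accepted share of SMTP decisions: {share:.0%}")
```

On the constructed sample the MTA accepted 2 of 8 decisions; note that it also counts greylisted attempts that may return later and be accepted, so the share of accepted messages among those the MTA "actually handles" (queued messages) is what the commenter is describing, while the share among all decisions is what the 85-97% statistic measures.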


Alright I incorrectly assumed sqlgrey etc. were running on another box. But just because you filter out the spam before your MTA sees it, doesn't mean it doesn't exist! 2008: 85% http://arstechnica.com/security/2008/07/report-81-5-percent-... down to 73% in 2009 when McColo was taken out http://arstechnica.com/business/2009/03/spam-slightly-lower-... but back up to 88% by 2010 before Rustock was taken out http://arstechnica.com/security/2011/03/rustock-repercussion... which (last I checked) put it down to 75% again http://arstechnica.com/business/2012/04/spam-levels-still-lo...



I keep reading about spam networks knocked out and yet like any crime, if you take out the number one then everybody moves up a notch and somebody else joins the bottom. So either maybe they could make it harder. ISPs do packet inspection, maybe they could make it useful for the user. Block the sending of spam - both ways. Anybody selling viagra and penile extensions really should be on a business internet account for a start.

The tools are out there, maybe the ISPs could give the users a configuration screen enabling them to block spam upstream. User virtual firewalls could be useful to the user and also the ISP. Maybe users could be tested on what they know and from that certain default settings are made on the firewall and options locked. If a user doesn't know what they're doing then let's help them. Then any block will point them to speak to a human on the phone as they need that level of help. But instead we allow anybody to have a loaded electronic gun drive around the whole of the internet, scary when you think of it like that, but that's what you have, oh and spam.


Many ISPs around the world unconditionally block customers' outgoing TCP port 25 connections, to combat zombies sending spam over SMTP.

I used to find this annoying when running a private mail server, but then I realized that relaying through the ISP outgoing SMTP proxies probably ended up with net benefit in delivery rates anyways, due to IP reputation.


Didn't this happen not so long ago, and it only took a few months for the levels to go back up again?


Why don't botnet operators use peer-to-peer style command centers? According to the original article on the FireEye blog, the network was taken down with only "three days of effort."


Those might be vulnerable to anti-spam agencies actually hacking the control protocol. Or maybe it's just harder and the spammers don't want to spend as much time designing it. If government agencies keep taking these things down, and if they can do it quickly (not four years later), then it might be worthwhile for the spammers to have more robust control mechanisms.


Some of them do, notably Zeus. It takes quite a bit of work to make a botnet take instructions in a peer to peer fashion, so only the most sophisticated pieces of malware offer that feature.


And there was much rejoicing.



