From: Anthony Howe
Date: 2006-12-07 03:22:09 -0500
Subject: Re: new milter idea: milter-random-named-file

Michael Elliott wrote:
> Anthony Howe wrote:
>> This is problematic. Consider that most pump & dump image based spam uses 
>> a CID: there are no filenames to speak of, and the cid: will probably 
>> change between runs or every message even (you don't care about CPU when 
>> you're using someone else's computer).
> ... That and many other good reasons kind of kill this idea.  

I wouldn't count it out just yet. I think there might be a variant on a 
theme possible here. Just use something other than file names. As I 
mentioned earlier, it might be possible to do this using the sender's 
address since receiving multiple copies of the same attachment from 
different senders is either a) spam/virus, b) a chain letter, c) poor 
judgement by sender.

Even better still might be to record two records using the IP address of 
the connecting client:

3A: key={ client-IP, MD5 signature of attachment }
     value={ hit counter, timestamps... }

3B: key={ MD5 signature of attachment }
     value={ hit counter, timestamps... }

I'm pretty sure a heuristic could be developed to filter using some 
variant of the above and no-PTR or IP-in-PTR sources (i.e. looks dynamic, 
smells dynamic, or DNS challenged).

Anyway, you've sparked some thought in this vein and I think it just 
needs more fleshing out and tweaking.

Your milter-abook idea is OK. I'll have to think on it. I prefer 
something though along your original thought since it's a more 
independent technique.
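
[Added example, not part of the original message or of any milter by its author.] A sketch of records 3A and 3B as described above, keyed on the MD5 of each non-text MIME part so that cid:-referenced images without filenames are still counted. The threshold `MIN_CLIENTS`, the IPv4-only IP-in-PTR test, and all class and function names are assumptions made for illustration; the sample message is constructed.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_bytes
from email.message import EmailMessage

MIN_CLIENTS = 3  # assumed threshold; the message above does not give one

class AttachmentTracker:
    def __init__(self):
        self.by_client = defaultdict(list)  # 3A: (client-IP, MD5) -> timestamps
        self.by_hash = defaultdict(list)    # 3B: MD5 -> timestamps (hits = len)

    def record(self, client_ip, raw, now):
        """Update 3A and 3B for every non-text part; return the digests seen."""
        digests = []
        for part in message_from_bytes(raw).walk():
            if part.is_multipart() or part.get_content_maintype() == "text":
                continue
            # Hash the decoded content, so filename and Content-ID do not matter.
            digest = hashlib.md5(part.get_payload(decode=True) or b"").hexdigest()
            self.by_client[(client_ip, digest)].append(now)
            self.by_hash[digest].append(now)
            digests.append(digest)
        return digests

    def distinct_clients(self, digest):
        """Number of different connecting IPs that delivered this content."""
        return len({ip for ip, d in self.by_client if d == digest})

def looks_dynamic(client_ip, ptr):
    """True for no PTR, or a PTR embedding the four IPv4 octets in either order."""
    if not ptr:
        return True
    octets, nums = client_ip.split("."), re.findall(r"\d+", ptr)
    return any(nums[i:i + 4] in (octets, octets[::-1]) for i in range(len(nums) - 3))

def suspicious(tracker, client_ip, ptr, digest):
    """Assumed heuristic: dynamic-looking source plus content seen from many IPs."""
    return looks_dynamic(client_ip, ptr) and tracker.distinct_clients(digest) >= MIN_CLIENTS

def sample_message(sender, image):
    """Constructed message: HTML body with an inline cid: image and no filename."""
    m = EmailMessage()
    m["From"], m["To"] = sender, "user@example.org"
    m.set_content("<img src='cid:img1'>", subtype="html")
    m.add_related(image, maintype="image", subtype="gif", cid="<img1>")
    return m.as_bytes()
```

A real milter would take the client IP and PTR from the connection callback and would expire old timestamps from both records.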

