Valdis wrote:
#Most spam-fighting efforts on the technical side make the basic assumption
#that spam has similar characteristics to a properly designed TCP stack - that
#dropped/discarded spam-grams will trigger backoff at the sender. Unfortunately,
#discarding a high percentage of the grams will trigger a retransmit multiple
#times.
Actually, our experience *does* follow the backoff paradigm: if you block a
particular source of spam, that rejection *does* seem to trigger "message
volume" backoff at the source, with only periodic check probes apparently
designed to see if the spam source is really still blocked (and of course
it really still is).
Now it is true that in many cases the spammer *will* do a set of probes in an
effort to see just how broad a given block is (e.g., is it just a /32 that's
being blocked? is it my entire netblock? is it a domain based filter? can I
slide in via an open SMTP relay or an abusable proxy server?), but at least
here at the U of O, we're NOT seeing spammers waste their time attempting
delivery of hundreds or thousands of messages per day via hosts that have
been identified and filtered.
Regards,
Joe
Yes - but since they need to have N replies to their spam to make it worth
the effort, they will just pound on somebody ELSE. I saw one quote from
a very unapologetic spammer who was complaining that with all these blocks
he had to send a lot more spam and his costs were up 1000% as a result.
Let's say a spammer needs 100 replies to turn a profit, and 1% of the things
that make it into a mailbox get a reply. If nobody blocks spam, then the
spammer only needs to send 10K messages before he profits. If 99% of spam
is blocked, he has to send a million. That's why we're seeing statistics
like "receives 2 billion pieces of mail a day and 80% is spam".
Think of it like a host with multiple A records - if one A goes down, they
*do* stop trying that one, but they then fail to use backoff on the OTHER
addresses.... 
Point of information:
Can you really distinguish all this intentionality vs. the spammer
just changing which relay to rape? Perhaps because the raped relay was
shut down or secured when the owner found out what was going on?
Or the spammer just switching relays to rape for no specific reason
other than they seem to "go bad" after a few hours so use one for a
while (perhaps a batch of addresses to spam) and then switch to the
next in the list?