SMTP rate-limits [Was: Re: ingress SMTP]

If the ISP blocks port 25, then the ISP is taking responsibility for
delivering all email sent by a user, and they have to start applying rate
limits. Otherwise if they send all email from their users, all they've done
is take the spam, and mix it in with the legitimate email, making spam
filtering harder.

Okay, I can understand why an ISP might want to apply SMTP
rate-limits, but to clarify, I'm assuming you meant that ISPs
(if they do block tcp/25 outbound to anything other than their
own MTAs) need to watch for excessive SMTP utilization, which might
indicate a spammer-client (?).

...as opposed to arbitrary SMTP rate-limits.

Yes?

- ferg

Paul Ferguson wrote:

If the ISP blocks port 25, then the ISP is taking responsibility for
delivering all email sent by a user, and they have to start applying rate
limits. Otherwise if they send all email from their users, all they've done
is take the spam, and mix it in with the legitimate email, making spam
filtering harder.

Okay, I can understand why an ISP might want to apply SMTP
rate-limits, but to clarify, I'm assuming you meant that ISPs
(if they do block tcp/25 outbound to anything other than their
own MTAs) need to watch for excessive SMTP utilization, which might
indicate a spammer-client (?).

...as opposed to arbitrary SMTP rate-limits.

Yes?

I thought that these bot nets were so massive that it is pretty
easy for them to fly under the radar for quotas, rate limiting, etc.
Not that all bot nets are created equal, and there aren't local hot
spots for whatever reason, but putting on the brakes in a way that
users wouldn't feel pain is simply not going to make any appreciable
difference in the overall mal-rate.

No?

       Mike

Right.

In practice the rate of delivery failures is a more useful indication of
spam than the overall email rate.

Tony.

Can anyone comment authoritatively on the percentage of spam that's from a
leaky faucet compared to a fire hose? The stuff I see in my customer base is
all fire hoses at the rate of 2.5, sometimes 5, message connection attempts
per second. (I bet an academic could study the rate of spam emissions from a
certain IP to identify their upstream bandwidth).

Frank
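
Added example (not part of the thread, and not any poster's code): a sketch of the two signals discussed above, a per-client send-rate limit versus the per-client delivery-failure ratio, run over a constructed relay log. The log format, the IP addresses and all thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample, one line per delivery attempt relayed by the ISP's MTA:
# "<epoch_seconds> <client_ip> <smtp_reply_code>" (hypothetical format).
def build_sample_log():
    lines = []
    # 192.0.2.10: busy legitimate sender, 120 messages in a minute, 2 bounces
    for i in range(120):
        code = 550 if i % 60 == 0 else 250
        lines.append(f"{1000 + i // 2} 192.0.2.10 {code}")
    # 192.0.2.66: slow bot, one message every 30 s, most recipients invalid
    for i in range(20):
        code = 250 if i % 5 == 0 else 550
        lines.append(f"{1000 + i * 30} 192.0.2.66 {code}")
    return lines

def summarize(lines):
    """Aggregate attempts, permanent failures and active time span per client."""
    stats = defaultdict(lambda: {"total": 0, "failed": 0, "first": None, "last": None})
    for line in lines:
        ts, ip, code = line.split()
        ts, code = int(ts), int(code)
        s = stats[ip]
        s["total"] += 1
        if code >= 500:  # 5xx = permanent delivery failure
            s["failed"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats

def flag_by_rate(stats, max_per_sec=1.0):
    """Clients whose average send rate exceeds the limit (assumed threshold)."""
    flagged = set()
    for ip, s in stats.items():
        span = max(s["last"] - s["first"], 1)  # avoid division by zero
        if s["total"] / span > max_per_sec:
            flagged.add(ip)
    return flagged

def flag_by_failures(stats, min_msgs=10, max_fail_ratio=0.3):
    """Clients with enough traffic to judge and a high 5xx ratio (assumed thresholds)."""
    return {ip for ip, s in stats.items()
            if s["total"] >= min_msgs and s["failed"] / s["total"] > max_fail_ratio}

if __name__ == "__main__":
    stats = summarize(build_sample_log())
    print("rate limit flags:   ", sorted(flag_by_rate(stats)))
    print("failure ratio flags:", sorted(flag_by_failures(stats)))
```

On this sample the rate limit flags only the legitimate high-volume client, while the failure ratio flags only the slow sender with mostly rejected recipients.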