The End-To-End Internet (was Re: Blocking MX query)

Izaac <> commented:

#I suspect your ISP is also stripping <sarcasm> tags. Let's try it out

I don't believe those numbers say that last. I *wish* those numbers said
that, but I don't think they do. Here's why.

A. "bot spam seen" (by whatever number of sensors are deployed) is
conditional on bot spam making it out of its local network and onto
some other network where is sensor exists. Clearly, port 25 blocking
will dramatically curtail that. Thus, spam is still being generated
by those systems: it's just not getting anywhere.

B. Spam is not the only form of abuse generated by bots. Some participate
in DDoS attacks, some host illicit web sites, some harvest addresses,
the list is endless. Any sensor which only looks for spam arriving
via SMTP on port 25 will miss all those.

C. Some bots engage in secondary support activities (e.g., hosting
DNS for spammer domains) which is not intrinsicly abusive, but is
certainly abusive in context. Most of this will be missed by most
of everything and everyone.

D. Some bots do nothing -- that is, nothing overtly recognizable
by external sensors of any kind at any location. They're either
harvesting local data or perhaps they're simply being held in reserve,
a practice our adversaries adopted quite early on.

Thus we can't use anybody's numbers for observed bot-generated spam
to estimate infection rates -- other than to set a lower bound on them.
The upper bound can be, and like likely is, MUCH higher. Doubly so
because there is abolutely no reason of any kind to think that infection
rates of US-based hosts significantly differ from global norms.

More broadly, the per-nation rates are interesting but probably
unimportant: this is a global problem, so even if country X solved
it (for a useful value of "solved") it would matter little. I think
at this point any estimate of bot population under 200M should be
laughed out of the room, and that (just as it has for a decade)
it continues to monotonically increase.