[SpamCop-List] Re: Spammers moving away from direct-to-mx?

[Bert Driehuis]

John E. Malmberg wrote:

> Port scans are more troublesome to do automatically.  They also consume 
> bandwidth, so must be throttled.  It is probably likely that the time 
> needed to sequentially scan all I.P. addresses for an ISP can be 
> measured in weeks or months if they do not want to disrupt their network.
> 
> And apparently the spamware keeps morphing to evade automatic scans.

The morphing isn't that bad -- it just means ISPs have to scan all 
65,534 possible ports of every customer before they allow the first 
activity on Port 25. That's something like 5MB of traffic per user -- 
this could be a profit center for ISPs that charge per megabyte! :-)

The big problem with port scanning is that some Trojan proxies are so 
badly written that at the best of times, they fail 50% of requests. In 
other words, scanning all 65,534 is no guarantee of finding the Trojan.