Re: [Asrg] Is there anything good enough? - Spoofing stats

Vernon Schryver <vjs@calcite.rhyolite.com> Thu, 08 May 2003 01:51 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA26989 for <asrg-archive@odin.ietf.org>; Wed, 7 May 2003 21:51:08 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h4820MQ14934 for asrg-archive@odin.ietf.org; Wed, 7 May 2003 22:00:22 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4820M814931 for <asrg-web-archive@optimus.ietf.org>; Wed, 7 May 2003 22:00:22 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA26953; Wed, 7 May 2003 21:50:37 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19DaaP-0006us-00; Wed, 07 May 2003 21:52:41 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19DaaP-0006up-00; Wed, 07 May 2003 21:52:41 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h481t6814789; Wed, 7 May 2003 21:55:06 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h481sS814764 for <asrg@optimus.ietf.org>; Wed, 7 May 2003 21:54:28 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id VAA26849 for <asrg@ietf.org>; Wed, 7 May 2003 21:44:43 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19DaUh-0006tu-00 for asrg@ietf.org; Wed, 07 May 2003 21:46:47 -0400
Received: from calcite.rhyolite.com ([192.188.61.3]) by ietf-mx with esmtp (Exim 4.12) id 19DaUg-0006tr-00 for asrg@ietf.org; Wed, 07 May 2003 21:46:46 -0400
Received: (from vjs@localhost) by calcite.rhyolite.com (8.12.9/8.12.9) id h481lYaU012209 for asrg@ietf.org env-from <vjs>; Wed, 7 May 2003 19:47:34 -0600 (MDT)
From: Vernon Schryver <vjs@calcite.rhyolite.com>
Message-Id: <200305080147.h481lYaU012209@calcite.rhyolite.com>
To: asrg@ietf.org
Subject: Re: [Asrg] Is there anything good enough? - Spoofing stats
References: <200305072004.54182@grx>
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Wed, 07 May 2003 19:47:34 -0600

> From: David Walker <antispam@grax.com>

> ...
> Sending addresses are the property of the domain.  Mail sent within the 
> acceptable domain uses is not spoofed.  Mail sent through other channels to 
> avoid domain policies is spoofed.
>
> It seems to be a common misconception that addresses are the property of the 
> sender.  If you want an address to be your property you can sign up for your 
> own domain, otherwise they belong to the domain and the domain administrators 
> set the policy for each domain.

We do not agree that abusing an address amounts to forgery.  In my
view that makes as little sense as saying that if you abuse a rental
car, you are guilty of auto theft.


> I did a little checking on the existence of some of the addresses and 
> yahoo.com and aol.com didn't generate an error if the account did not exist 
> and the other accounts I checked did not exist.

I don't understand that sentence.


> > Many perfectly legitimate owners of netscape.com and other free
> > provider mailboxes uses those addresses as sender addresses in
> > their mail but send mail from unrelated ISPs.  Sometimes they do
> > this to avoid exposing their more private addresses to spam.  In
> > other cases port-25 filtering or other problems prevent them from
> > sending mail except through the unrelated ISP.
>
> They can use webmail.  The services most often impersonated are webmail 
> services and the correct use of that service is via webmail or such other 
> methods as that provider (hotmail,yahoo, etc) may permit.
> Those that are not webmail all provide smtp and pop servers and that is the 
> proper way to send mail through them.

What is your standing for telling AOL and users of netscape.com how
those addresses can be used?  By what authority do you tell AOL to
change the terms and conditions for the use of netscape.com addresses?
How can you presume to tell those users to use webmail instead of some
other ISP's MTA?

I could understand your telling AOL that you will refuse mail with
Netscape.com envelope addresses until and unless AOL changes the T&C
for netscape.com addresses, since that is what I do.  However, I do
not presume to say that AOL's T&Cs are invalid or other than what they
are or that any free provider user that does not use the free provider's
sending MTA is "forging" anything.

I assume that AOL, Microsoft, Lycos, and the rest of the free providers
will continue to do whatever suits them.  I do not think I have any
right to tell or even suggest to them that they should change.  I do
not expect them to start doing background checks (e.g. a TRW credit
check) or requiring an effective bond against bad behavior by their
users.  On occasion an official of a free provider has contacted me
about http://www.rhyolite.com/anti-spam/freemail.html  The tiny outfits
tend to bluster, threaten, and demand that their domain names be
removed.  The big outfits are cordial and do none of that.  They seem
to understand my position and motives and do not even suggest that I
remove their domain names.


> > If your definition of "spoofed domain" includes the notion that
> > the spoofed address is not perfectly legitimate and owned by the
> > user sending the message, what would you suggest to those innocent
> > people?  By turning off the mail of those innocent people, would
> > RMX be creating problems?
>
> RMX doesn't turn off mail to innocent people.  RMX helps to ensure that users 
> follow the policies of their domains.  No ISP that I know of blocks port 80 
> or 443 and those are the correct method for sending messages via a WEBmail 
> service unless the provider deems it acceptable to allow other methods.

HTTP whether over port 80 or with TLS over port 443 is useless for
sending mail in many circumstances.  For example, if you are using a
laptop in an airport or on an airplane, unless you are very rich, you
probably cannot afford to stay connected and use a remote web page to
compose outgoing email.  Thus, forcing people to use port 80 or 443
or nothing to send mail does turn off mail for some people.

Are you saying that people who do not use the sending MTAs of their free
providers for entirely legitimate mail are not at least mostly innocent?
If so we lack a common ground for discussion.  I've often said that free
providers are parasites on the Internet because they depend on outsiders
to police their spammers, and so users of free providers share that
guilt, but your position sounds extreme even to me.


> > If your definition includes some notion of forgery, how do you know
> > whether a message with unrelated sender address and reverse DNS domains
> > is spoofed or forged?  Do you have some way to ask the administrators
> > of the "spoofed" domain about the sender address?
>
> In 316 of the 3130 (10%) they connected using either my own domain name or the 
> IP address of my mail server as their helo domain.  That is clear and 
> undeniable proof that their intent is not to innocently inform me of the 
> latest Viagra substitute but rather to exploit possible holes in my rules in 
> order to deliver their crap.
> ...

Ok, they forged their HELO values.  I assume they also tried to
defraud you with their bogus offers.  However, that implies nothing
about whether their SMTP envelope Mail_From values were in any
honest sense forged.

How do you explain the extremely non-random character of your list?
Why aren't spammers using random domain names or random big company
domain names instead of concentrating on providers that give dropboxes
with little or no due diligence?  My explanation is that spammers care
about that lack of due diligence and that implies they own most of
those sender addresses.


Vernon Schryver    vjs@rhyolite.com
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
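The two tests argued over above, as an added example that is not code from the ASRG thread or from any of its participants: a scan over constructed SMTP connection log lines that (1) flags the HELO forgery David Walker counted (the client naming the receiving server's own hostname or IP as its HELO) and (2) applies an RMX/SPF-style policy check, where the envelope-sender domain has a list of networks it is supposed to send from. The hostnames, IP prefixes, policy table and log format are all assumptions made up for the example; they are not the providers' real records. Check (2) deliberately flags the "free-mail address sent through an unrelated ISP" case Vernon Schryver defends; the code only reports the mismatch, and whether that counts as spoofing is the point the thread disputes.

```python
"""Added example (not from the ASRG thread): HELO-forgery count and an
RMX/SPF-style sender-policy check over constructed SMTP connection logs."""

import ipaddress
import re
from collections import Counter

# Hypothetical identity of the receiving MX (assumed values for the example).
OUR_HOSTNAMES = {"mx.example.net", "example.net"}
OUR_IPS = {"203.0.113.10"}

# Hypothetical RMX-style policy: sender domain -> networks allowed to emit it.
# Made-up prefixes, not any real provider's records.
SENDER_POLICY = {
    "freemail.example": [ipaddress.ip_network("192.0.2.0/24")],
    "isp.example": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed log format: "<client-ip> helo=<arg> from=<envelope-sender>"
SAMPLE_LOG = """\
198.51.100.7 helo=mx.example.net from=bob@freemail.example
198.51.100.8 helo=[203.0.113.10] from=alice@freemail.example
198.51.100.9 helo=mail.isp.example from=carol@freemail.example
198.51.100.10 helo=203.0.113.10 from=eve@freemail.example
198.51.100.11 helo=EXAMPLE.NET. from=mallory@freemail.example
198.51.100.12 helo=[198.51.100.12] from=dave@isp.example
192.0.2.25 helo=smtp.freemail.example from=frank@freemail.example
"""

LINE_RE = re.compile(r"^(?P<ip>\S+)\s+helo=(?P<helo>\S+)\s+from=(?P<sender>\S+)$")


def normalize_helo(helo: str) -> str:
    """Lower-case, drop a trailing dot, unwrap an [address-literal]."""
    h = helo.strip().lower().rstrip(".")
    if h.startswith("[") and h.endswith("]"):
        h = h[1:-1]
        if h.startswith("ipv6:"):
            h = h[len("ipv6:"):]
    return h


def is_helo_forged(helo: str) -> bool:
    """True when the client claims to be us: our hostname or our own IP."""
    h = normalize_helo(helo)
    if h in OUR_HOSTNAMES:
        return True
    try:
        return str(ipaddress.ip_address(h)) in OUR_IPS
    except ValueError:  # not an IP literal and not one of our names
        return False


def policy_mismatch(client_ip: str, sender: str):
    """Return the sender domain if the client IP is outside that domain's
    (hypothetical) sending networks; None if no policy exists or it passes."""
    domain = sender.rpartition("@")[2].lower()
    nets = SENDER_POLICY.get(domain)
    if nets is None:
        return None
    ip = ipaddress.ip_address(client_ip)
    return None if any(ip in n for n in nets) else domain


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(log_text: str) -> dict:
    """Tally both checks; also count sender domains seen behind a forged HELO."""
    total = forged = mismatched = 0
    forged_by_domain = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        total += 1
        if is_helo_forged(rec["helo"]):
            forged += 1
            forged_by_domain[rec["sender"].rpartition("@")[2].lower()] += 1
        if policy_mismatch(rec["ip"], rec["sender"]) is not None:
            mismatched += 1
    return {"total": total, "helo_forged": forged,
            "policy_mismatch": mismatched, "forged_by_domain": forged_by_domain}


if __name__ == "__main__":
    r = scan(SAMPLE_LOG)
    print(f"{r['helo_forged']} of {r['total']} connections used our own name/IP as HELO")
    print(f"{r['policy_mismatch']} of {r['total']} came from outside the sender domain's policy")
    for dom, n in r["forged_by_domain"].most_common():
        print(f"  forged HELO, sender domain {dom}: {n}")
```

On the sample data the HELO check fires on four of seven connections, all of which also fail the policy check; the policy check alone additionally flags carol@freemail.example sent through the unrelated ISP, the exact case Schryver says is "entirely legitimate". Note that the HELO argument is compared only after case-folding, stripping a trailing dot and unwrapping an address literal, since a spammer trying the "our own name" trick will not necessarily type it the way the MTA logs it; the first Received line of this very message shows sendmail's own "(may be forged)" annotation, which is a different, reverse-DNS-based check on the connecting address, not on HELO.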