Re: [Asrg] What are the IPs that sends mail for a domain?

"Chris Lewis" <clewis@nortel.com> Thu, 02 July 2009 16:27 UTC

Return-Path: <CLEWIS@nortel.com>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1D27528C153 for <asrg@core3.amsl.com>; Thu, 2 Jul 2009 09:27:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mWyEPtyaMaNy for <asrg@core3.amsl.com>; Thu, 2 Jul 2009 09:27:40 -0700 (PDT)
Received: from zcars04e.nortel.com (zcars04e.nortel.com [47.129.242.56]) by core3.amsl.com (Postfix) with ESMTP id 98EAB3A6999 for <asrg@irtf.org>; Thu, 2 Jul 2009 09:27:40 -0700 (PDT)
Received: from zrtphxs1.corp.nortel.com (casmtp.ca.nortel.com [47.140.202.46]) by zcars04e.nortel.com (Switch-2.2.0/Switch-2.2.0) with ESMTP id n62GQRZ18829 for <asrg@irtf.org>; Thu, 2 Jul 2009 16:26:27 GMT
Received: from zrtphx5h0.corp.nortel.com ([47.140.202.65]) by zrtphxs1.corp.nortel.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 2 Jul 2009 12:27:58 -0400
Received: from [47.129.150.171] (47.129.150.171) by zrtphx5h0.corp.nortel.com (47.140.202.65) with Microsoft SMTP Server (TLS) id 8.1.340.0; Thu, 2 Jul 2009 12:27:58 -0400
Message-ID: <4A4CE00D.3020802@nortel.com>
Date: Thu, 2 Jul 2009 12:27:57 -0400
From: "Chris Lewis" <clewis@nortel.com>
Organization: Nortel
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.22) Gecko/20090605 Lightning/0.9 Thunderbird/2.0.0.22 Mnenhy/0.7.6.666
MIME-Version: 1.0
To: "asrg@irtf.org" <asrg@irtf.org>
References: <mailman.5.1245610801.29559.asrg@irtf.org> <4A3F76B8.2030409@terabites.com> <BBBA1F6A3752AE7B96888ECB@lewes.staff.uscs.susx.ac.uk> <4A48FB80.10709@billmail.scconsult.com> <800E7AE85B690B4BAC93F2CD@seana-imac.staff.uscs.susx.ac.uk> <20090630111105.GA12502@gsp.org> <DC4825E67EC4297FF587671B@seana-imac.staff.uscs.susx.ac.uk> <20090701150032.GB15652@verdi> <7ae58c220907010812s6831475fv485aa6a75baddb94@mail.gmail.com> <B615A07C0B45CC8ADA9F938A@seana-imac.staff.uscs.susx.ac.uk> <4A4CDB33.9000908@billmail.scconsult.com>
In-Reply-To: <4A4CDB33.9000908@billmail.scconsult.com>
Content-Type: text/plain; charset="ISO-8859-1"; format=flowed
Content-Transfer-Encoding: 7bit
X-OriginalArrivalTime: 02 Jul 2009 16:27:58.0781 (UTC) FILETIME=[0FBDE6D0:01C9FB32]
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2009 16:27:43 -0000

Bill Cole wrote:
> Ian Eiloart wrote, On 7/2/09 6:23 AM:

>> Exercise for the reader: why aren't spammers using the @ibm.com domain?
> 
> You provided the answer before the question.

Somewhat.  Because spammers _are_ using @ibm.com too.  I got samples ;-)

Anybody saying "spammers don't do X" and "spammers do X" is wrong at 
least some of the time.  Except for the obvious tautology that "spammers 
spam".

> Forged sender addresses are predominantly harvested rather than purely 
> invented or recombinantly assembled.

IOW: the biggest asset spammers have is lists of potential spam victims' 
email addresses.

What better place to get the email addresses to forge as sender than 
from the exact same list?  Is it so hard to imagine that a bot might do 
this or some variation?

1) Read a bunch of addresses
2) Spam the bunch of addresses, forged with one of the bunch as sender
3) Goto step 1

Various corollaries:

- If you get spam, you're probably being forged as sender in other spam.

- If they're hitting valid addresses, then there will be blowback _to_ 
valid addresses.
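
The three-step loop and its two corollaries, modelled as an added example (this is not part of Chris Lewis's message or anyone else's in the thread). The harvested list, the "gone*" dead mailboxes and the batch/round parameters are all constructed for illustration; the receiving side is simplified to "accept for a live mailbox, DSN to the forged sender otherwise, drop the DSN if the forged sender is dead too".

```python
import random

# Constructed sample data (not from the original message): a harvested
# address list in which the "gone*" mailboxes no longer exist.
HARVESTED = [
    "alice@example.com", "bob@example.com", "carol@example.org",
    "dave@example.org", "erin@example.net", "frank@example.net",
    "gone1@example.com", "gone2@example.org", "gone3@example.net",
]
VALID = frozenset(a for a in HARVESTED if not a.startswith("gone"))


def run_bot(addresses, batch_size=3, rounds=4, seed=1):
    """Steps 1-3 of the loop: take a batch of harvested addresses, spam every
    address in it with one batch member forged as the sender, then go back
    to step 1.  Returns one (forged_sender, recipient) pair per message."""
    rng = random.Random(seed)
    pool = list(addresses)
    spam = []
    for _ in range(rounds):
        rng.shuffle(pool)                      # re-read the list in a new order
        for i in range(0, len(pool), batch_size):
            batch = pool[i:i + batch_size]     # step 1: read a bunch of addresses
            forged = rng.choice(batch)         # step 2: forge one of the bunch as sender
            spam.extend((forged, rcpt) for rcpt in batch)
    return spam                                # step 3: goto step 1 (the loop above)


def deliver(spam, valid):
    """Receiving side (simplified model): a message to a live mailbox is
    accepted; a message to a dead mailbox produces a DSN addressed to the
    forged sender, which lands only if that forged sender is itself a live
    mailbox (otherwise the DSN double-bounces and is dropped).
    Returns the list of addresses that received blowback."""
    blowback = []
    for forged, rcpt in spam:
        if rcpt not in valid and forged in valid:
            blowback.append(forged)
    return blowback


def corollaries(spam, blowback, valid):
    """Check the two corollaries from the message against the simulated run."""
    victims = {rcpt for _, rcpt in spam}
    forged = {sender for sender, _ in spam}
    return {
        # every forged sender is itself an address the spam was sent to
        "forged_senders_are_victims": forged <= victims,
        # blowback only ever reaches real mailboxes, all of them on the list
        "blowback_hits_valid_victims": set(blowback) <= (valid & victims),
        "forged_fraction_of_victims": len(forged) / len(victims),
        "bounces_received": len(blowback),
    }


if __name__ == "__main__":
    spam = run_bot(HARVESTED)
    blowback = deliver(spam, VALID)
    for key, value in corollaries(spam, blowback, VALID).items():
        print(f"{key}: {value}")
```

Because the forged sender is always drawn from the same batch that receives the spam, the set of forged senders is a subset of the set of victims by construction; running more rounds pushes `forged_fraction_of_victims` toward 1, which is the first corollary. The second follows from the DSN rule: a bounce can only be delivered to a forged sender that is a live mailbox, so every blowback message lands on a valid address that is itself on the harvested list.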