Re: [Asrg] What are the IPs that sends mail for a domain?

"Chris Lewis" <clewis@nortel.com> Thu, 02 July 2009 17:21 UTC

Lewis, Chris (CAR:W669) wrote:
> Ian Eiloart wrote:
>> --On 2 July 2009 12:27:57 -0400 Chris Lewis <clewis@nortel.com> wrote:
>>
>>> Bill Cole wrote:
>>>> Ian Eiloart wrote, On 7/2/09 6:23 AM:
>>>>> Exercise for the reader: why aren't spammers using the @ibm.com domain?
>>>> You provided the answer before the question.
>>> Somewhat.  Because spammers _are_ using @ibm.com too.  I got samples ;-)
>> Ok, but it's trivial to reject them after checking SPF.
> 
> Don't need to.  They're all being rejected by either "no such user" or 
> the spam filter rejects.
> 
> SPF isn't worth the cycles nor bandwidth (in this environment at least) 
> to catch the rare SPF -all.

I should add - _if_ spammers are using the "-all" to screen out bad 
senders to use, then the mere existence of SPF as a "standard" has some 
value to push spammers away from forging certain high-value-target 
domains literally and thus marginally reduce backscatter because of 
spammer-behaviour-modification.  Perhaps.

But it doesn't imply that implementing any SPF checking will make any 
noticeable difference.  Indeed, the only concrete numbers I've ever seen 
about SPF adoption were percentages of domains publishing SPF records 
due to noises being made by MSN/Hotmail, _not_ checking SPF.

Nobody has a handle on how many have actually implemented SPF checking.

The only stats I've seen about backscatter volume pre/post SPF 
publication don't show any compelling reason to believe SPF made any 
difference.  There's no particular reason to believe that it's going to 
get any better either.

We publish, but do not check simply because of the noises that 
MSN/Hotmail were making.  Publishing (and erroneous checking) has 
probably caused more problems (elsewhere) than it's solved.