Re: [Asrg] Some data on the validity of MAIL FROM addresses

Yakov Shafranovich <> Sun, 18 May 2003 18:49 UTC

From: Yakov Shafranovich <>
Subject: Re: [Asrg] Some data on the validity of MAIL FROM addresses
Date: Sun, 18 May 2003 14:49:49 -0400

At 03:34 AM 5/18/2003 -0400, Kee Hinckley wrote:

>Vernon has regularly made the claim that a significant proportion of
>spam messages have valid MAIL FROM's.  That means that bounces will
>go to the spammer.  This has significant ramifications for C/R
>systems (especially auto-respond ones) since it means that should
>they have to, spammers could respond to challenges.
>To test this theory, I took a day's worth of bounce logs from
> (2003-05-15).  These should be fairly normal logs.
>There's been a bit of an upswing from a recent virus attack, but
>otherwise these are pretty normal bounce logs for
>I ran a program which took each MAIL FROM address, parsed out the
>domain portion, looked up the MX record, and then connected to the
>SMTP port of the lowest numbered MX server.  I did a
>         HELO
>         MAIL FROM <>
>         RCPT TO <appropriate-address>
>         QUIT
>Note that a few sites bounced me at the HELO prompt (didn't like that
>I was on DSL, or that my name was  A few bounced at
>the MAIL FROM (didn't like one claimed that +
>wasn't a legal email character).  But the number of either of those
>was pretty low (less than half a dozen).  I'll do a better job of
>recording those separately in the future.
>In general though, it appears that Vernon is correct.  If my sample
>is representative, a large percentage of spam is coming from real
>email addresses.

I see a problem with this testing strategy - an SMTP server does not 
necessarily produce an error when receiving an RCPT TO command. See RFC 
2821, section 3.3:

"However, in practice, some servers do not perform recipient verification 
until after the message text is received.  These servers SHOULD treat a 
failure for one or more recipients as a "subsequent failure" and return a 
mail message as discussed in section 6.  Using a "550 mailbox not found" 
(or equivalent) reply code after the data are accepted makes it difficult 
or impossible for the client to determine which recipients failed."

And RFC 2821, Section 6.1.:

"If there is a delivery failure after acceptance of a message, the 
receiver-SMTP MUST formulate and mail a notification message."

Therefore, it is not possible to determine with certainty whether these 
accounts actually existed. A better testing strategy would actually send 
email to these accounts with the DATA command and watch for bounce 
messages. However, spammers can always choose to use a real email address 
as the return address and sending email to valid accounts in itself may be 
considered spam by the recipients.


Yakov Shafranovich / <>
SolidMatrix Research, a division of SolidMatrix Technologies, Inc.
"One who watches the wind will never sow, and one who keeps his eyes on
the clouds will never reap" (Ecclesiastes 11:4)

Asrg mailing list
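The exchange described in Kee's quoted post (HELO, MAIL FROM, RCPT TO, QUIT against the domain's MX) and the ambiguity Yakov raises (a 250 at RCPT TO does not prove the mailbox exists) can be shown side by side in code. The following is an added example, not code from either poster. It replaces the MX lookup and TCP connection with in-memory stand-in servers so it runs offline: one "strict" MX that checks recipients at RCPT TO, and one "deferred" MX that accepts every recipient and would only bounce after DATA, which from the client's side is indistinguishable from a catch-all domain. All host names, addresses and mailbox lists below are constructed.

```python
import re

# Constructed in-memory stand-ins for two kinds of MX so the probe runs offline.
# A real probe would resolve the MX record and open a socket to port 25 instead.


class FakeMX:
    """Minimal SMTP responder: just the verbs a HELO/MAIL/RCPT/QUIT probe uses."""

    def __init__(self, name, mailboxes, verify_at_rcpt):
        self.name = name                  # hypothetical MX host name
        self.mailboxes = set(mailboxes)   # local parts that actually exist
        self.verify_at_rcpt = verify_at_rcpt  # False = RFC 2821 s3.3 "subsequent failure" style
        self.transcript = []

    def greeting(self):
        return f"220 {self.name} ESMTP ready"

    def handle(self, line):
        self.transcript.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return f"250 {self.name}"
        if verb == "MAIL":
            return "250 2.1.0 sender ok"
        if verb == "RCPT":
            m = re.match(r"TO:<([^>]*)>", arg, re.I)
            if not m:
                return "501 5.5.2 syntax error in parameters"
            local = m.group(1).rpartition("@")[0].lower()
            # A deferred-verification (or catch-all) MX says 250 to every recipient here.
            if self.verify_at_rcpt and local not in self.mailboxes:
                return "550 5.1.1 mailbox not found"
            return "250 2.1.5 recipient ok"
        if verb == "QUIT":
            return "221 2.0.0 bye"
        return "502 5.5.1 command not implemented"


def probe(mx, address, helo="probe.example.test"):
    """Run the four-command probe and return (verdict, replies).

    'rejected' : 5xx at RCPT TO, the MX refused this recipient
    'accepted' : 2xx at RCPT TO, the mailbox MAY exist (a catch-all or a
                 post-DATA verifier gives exactly the same reply)
    'refused'  : greeting/HELO/MAIL refused before RCPT could be tested
    'tempfail' : 4xx at RCPT TO, no conclusion either way
    """
    replies = [mx.greeting()]
    if not replies[-1].startswith("2"):
        return "refused", replies
    for cmd in (f"HELO {helo}", "MAIL FROM:<>"):
        replies.append(mx.handle(cmd))
        if not replies[-1].startswith("2"):
            mx.handle("QUIT")
            return "refused", replies
    rcpt = mx.handle(f"RCPT TO:<{address}>")
    replies.append(rcpt)
    replies.append(mx.handle("QUIT"))
    if rcpt.startswith("5"):
        return "rejected", replies
    if rcpt.startswith("2"):
        return "accepted", replies
    return "tempfail", replies


# Constructed "MX lookup" table: domain -> lowest-preference MX.
MX_FOR_DOMAIN = {
    "strict.example.test": FakeMX("mx.strict.example.test", ["alice"], verify_at_rcpt=True),
    "deferred.example.test": FakeMX("mx.deferred.example.test", ["bob"], verify_at_rcpt=False),
}

# Constructed sample of MAIL FROM addresses pulled from a bounce log.
SAMPLE_ADDRESSES = [
    "alice@strict.example.test",     # exists, strict MX     -> accepted
    "nobody@strict.example.test",    # missing, strict MX    -> rejected
    "bob@deferred.example.test",     # exists, deferred MX   -> accepted
    "nobody@deferred.example.test",  # missing, deferred MX  -> accepted (!)
    "x@nomx.example.test",           # no MX at all
]


def tally(addresses):
    """Count probe verdicts; 'accepted' is an upper bound on valid addresses, not a count."""
    counts = {"rejected": 0, "accepted": 0, "refused": 0, "tempfail": 0, "nomx": 0}
    for addr in addresses:
        mx = MX_FOR_DOMAIN.get(addr.rpartition("@")[2].lower())
        if mx is None:
            counts["nomx"] += 1
            continue
        verdict, _ = probe(mx, addr)
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    print(tally(SAMPLE_ADDRESSES))
```

Of the three "accepted" results in the sample only two mailboxes exist; the probe cannot tell nobody@deferred.example.test apart from bob@deferred.example.test because that MX never says 550 at RCPT TO. Only the "rejected" bucket is a firm answer, and only about non-existence. Settling the "accepted" cases would require completing DATA and watching for a bounce, with the cost Yakov notes: that is real mail to possibly real people.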