Re: [Asrg] Some data on the validity of MAIL FROM addresses

Yakov Shafranovich <research@solidmatrix.com> Sun, 18 May 2003 18:49 UTC

Message-Id: <5.2.0.9.2.20030518144946.02f9ce00@solidmatrix.com>
To: asrg@ietf.org
From: Yakov Shafranovich <research@solidmatrix.com>
Subject: Re: [Asrg] Some data on the validity of MAIL FROM addresses
Date: Sun, 18 May 2003 14:49:49 -0400

At 03:34 AM 5/18/2003 -0400, Kee Hinckley wrote:

>Vernon has regularly made the claim that a significant proportion of
>spam messages have valid MAIL FROM's.  That means that bounces will
>go to the spammer.  This has significant ramifications for C/R
>systems (especially auto-respond ones) since it means that should
>they have to, spammers could respond to challenges.
>
>To test this theory, I took a day's worth of bounce logs from
>somewhere.com (2003-05-15).  These should be fairly normal logs.
>There's been a bit of an upswing from a recent virus attack, but
>otherwise these are pretty normal bounce logs for somewhere.com.
>
>I ran a program which took each MAIL FROM address, parsed out the
>domain portion, looked up the MX record, and then connected to the
>SMTP port of the lowest numbered MX server.  I did a
>         HELO somewhere.com
>         MAIL FROM <postmaster+AntiSpamAddressVerification@somewhere.com>
>         RCPT TO <appropriate-address>
>         QUIT
>Note that a few sites bounced me at the HELO prompt (didn't like that
>I was on DSL, or that my name was somewhere.com).  A few bounced at
>the MAIL FROM (didn't like somewhere.com--and one claimed that +
>wasn't a legal email character).  But the number of either of those
>was pretty low (less than half a dozen).  I'll do a better job of
>recording those separately in the future.
>
>[.....]
>In general though, it appears that Vernon is correct.  If my sample
>is representative, a large percentage of spam is coming from real
>email addresses.

I see a problem with this testing strategy - an SMTP server does not 
necessarily produce an error when receiving an RCPT TO command. See RFC 
2821, section 3.3:

----[snip]----
"However, in practice, some servers do not perform recipient verification 
until after the message text is received.  These servers SHOULD treat a 
failure for one or more recipients as a "subsequent failure" and return a 
mail message as discussed in section 6.  Using a "550 mailbox not found" 
(or equivalent) reply code after the data are accepted makes it difficult 
or impossible for the client to determine which recipients failed."
----[snip]----

And RFC 2821, Section 6.1.:

----[snip]----
"If there is a delivery failure after acceptance of a message, the 
receiver-SMTP MUST formulate and mail a notification message."
----[snip]----

Therefore, it is not possible to determine with certainty whether these 
accounts actually existed. A better testing strategy would actually send 
email to these accounts with the DATA command and watch for bounce 
messages. However, spammers can always choose to use a real email address 
as the return address and sending email to valid accounts in itself may be 
considered spam by the recipients.

Yakov

---------------------------------------------------------------------------------------------------
Yakov Shafranovich / <research@solidmatrix.com>
SolidMatrix Research, a division of SolidMatrix Technologies, Inc.
---------------------------------------------------------------------------------------------------
"One who watches the wind will never sow, and one who keeps his eyes on
the clouds will never reap" (Ecclesiastes 11:4)
---------------------------------------------------------------------------------------------------  
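A toy model of the two server behaviours RFC 2821 allows (verify at RCPT TO, or defer until after DATA and bounce) next to the two probe strategies discussed in this thread, as an added example that is not part of the original post. The server class, the mailbox list, the example.net addresses and the elided DATA body are all constructed for illustration.

```python
# Toy MTA model, constructed for this example; it is not a real SMTP server.
class ToySmtpServer:
    """With verify_at_rcpt=False the server accepts any RCPT TO and only finds
    the missing mailbox after DATA, when it must bounce (RFC 2821 3.3 / 6.1)."""
    def __init__(self, mailboxes, verify_at_rcpt):
        self.mailboxes = set(mailboxes)        # constructed list of local parts
        self.verify_at_rcpt = verify_at_rcpt
        self.bounces = []                      # (return_path, failed recipient)
        self._sender, self._rcpts = None, []

    def command(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return 250
        if verb == "MAIL":
            self._sender, self._rcpts = arg.split("<")[1].rstrip(">"), []
            return 250
        if verb == "RCPT":
            rcpt = arg.split("<")[1].rstrip(">")
            if self.verify_at_rcpt and rcpt.split("@")[0] not in self.mailboxes:
                return 550                     # rejected while the client can see it
            self._rcpts.append(rcpt)
            return 250
        if verb == "DATA":                     # toy: message text and final dot elided
            for rcpt in self._rcpts:
                if rcpt.split("@")[0] not in self.mailboxes:
                    self.bounces.append((self._sender, rcpt))  # "subsequent failure"
            return 250
        return 221 if verb == "QUIT" else 502

RETURN_PATH = "postmaster+AntiSpamAddressVerification@somewhere.com"

def rcpt_probe(server, address):
    """The HELO/MAIL/RCPT/QUIT probe from the thread; returns the RCPT TO reply code."""
    server.command("HELO somewhere.com")
    server.command(f"MAIL FROM:<{RETURN_PATH}>")
    code = server.command(f"RCPT TO:<{address}>")
    server.command("QUIT")
    return code

def delivery_probe(server, address):
    """The alternative from the reply: go through DATA and watch for a bounce."""
    server.command("HELO somewhere.com")
    server.command(f"MAIL FROM:<{RETURN_PATH}>")
    if server.command(f"RCPT TO:<{address}>") == 550:
        return "rejected-at-rcpt"
    server.command("DATA")
    server.command("QUIT")
    return "bounced" if (RETURN_PATH, address) in server.bounces else "delivered"
```

Against the deferring server, rcpt_probe returns 250 for an existing and a nonexistent mailbox alike, so a 250 at RCPT TO says nothing about validity; only the bounce after DATA separates the two cases.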

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg