Re: [Asrg] spam down?

Dotzero <> Wed, 30 January 2013 19:15 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 2B4FA21F84FC for <>; Wed, 30 Jan 2013 11:15:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.285
X-Spam-Status: No, score=-2.285 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, NO_RELAYS=-0.001, SARE_MILLIONSOF=0.315]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 6teihdExAmoM for <>; Wed, 30 Jan 2013 11:15:40 -0800 (PST)
Received: from ( [IPv6:2a00:1450:4010:c03::22e]) by (Postfix) with ESMTP id 195F521F8886 for <>; Wed, 30 Jan 2013 11:15:39 -0800 (PST)
Received: by with SMTP id fq12so1395277lab.19 for <>; Wed, 30 Jan 2013 11:15:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:x-received:in-reply-to:references:date:message-id :subject:from:to:content-type; bh=TrD/4Y0fEWqkm4pjcWbfQwBu/QCHJuQ4YjtBj6+cs2s=; b=hJRBrD5AdQiF32sMN8N0hz0H38C+3eX2ZfnatHSrDEoXubQni/6nVzvxrtx63IENLm BthO2MsfBVh25Q36/NQS+kMqg/QQ7Y1eYj1wp8HWy3Bsv3rm4R2q1b5F2mz12f/gW0wU Czf72pJEEHm2a+vOF/Bfn1Kw3Q7nQex5GNGXM+jHMVJ6JgunYFOYGuDW3l5eXLq2zmUc 5wgaD4U+B6993C4HpbxqEamRdrtJIzea+VvzWAPld19bzLTPR+4cGMxcjLsQtN4eUQFE 49f38CKvwTACWt/sZX1iNn18NmGGrK8U7yeqDq0XVmzR448Mtak4XT4KWGdns5mLExRW ZrOw==
MIME-Version: 1.0
X-Received: by with SMTP id s3mr2296224lba.113.1359573325944; Wed, 30 Jan 2013 11:15:25 -0800 (PST)
Received: by with HTTP; Wed, 30 Jan 2013 11:15:25 -0800 (PST)
In-Reply-To: <>
References: <> <> <> <>
Date: Wed, 30 Jan 2013 14:15:25 -0500
Message-ID: <>
From: Dotzero <>
To: Anti-Spam Research Group - IRTF <>
Content-Type: text/plain; charset=ISO-8859-1
Subject: Re: [Asrg] spam down?
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <>
List-Id: Anti-Spam Research Group - IRTF <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 30 Jan 2013 19:15:41 -0000

On Wed, Jan 30, 2013 at 10:40 AM, Chris Lewis <> wrote:
> On 13-01-30 09:27 AM, Dotzero wrote:
>> I think it depends on what you mean by "relatively little effect".
>>>From my perspective - given the current statof adoption - it may not
>> have an effect on the overall ecosystem but it is certainly pushing
>> the bad guys from abusing (sending) domains that are implementing
>> strong email auth efforts to ones that are not.
> If that were true, I wouldn't be seeing millions of paypal, linkedin,
> et. al. impersonations a day.  But I do.

No difference in the nature/behavior in the spamming? I can't speak
for other brands in terms of the effect of email
authentication/validation but I have seen it make a difference for our
brands/domains. I know anecdotally that other brands have said the
same. This is why I wrote that "it depends on what you mean by
relatively little effect". I think we all know that spam/phishing is
all about the social engineer. That means there will be some amount of
friction pushing bad folks away from high value targets they wish to
leverage. When I've looked in the past I've seen differentiation in
abuse comparing financials that are aggressive in fighting abuse vs
those that are less clueful.

> Validation is so irrelevant that the spammers impersonate sites when
> it's clearly unnecessary.  They use their facebook impersonation
> templates to send out pill spam for crissakes.  If validation was making
> a difference, the ROI would suffer.  I can only guess it isn't.
> The reality is that you don't have to forge the From/sender/helo et. al.
> to successfully impersonate any domain.  Especially with the mail
> readers oh-so-carefully _not_ showing you the actual email address.

You are assuming that the place of email auth is at the MUA and let
the recipient figure it out. That IS an epic fail. And I agree with
you that showiing the display name and hiding the email address is

>> It would be interesting to see (I don't have the data) if there is any
>> kind of shift from sending spam targeting accounts at mailbox
>> providers that validate to targeting (preferentially) accounts at
>> mailbox providers that don't.
> Most spoofers are already bypassing validation.  So why would it matter
> to them whether the mailbox provider is validating or not?

So I take it you aren't a fan of email authentication at all. I think
we'll have to agree to disagree.