Re: [Asrg] What are the IPs that sends mail for a domain?

Ian Eiloart <iane@sussex.ac.uk> Thu, 02 July 2009 10:24 UTC

Return-Path: <iane@sussex.ac.uk>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 4A67F3A67D2 for <asrg@core3.amsl.com>; Thu, 2 Jul 2009 03:24:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.781
X-Spam-Level:
X-Spam-Status: No, score=-1.781 tagged_above=-999 required=5 tests=[AWL=-0.578, BAYES_00=-2.599, MIME_QP_LONG_LINE=1.396]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9keaIXEmm6iy for <asrg@core3.amsl.com>; Thu, 2 Jul 2009 03:24:14 -0700 (PDT)
Received: from sivits.uscs.susx.ac.uk (sivits.uscs.susx.ac.uk [139.184.14.88]) by core3.amsl.com (Postfix) with ESMTP id 633503A6D38 for <asrg@irtf.org>; Thu, 2 Jul 2009 03:23:58 -0700 (PDT)
Received: from seana-imac.staff.uscs.susx.ac.uk ([139.184.132.137]:58795) by sivits.uscs.susx.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.64) (envelope-from <iane@sussex.ac.uk>) id KM5GWD-000IT8-9K for asrg@irtf.org; Thu, 02 Jul 2009 11:24:13 +0100
Date: Thu, 02 Jul 2009 11:23:53 +0100
From: Ian Eiloart <iane@sussex.ac.uk>
Sender: iane@sussex.ac.uk
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <B615A07C0B45CC8ADA9F938A@seana-imac.staff.uscs.susx.ac.uk>
In-Reply-To: <7ae58c220907010812s6831475fv485aa6a75baddb94@mail.gmail.com>
References: <mailman.5.1245610801.29559.asrg@irtf.org> <4A3F76B8.2030409@terabites.com> <BBBA1F6A3752AE7B96888ECB@lewes.staff.uscs.susx.ac.uk> <4A48FB80.10709@billmail.scconsult.com> <800E7AE85B690B4BAC93F2CD@seana-imac.staff.uscs.susx.ac.uk> <20090630111105.GA12502@gsp.org> <DC4825E67EC4297FF587671B@seana-imac.staff.uscs.susx.ac.uk> <20090701150032.GB15652@verdi> <7ae58c220907010812s6831475fv485aa6a75baddb94@mail.gmail.com>
Originator-Info: login-token=Mulberry:01HNw9DYU9q3JdSZFviAKPUbCAglReZ38CkUc=; token_authority=support@its.sussex.ac.uk
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
X-Sussex: true
X-Sussex-transport: remote_smtp
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2009 10:24:17 -0000

--On 1 July 2009 11:12:13 -0400 Dotzero <dotzero@gmail.com> wrote:

> On Wed, Jul 1, 2009 at 11:00 AM, John Leslie<john@jlc.net> wrote:
>>
>>   That's closer... But I'd argue that no SPF construct "authorizes"
>> sending email. In practice, I think it's quite clear that SPF constructs
>> merely express probabilities.
>>
>
> What is the probability that you will receive legitimate email
> originating from ibm.com?
>
> ibm.com text = "v=spf1 -all"

Nil. They don't use the domain for outbound email. They use country-specific 
subdomains like @uk.ibm.com.

I'm not sure why they publish MX records for @ibm.com - perhaps they have 
some initial contact addresses @ibm.com, but don't reply using that domain.

It's very sensible of them to use the -all spf record, adding a little 
protection for their brand reputation.

Alternatively, this is a massive cock-up and a huge potential 
embarrassment. I don't think so, though. Our logs from June show no inbound 
email (either accepted or rejected) from the @ibm.com domain, but
a few dozen emails from @uk.ibm.com and some from the 'be', 'ca', 'us', 
'jp', 'hu' subdomains of ibm.com.

Exercise for the reader: why aren't spammers using the @ibm.com domain?
-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
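The record quoted above, "v=spf1 -all", and the subdomain point Ian makes can be checked mechanically. The Python below is an added example for this archive page, not code from the thread or from any of its participants. It implements a small subset of RFC 7208 SPF evaluation (the ip4, ip6, a, mx, include and all mechanisms plus the redirect modifier) over a constructed in-memory DNS table so it runs offline. Only the ibm.com record is the one quoted in the thread; the uk.ibm.com record, its MX host, every IP address, and the example.net and broken.example records are assumptions made up for this illustration.

```python
"""Minimal SPF (RFC 7208 subset) evaluator over a constructed DNS fixture."""
import ipaddress

# Constructed DNS fixture standing in for real lookups. ibm.com is the record
# quoted in the thread; everything else here is an assumption for illustration.
DNS_TXT = {
    "ibm.com": "v=spf1 -all",
    "uk.ibm.com": "v=spf1 ip4:198.51.100.0/24 mx -all",
    "example.net": "v=spf1 include:uk.ibm.com ~all",
    "broken.example": "v=spf1 include:nosuch.example -all",
}
DNS_MX = {"uk.ibm.com": ["mx1.uk.ibm.com"]}
DNS_A = {"mx1.uk.ibm.com": ["198.51.100.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10  # bound on include/redirect nesting, mirroring the RFC's lookup limit


def _addresses(hostname):
    """IP addresses the fixture returns for a hostname (empty if unknown)."""
    return [ipaddress.ip_address(a) for a in DNS_A.get(hostname, [])]


def check_host(ip, domain, depth=0):
    """Return the SPF result for a connection from `ip` claiming `domain`.

    Supports ip4/ip6/a/mx/include/all and redirect=; CIDR suffixes on a/mx
    and the exists/ptr mechanisms are deliberately left out.
    """
    if depth > MAX_DEPTH:
        return "permerror"
    record = DNS_TXT.get(domain.lower())
    if record is None:
        return "none"  # no record: SPF says nothing about this domain
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    redirect = None
    for term in terms[1:]:
        if "=" in term:  # modifier (redirect=, exp=, ...)
            key, _, value = term.partition("=")
            if key.lower() == "redirect":
                redirect = value
            continue  # unknown modifiers are ignored, as the RFC requires
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            # ip_network.__contains__ is False across address families
            matched = addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = addr in _addresses(arg or domain)
        elif name == "mx":
            matched = any(addr in _addresses(h) for h in DNS_MX.get(arg or domain, []))
        elif name == "include":
            inner = check_host(ip, arg, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # include of a record-less target is a permanent error
            matched = inner == "pass"
        else:
            return "permerror"  # unknown mechanism
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_host(ip, redirect, depth + 1)
    return "neutral"  # fell off the end with no 'all' and no redirect


if __name__ == "__main__":
    # Constructed sample connections; 203.0.113.5 plays a forger's host.
    for ip, domain in [("203.0.113.5", "ibm.com"),
                       ("198.51.100.7", "uk.ibm.com"),
                       ("203.0.113.5", "uk.ibm.com"),
                       ("203.0.113.5", "nosuch.ibm.com"),
                       ("203.0.113.5", "example.net")]:
        print(f"{ip:>14} claiming {domain:<18} -> {check_host(ip, domain)}")
```

Two things the output makes concrete. First, any host at all claiming @ibm.com gets "fail", which is the result a receiver actually rejects on; that is the brand protection Ian describes. Second, SPF does not inherit down the tree: uk.ibm.com is evaluated against its own record, and a subdomain with no record at all (nosuch.ibm.com here) yields "none", so the parent's -all on its own says nothing about forged mail from other subdomains.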