RE: [Asrg] TitanKey and "white lies"... (Faking SMTP hard errors "improves" C/R utility?)

Barry Shein <bzs@world.std.com> Sat, 31 May 2003 02:53 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA09408 for <asrg-archive@odin.ietf.org>; Fri, 30 May 2003 22:53:51 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h4V2rRU29082 for asrg-archive@odin.ietf.org; Fri, 30 May 2003 22:53:27 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4V2rQB29079 for <asrg-web-archive@optimus.ietf.org>; Fri, 30 May 2003 22:53:26 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA09403; Fri, 30 May 2003 22:53:19 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19LwT5-0004Ng-00; Fri, 30 May 2003 22:51:39 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19LwT4-0004Nd-00; Fri, 30 May 2003 22:51:38 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4V2pgB29057; Fri, 30 May 2003 22:51:42 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4V2otB29043 for <asrg@optimus.ietf.org>; Fri, 30 May 2003 22:50:55 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id WAA09363 for <asrg@ietf.org>; Fri, 30 May 2003 22:50:48 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19LwQd-0004NG-00 for asrg@ietf.org; Fri, 30 May 2003 22:49:07 -0400
Received: from pcls2.std.com ([199.172.62.104] helo=TheWorld.com) by ietf-mx with esmtp (Exim 4.12) id 19LwQd-0004ND-00 for asrg@ietf.org; Fri, 30 May 2003 22:49:07 -0400
Received: from world.std.com (root@world-f.std.com [199.172.62.5]) by TheWorld.com (8.12.8p1/8.12.8) with ESMTP id h4V2ojRX029249; Fri, 30 May 2003 22:50:45 -0400
Received: (from bzs@localhost) by world.std.com (8.9.3/8.9.3) id WAA22438; Fri, 30 May 2003 22:50:45 -0400 (EDT)
From: Barry Shein <bzs@world.std.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <16088.6277.157470.791966@world.std.com>
To: Vernon Schryver <vjs@calcite.rhyolite.com>
Cc: asrg@ietf.org
Subject: RE: [Asrg] TitanKey and "white lies"... (Faking SMTP hard errors "improves" C/R utility?)
In-Reply-To: <200305302330.h4UNUTLl006663@calcite.rhyolite.com>
References: <16087.57686.392469.463760@world.std.com> <200305302330.h4UNUTLl006663@calcite.rhyolite.com>
X-Mailer: VM 7.07 under Emacs 21.2.2
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Fri, 30 May 2003 22:50:45 -0400

On May 30, 2003 at 17:30 vjs@calcite.rhyolite.com (Vernon Schryver) wrote:
 > > At any rate, I wholeheartedly agree that it'd be nice to come to a
 > > meeting of them minds viz spammers' modus operandi.
 > 
 > A difference between spammers and the sun is that we know that spammers
 > have frequently changed in recent past.  If you look at much of the
 > spam you've often complained about, you know that every week brings
 > at least one new spammer trick.

I agree 100%, or at least 87.345%.

 > For example, I've recently seen a
 > new variation of the familiar quoted-printable tactics of obscuring
 > domain names in bodies.  The change looks like new spamware.  There
 > was also the use of a dotted hex quad to hide IP addresses which is
 > new only in the sense that I'd not seen it for many months.

I've lately been seeing them rotating case of domains between msgs and
then base64 encoding that,

	<A HREF="http://wWw.HoOp-dirECT.com">

	<A HREF="http://WwW.hOoP-DIrEcT.com">

which makes it harder to just match on the base64 encoding.

 > Say that you did find that 87.345% (or whatever) of all spammers today
 > respond to 550's.  Instead of sarcasm, please say what you would
 > conclude about next month.  How much money would you bet on your answer?
 > 
 > 
 > > Since World's mail queues are forever flooded with spam trying to
 > > bounce back, mostly with User Unknowns, and never get anywhere since
 > > the apparent returned host isn't interested my impressions are based
 > > on a little more than hearsay.
 > 
 > We all so strongly suspect that *some* spammers don't honor 550s that
 > we know it.  However, the fact that you see zillions of bounces is
 > not evidence for our common knowledge.  As stated, your impression is
 > worse than hearsay, because it does not exclude other obvious explanations.
 > 
 > You are doing something bad by insisting that current knowledge about
 > something we know spammers could easily change and have changed is
 > the same sort of knowledge as whether the sun will rise tomorrow.
 > Worse is your demand for belief in your version of the ephemeris based
 > only on vague references to your enormous experience and authority.
 > Please don't just mention your mail queues' floods, but say what you
 > see in a way that can be falsified.
 > 
 > It is a waste to try to stop what you wish spammers would do or what
 > they once did.  If you want that uselessness, you could write a simple
 > filter to reject mail with senders consisting of an 8-digit username
 > @aol.com.  I trust you remember when most spam fit that profile.

Don't you have the positive and negative propositions swapped here?

I said I doubt handing spammers 5xx's is going to do much good in the
long run, probably won't do much good now either.

I think it's up to someone asserting that handing them 5xx's will do
some good to support their assertion.

In general it seems more conservative to assume that if there's an
easy way around a "block" (e.g., ignore those 5xx's) a spammer will
take it.

The only exception I see off-hand is gray-area spammers who might be
subject to IP blocking, or those who use spamhauses, or similar, so
are concerned about sites which block IPs when they produce too many
User Unknowns.

Anyhow, an empirical method to see if this approach works at all, not
that I see how it really fits into the big picture (if you already
know it's spam and thus to respond with 5xx then the problem is solved
already, no?), has been proposed here now.

-- 
        -Barry Shein

Software Tool & Die    | bzs@TheWorld.com           | http://www.TheWorld.com
Purveyors to the Trade | Voice: 617-739-0202        | Login: 617-739-WRLD
The World              | Public Access Internet     | Since 1989     *oo*
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
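The case-rotation trick Barry describes above (the same HREF with its domain's letter case shuffled per message, then base64 transfer-encoded, so the encoded bytes never repeat) defeats any filter that matches on the raw encoded body. The usual answer on the filter side is to undo the transfer encoding and case-fold before matching, so the rotated variants collapse to one hostname. The following is an added illustration of that normalisation, not code from the message or from any product discussed in the thread; the two anchor strings are the ones quoted above, the blocklist entry and the helper names are made up for the example, and the regex is a deliberately narrow HREF extractor rather than a full HTML parser.

```python
import base64
import quopri
import re

# Constructed samples: the two anchors quoted in the message, differing
# only in the letter case of the domain.
VARIANT_A = '<A HREF="http://wWw.HoOp-dirECT.com">'
VARIANT_B = '<A HREF="http://WwW.hOoP-DIrEcT.com">'

# Narrow extractor for the hostname inside an HREF; case-insensitive so the
# rotated spelling is captured whole.  Not a general HTML parser.
HREF_RE = re.compile(r'href\s*=\s*["\']?\s*(?:https?://)?([a-z0-9.-]+)', re.IGNORECASE)


def encode_sample(html: str, transfer_encoding: str = "base64") -> bytes:
    """Produce a body the way the spamware would ship it (helper for the demo)."""
    data = html.encode("latin-1")
    if transfer_encoding == "base64":
        return base64.b64encode(data)
    if transfer_encoding == "quoted-printable":
        return quopri.encodestring(data)
    return data


def decode_body(raw: bytes, transfer_encoding: str) -> str:
    """Undo the Content-Transfer-Encoding so matching sees the real text."""
    enc = transfer_encoding.lower()
    if enc == "base64":
        return base64.b64decode(raw).decode("latin-1")
    if enc == "quoted-printable":
        return quopri.decodestring(raw).decode("latin-1")
    return raw.decode("latin-1")


def extract_hostnames(body: str) -> set:
    """Case-folded hostnames from every HREF in the decoded body ("www." stripped)."""
    hosts = set()
    for m in HREF_RE.finditer(body):
        host = m.group(1).lower().rstrip(".")
        if host.startswith("www."):
            host = host[4:]
        hosts.add(host)
    return hosts


def matches_blocklist(raw: bytes, transfer_encoding: str, blocklist: set) -> bool:
    """True if any hostname linked from the decoded body is on the blocklist."""
    wanted = {b.lower() for b in blocklist}
    return bool(extract_hostnames(decode_body(raw, transfer_encoding)) & wanted)


if __name__ == "__main__":
    blocklist = {"hoop-direct.com"}  # constructed entry for the demo
    for variant in (VARIANT_A, VARIANT_B):
        raw = encode_sample(variant)
        print(raw.decode(), "->", extract_hostnames(decode_body(raw, "base64")),
              "blocked" if matches_blocklist(raw, "base64", blocklist) else "passed")
```

The two encoded bodies share no common substring worth signaturing, yet both decode and fold to the same hostname; matching at that layer is what makes the rotation pointless, and the same decode-then-normalise step covers the quoted-printable obscuring Vernon mentions.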