Re: [Asrg] Some data on the validity of MAIL FROM addresses

Scott Nelson <scott@spamwolf.com> Mon, 19 May 2003 03:28 UTC

Message-Id: <aT5vaIe86J8qbrFfW02@x>
To: asrg@ietf.org
From: Scott Nelson <scott@spamwolf.com>
Subject: Re: [Asrg] Some data on the validity of MAIL FROM addresses
Date: Sun, 18 May 2003 20:25:39 -0700

At 07:52 PM 5/18/03 -0600, Vernon Schryver wrote:
>> From: Michael Rubel <asrg@mikerubel.org>
>
>> ad> Even worse, there is no proven connection between the spam and the
>> ad> hotmail/yahoo account which is allegedly the sender.  The data are
>> ad> entirely consistent with spammers using lists of verified email
>> ad> addresses to forge 'From:' lines.
>>
>> vs> That would make sense only if the number of hotmail/yahoo spam
>> vs> sender addresses were proportional to the number of hotmail/yahoo
>> vs> addresses among all targets of spam.
>
>> Wouldn't this objection only apply if you assume that spammers are
>> selecting MAIL FROM: addresses uniformly?  That is, if you assume each
>> address in their lists is given equal probability?
>
>That's my point.  Spam source addresses are obviously not uniformly
>distributed across domain names.  Unless you make surprising
>assumptions about spam target addresses, they are not uniformly
>distributed across those either.
>
>Why is that?  It cannot be because free provider mailboxes are harder
>to check for validity.  Many large corporate domain names give no
>indication that an invented address is bogus during the SMTP transaction.
>(Think about corporate MX servers and firewalls to see not only why
>that is but why it must be, at least as SMTP is practised today.)
>
>It also cannot be because free provider addresses are good sender
>addresses for spam, because a noticeable albeit small minority of
>organizations are like Rhyolite Software and reject all mail
>apparently from strangers at free providers.  If you're going to
>pick a random domain name, it would be better to pick any of the
>Fortune 1000 not associated with a free provider.
>

I would expect that /if/ the majority of return addresses are forged, 
then the spammer would pick the domain at random from their collection
of lists.

If that's right, and if a lot of spam is being forged
(both are untested assumptions),
then the majority of forged spam would come from the domains which
appear most often on the lists.  I.e., since there are many more
"big domain" email addresses, they would get forged more often.
But the small domains would be forged sometimes.

So what domains /aren't/ showing up in spam?

I know striker.ottawa.on.ca has a lot of addresses on a lot of spam lists,
but checking the last 20,000 spams I received, not a single one 
has the word "striker" in it anywhere.
No Fortune 1000 domains either.
For the addresses checked, there was only one exception to the rule that 
spam has a return address that can be purchased for less than $25.00 US,
and that exception is notable.
It's spamcop.net, who claims to have been joe-jobbed.


Scott Nelson <scott@spamwolf.com>
