IETF Logo Mail Archive

Re: [Asrg] Some data on the validity of MAIL FROM addresses

Vernon Schryver <vjs@calcite.rhyolite.com> Mon, 19 May 2003 15:53 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA25036 for <asrg-archive@odin.ietf.org>; Mon, 19 May 2003 11:53:08 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h4JFM8R27166 for asrg-archive@odin.ietf.org; Mon, 19 May 2003 11:22:08 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4JFM8B27163 for <asrg-web-archive@optimus.ietf.org>; Mon, 19 May 2003 11:22:08 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA25027; Mon, 19 May 2003 11:52:38 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19Hmy2-0004H8-00; Mon, 19 May 2003 11:54:26 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19Hmy2-0004Gy-00; Mon, 19 May 2003 11:54:26 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4JFG6B26868; Mon, 19 May 2003 11:16:06 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4JFF3B26831 for <asrg@optimus.ietf.org>; Mon, 19 May 2003 11:15:03 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id LAA24877 for <asrg@ietf.org>; Mon, 19 May 2003 11:45:18 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19Hmqw-0004E4-00 for asrg@ietf.org; Mon, 19 May 2003 11:47:06 -0400
Received: from calcite.rhyolite.com ([192.188.61.3]) by ietf-mx with esmtp (Exim 4.12) id 19Hmqq-0004Dv-00 for asrg@ietf.org; Mon, 19 May 2003 11:47:00 -0400
Received: (from vjs@localhost) by calcite.rhyolite.com (8.12.9/8.12.9) id h4JFlg5m009783 for asrg@ietf.org env-from <vjs>; Mon, 19 May 2003 09:47:42 -0600 (MDT)
From: Vernon Schryver <vjs@calcite.rhyolite.com>
Message-Id: <200305191547.h4JFlg5m009783@calcite.rhyolite.com>
To: asrg@ietf.org
Subject: Re: [Asrg] Some data on the validity of MAIL FROM addresses
References: <p0600123cbaee92124128@[192.168.1.104]>
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Mon, 19 May 2003 09:47:42 -0600

> From: Kee Hinckley <nazgul@somewhere.com>

> >I would expect that /if/ the majority of return addresses are forged,
> >then the spammer would pick the domain at random from their collection
> >of lists.
>
> As I noted in my mail.  This appears to be happening now--although I 
> had not seen symptoms of it before.  Is anyone else starting to see 
> low-level occasional bounce back from spam?
>
> Prior to that, all of the bounce-back instances I had heard of or 
> experienced (and I used to get one or two a week) were major--where 
> the entire spam load got sent out with the same return address.

For more than a year I've heard from ISPs asking how to make the DCC
filter such bounces because they upset users.  For years there have
been occassional reports in news.admin.net-abuse.email of such bounces
and speculations that some spammers apply the obvious tactic of using
their target lists for their sender addresses.  I've occassionally
received such bounces.  The question isn't whether it happens, since
that's long settled, but how often it happens, and what if anything
people trying to stop spam should do in response.

Spam characteristics ebb and flow.  It's important to avoid making
generalizations from a single wave or one high tide.  Two or three weeks
ago I was seeing a more forged senders in my traps.  Within the last
week, that wave has broken and I've noticed an increase in spammer using
their own domains in Mail_From values.  I could speculate that sounds
from the FTC and New York have motivated a shift in tactics or that
Hotmail or Yahoo are doing something, but that would only be speculation.

Other recent waves include:

  - base64 encoding increased so much a month or two ago that I added
     special hand tools to the set I use to watch my spam traps.
     Those tools became important.  This week I've rarely used them.

  - the wave of <!-->HTML comment<--> spam has definitely crested.

  - some recent spam contains HTTP HREF URLs of the form
     http://xxx.example.com__foobar
    Does some HTML-aware MUA treat '__' like '/'?

  - some recent spam contains several purely garbage URLs in HREFs or
   two valid ones.  They're not even hidden (e.g. <A HREF="asdf"></A>)
   What's the point of telling spam targets to "click on this" when it
   is pure garbage?

  - I've finally seen what others have mentioned, "hashbusters" in
   HTML tables instead of bounded by <font></font> or other screens.
   The tables look perfectly valid and so visible to spam targets.
   So what's the point?


Vernon Schryver    vjs@rhyolite.com
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

v2.30.2 | Report a Bug | By Email | System Status