Re: [Asrg] Horses

Ian Eiloart <> Tue, 23 June 2009 11:42 UTC

Date: Tue, 23 Jun 2009 12:42:23 +0100
From: Ian Eiloart <>
To: Anti-Spam Research Group - IRTF <>
Subject: Re: [Asrg] Horses

--On 22 June 2009 13:04:29 -0500 Gordon Peterson <> wrote:

>  > Yes, that's why we've been working on mail authentication a la DKIM for
> The point being that Aunt Martha's machine can be compromised, such that
> even with her own IP, her habitual outgoing mail server, and her valid
> credentials, it might still be shipping spam.  It's not enough that it
> LOOKS like (or even IS) coming from her...

If Aunt Martha's spamming me, then I'll know it from the content. I can 
then help her fix the problem, provided the authentication tells me that 
her credentials have been used. Otherwise, I'll just put it down to 

If I don't know Aunt Martha, I'll still want to alert her or her ISP that 
she's spamming. I don't care who the owner of the botnet is, it's Aunt 
Martha that can fix her machine.

> just as it's not enough to see
> that mail has your friend's return E-mail address if it's actually
> Grouply spam.  It's far better to see whether the incoming e-mail with
> Martha's return address has all the typical things that Aunt Martha's
> mail messages ACTUALLY HAVE (for example, does it use the 'stationery'
> that she maybe 'always' uses?)  Again, this is analogous to what humans
> actually do when considering a suspect incoming e-mail message... does it
> look the way you'd expect mail FROM THAT SENDER to actually look?  What
> yellow or red flags is it flying?  This requires looking at the content,
> too.

Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see