Re: [Asrg] Horses

Ian Eiloart <iane@sussex.ac.uk> Tue, 23 June 2009 11:42 UTC

Return-Path: <iane@sussex.ac.uk>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EDC4B28C2B8 for <asrg@core3.amsl.com>; Tue, 23 Jun 2009 04:42:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.549
X-Spam-Level:
X-Spam-Status: No, score=-2.549 tagged_above=-999 required=5 tests=[AWL=0.050, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kt5x5N7QC1w9 for <asrg@core3.amsl.com>; Tue, 23 Jun 2009 04:42:08 -0700 (PDT)
Received: from sivits.uscs.susx.ac.uk (sivits.uscs.susx.ac.uk [139.184.14.88]) by core3.amsl.com (Postfix) with ESMTP id DCD473A6D0F for <asrg@irtf.org>; Tue, 23 Jun 2009 04:42:07 -0700 (PDT)
Received: from lewes.staff.uscs.susx.ac.uk ([139.184.134.43]:56947) by sivits.uscs.susx.ac.uk with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.64) (envelope-from <iane@sussex.ac.uk>) id KLOWJ7-000FXF-BY for asrg@irtf.org; Tue, 23 Jun 2009 12:42:43 +0100
Date: Tue, 23 Jun 2009 12:42:23 +0100
From: Ian Eiloart <iane@sussex.ac.uk>
Sender: iane@sussex.ac.uk
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
Message-ID: <A30994B494C335E908DD9AC1@lewes.staff.uscs.susx.ac.uk>
In-Reply-To: <4A3FC7AD.2060307@terabites.com>
References: <4A3FC7AD.2060307@terabites.com>
Originator-Info: login-token=Mulberry:01gjhB9euZr1rDpZVX7l71rbRo6LBiT+Ve96M=; token_authority=support@its.sussex.ac.uk
X-Mailer: Mulberry/4.0.8 (Mac OS X)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Sussex: true
X-Sussex-transport: remote_smtp
Subject: Re: [Asrg] Horses
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2009 11:42:09 -0000

--On 22 June 2009 13:04:29 -0500 Gordon Peterson <gep2@terabites.com> wrote:

>
>  > Yes, that's why we've been working on mail authentication a la DKIM for
>
> The point being that Aunt Martha's machine can be compromised, such that
> even with her own IP, her habitual outgoing mail server, and her valid
> credentials, it might still be shipping spam.  It's not enough that it
> LOOKS like (or even IS) coming from her...

If Aunt Martha's spamming me, then I'll know it from the content. I can 
then help her fix the problem, provided the authentication tells me that 
her credentials have been used. Otherwise, I'll just put it down to 
spoofing.

If I don't know Aunt Martha, I'll still want to alert her or her ISP that 
she's spamming. I don't care who the owner of the botnet is, it's Aunt 
Martha that can fix her machine.

> just as it's not enough to see
> that mail has your friend's return E-mail address if it's actually
> Grouply spam.  It's far better to see whether the incoming e-mail with
> Martha's return address has all the typical things that Aunt Martha's
> mail messages ACTUALLY HAVE (for example, does it use the 'stationery'
> that she maybe 'always' uses?)  Again, this is analogous to what humans
> actually do when considering a suspect incoming e-mail message... does it
> look the way you'd expect mail FROM THAT SENDER to actually look?  What
> yellow or red flags is it flying?  This requires looking at the content,
> too.
>

-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/
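One way to implement the distinction Ian draws above (her credentials really were used, versus someone merely spoofing her address), as an added Python example that is not part of the thread. It assumes the receiving MTA stamps an Authentication-Results header in the RFC 5451 syntax; the header values in the comments are constructed.

```python
"""Triage a reported spam message carrying Aunt Martha's address, following the
reasoning in the reply above: if the message authenticated for her domain, her
account or machine is the thing to fix; otherwise treat it as spoofing.

Added example, not part of the mailing-list thread.  Header syntax follows
RFC 5451 (Authentication-Results); all sample values are constructed.
"""
import re
from email.utils import parseaddr

# Matches "method=result" clauses such as "dkim=pass" or "spf=softfail",
# capturing the rest of the clause (e.g. " header.d=example.org") up to ';'.
_RESULT_RE = re.compile(r"(?P<method>dkim|spf)=(?P<result>\w+)(?P<props>[^;]*)")
# Pulls the authenticated identity out of the clause's properties.
_DOMAIN_RE = re.compile(r"(?:header\.d|header\.i|smtp\.mailfrom)=@?([^\s;]+)")


def parse_auth_results(header_value: str) -> dict:
    """Return {method: (result, domain_or_None)} for the dkim and spf clauses.

    Constructed input "mx.example.net; dkim=pass header.d=example.org"
    yields {"dkim": ("pass", "example.org")}.
    """
    results = {}
    for m in _RESULT_RE.finditer(header_value):
        d = _DOMAIN_RE.search(m.group("props"))
        # Identities may be full addresses (smtp.mailfrom=user@domain); keep the domain.
        domain = d.group(1).split("@")[-1].lower() if d else None
        results[m.group("method")] = (m.group("result").lower(), domain)
    return results


def triage(from_header: str, auth_results: str) -> str:
    """Classify a message whose From: address belongs to Aunt Martha.

    'credentials-used': DKIM or SPF passed for her From: domain, so the report
                        should go to her (or her ISP) to get the machine fixed.
    'spoofed'         : nothing authenticated for that domain; someone else is
                        using her address and there is nothing on her side to fix.
    """
    from_domain = parseaddr(from_header)[1].split("@")[-1].lower()
    res = parse_auth_results(auth_results)
    for method in ("dkim", "spf"):
        result, domain = res.get(method, ("none", None))
        if result == "pass" and domain == from_domain:
            return "credentials-used"
    return "spoofed"
```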