Re: [Asrg] What are the IPs that sends mail for a domain?

Ian Eiloart <iane@sussex.ac.uk> Thu, 02 July 2009 16:46 UTC


--On 2 July 2009 12:27:57 -0400 Chris Lewis <clewis@nortel.com> wrote:

> Bill Cole wrote:
>> Ian Eiloart wrote, On 7/2/09 6:23 AM:
>
>>> Exercise for the reader: why aren't spammers using the @ibm.com domain?
>>
>> You provided the answer before the question.
>
> Somewhat.  Because spammers _are_ using @ibm.com too.  I got samples ;-)

Ok, but it's trivial to reject them after checking SPF.

> Anybody saying "spammers don't do X" and "spammers do X" are wrong at
> least some of the time.  Except for the obvious tautology that "spammers
> spam".
>
>> Forged sender addresses are predominantly harvested rather than purely
>> invented or recombinantly assembled.
>
> IOW: the biggest asset spammers have is lists of potential spam victims'
> email addresses.
>
> What better place to get the email addresses to forge as sender than from
> the exact same list?  Is it so hard to imagine that a bot might do this
> or some variation?
>
> 1) Read a bunch of addresses
> 2) Spam the bunch of addresses, forged with one of the bunch as sender
> 3) Goto step 1
>
> Various corollaries:
>
> - If you get spam, you're probably being forged as sender in other spam.
>
> - If they're hitting valid addresses, then there will be blowback _to_
> valid addresses.



-- 
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/