RE: [Asrg] Some data on the validity of MAIL FROM addresses

Vernon Schryver <vjs@calcite.rhyolite.com> Mon, 19 May 2003 21:53 UTC

From: Vernon Schryver <vjs@calcite.rhyolite.com>
Message-Id: <200305192149.h4JLnYXx027185@calcite.rhyolite.com>
To: asrg@ietf.org
Subject: RE: [Asrg] Some data on the validity of MAIL FROM addresses
References: <MBEKIIAKLDHKMLNFJODBCENDFDAA.eric@purespeed.com>
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Mon, 19 May 2003 15:49:34 -0600

> From: "Eric Dean" <eric@purespeed.com>

> > >  For example, if 90% of spam is forged, then RMX, C/R, and
> > > authentication schemes could do a lot against spam (modulo their
> > > other problems).
>
> It's not a large step to estimate that 90% of spam is forged.

What justifies that step?  The available numbers and simple logic seem
to say something quite different.


> 1) However, much of that spam can be filtered using simple sender domain
> checks.  Many spammers use bogus domains and maybe 5-10% of spam is dropped
> accordingly.

That's not what I see.  About 192 or 0.6% of the last 27,972 spam
caught by my traps had bogus sender domain names.  Since modern
versions of sendmail and other MTAs usually require that the sender
domain exist, the surprise is that even that small amount of spam
has bogus sender domains.


> 2) The next value is to do a HELO hostname check..about 10-20% is dropped as
> well.  However, there are casualties for very large companies...such as
> bellsouth and verizon whereby I have to punch holes in my filters.
> 3) Then I could be more aggressive and apply a reverse-dns check on the
> initiating source IP.  Doing so is also effective, however, all DSL and
> carrier Dial networks in-addr their IP pools...yet many mail admins don't.
> I have about another 5-10% of my spam come from unresolved IPs..but instantly
> the phones light up..cost me money..and I'm out of business.  The tough-love
> approach is suicidal stupidity.
> 4) Then OK, so now we go with RBL, to identify the pools..that'll
> work..costs non-trivial money..but it works for that flavor of spam..maybe
> 5%.

Are those numbers based on measurements or intuition?


> ...
> My lesson in futility was that the only successful anti-spam method is a
> distributed one.

I like the word "distributed," but I don't understand that reasoning.


Vernon Schryver    vjs@rhyolite.com
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
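The "sender domain check" the thread argues about, as an added example that is not from either poster: the envelope sender's domain must resolve to an MX record or, failing that, an A record, and the null sender is always accepted. The DNS table and trap log below are constructed so the example runs offline; a deployment would replace `fake_resolver` with a real DNS lookup (assumed names, not a real MTA's API).

```python
import re
from typing import Callable, Dict, Iterable, Set, Tuple

# Constructed DNS state for the demo: domain -> record types that exist.
# A real filter would query a resolver instead of this table.
FAKE_DNS: Dict[str, Set[str]] = {
    "example.com": {"MX", "A"},
    "mail.example.net": {"A"},   # no MX: falls back to the A record
    "example.org": {"MX"},       # MX only: still a valid sender domain
}

def fake_resolver(domain: str, rtype: str) -> bool:
    """Stand-in for a DNS lookup: does `domain` have a record of type `rtype`?"""
    return rtype in FAKE_DNS.get(domain.lower().rstrip("."), set())

def sender_domain_exists(mail_from: str,
                         resolve: Callable[[str, str], bool] = fake_resolver) -> bool:
    """Accept the null sender; otherwise require an MX or A record for the domain.
    Malformed addresses (no domain part) are rejected."""
    addr = mail_from.strip()
    if addr in ("", "<>"):
        return True
    m = re.fullmatch(r"<?([^<>@\s]+)@([^<>@\s]+)>?", addr)
    if not m:
        return False
    domain = m.group(2)
    return resolve(domain, "MX") or resolve(domain, "A")

# Constructed spam-trap log: one envelope sender per line.
TRAP_LOG = """\
<spammer@example.com>
<offer@mail.example.net>
<bounce@no-such-domain.invalid>
<x@example.org>
<>
<junk@bogus-host.invalid>
not-an-address
"""

def tally(lines: Iterable[str],
          resolve: Callable[[str, str], bool] = fake_resolver) -> Tuple[int, int]:
    """Return (rejected, total): the share of trap mail with a bogus sender domain."""
    total = rejected = 0
    for line in lines:
        if not line.strip():
            continue
        total += 1
        if not sender_domain_exists(line, resolve):
            rejected += 1
    return rejected, total

if __name__ == "__main__":
    r, t = tally(TRAP_LOG.splitlines())
    print(f"{r} of {t} senders ({100 * r / t:.1f}%) have a bogus sender domain")
```

Running the tally over a real trap corpus is how one gets a figure like the 192 of 27,972 quoted above; the check only catches domains that do not exist at all, not forged addresses at domains that do.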