RE: [Asrg] Some data on the validity of MAIL FROM addresses

Kee Hinckley <nazgul@somewhere.com> Fri, 23 May 2003 21:49 UTC

Message-Id: <p0600130fbaf441d4ad93@[192.168.1.104]>
In-Reply-To: <16076.18492.891355.676339@world.std.com>
References: <01C31F2F.24E92910.eric@infobro.com> <16076.18492.891355.676339@world.std.com>
To: Barry Shein <bzs@world.std.com>
From: Kee Hinckley <nazgul@somewhere.com>
Subject: RE: [Asrg] Some data on the validity of MAIL FROM addresses
Cc: asrg@ietf.org
Date: Fri, 23 May 2003 17:29:45 -0400

At 11:47 PM -0400 5/21/03, Barry Shein wrote:
>  > > As I noted in my mail.  This appears to be happening now--although I
>  > > had not seen symptoms of it before.  Is anyone else starting to see
>  > > low-level occasional bounce back from spam?
>  > >
>  > > Prior to that, all of the bounce-back instances I had heard of or
>  > > experienced (and I used to get one or two a week) were major--where
>  > > the entire spam load got sent out with the same return address.
>
>Could this be that spammer tactic where they pair names and forge the
>From: to appear to be coming from someone they think you might have
>whitelisted?

I've seen pairing, although it could just be pairing by domain, 
rather than a database of pairs.

The other thing I've noticed is spam coming in for several users at a 
host, with the subject customized for one of them.  So the spammer is 
doing some limited amount of per-user customization, but rather than 
send 10 messages to a single server, they are sending one message to 
all recipients at that server.  Only one of the recipients gets the 
correct customization.

What I find particularly intriguing about the above was that the 
recipients were per mail *server*, not domain.  In other words, I 
would get a single spam message with multiple recipients, one of whom 
was at hinckley.com, and another at somewhere.com, the only 
relationship being that they shared the same mail server.  So someone 
is pre-sorting their spam database by MX records, and then doing 
form-based mailings to the first recipient for the given MX.  A 
compromise between speed and attractiveness of the message.
-- 
Kee Hinckley
http://www.messagefire.com/          Junk-Free Email Filtering
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
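The pattern Kee describes (one message addressed to recipients in unrelated domains that happen to share an MX, with the Subject personalized for only one of them) is something a receiving filter can look for. The check below is an added example, not code from the post or from messagefire.com; the MX table and the sample message are constructed stand-ins for a real DNS lookup and a real delivery.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed MX table standing in for a resolver lookup (assumption: a real
# filter would query DNS). hinckley.com and somewhere.com are the domains the
# post says share a mail server; example.net is an unrelated control.
MX_TABLE = {
    "hinckley.com": "mail.somewhere.com",
    "somewhere.com": "mail.somewhere.com",
    "example.net": "mx.example.net",
}

def recipients(msg):
    """Return (local_part, domain) for every To:/Cc: address, lower-cased."""
    addrs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    out = []
    for _, addr in addrs:
        if "@" in addr:
            local, _, domain = addr.lower().rpartition("@")
            out.append((local, domain))
    return out

def shared_mx_multidomain(msg, mx_table=MX_TABLE):
    """True when recipients span two or more domains that all resolve to one MX host."""
    domains = {d for _, d in recipients(msg)}
    if len(domains) < 2:
        return False
    hosts = {mx_table.get(d) for d in domains}
    return len(hosts) == 1 and None not in hosts

def personalized_count(msg):
    """How many recipients have their local part echoed in the Subject."""
    subject = (msg.get("Subject") or "").lower()
    return sum(1 for local, _ in recipients(msg)
               if re.search(r"\b%s\b" % re.escape(local), subject))

def score(raw, mx_table=MX_TABLE):
    """Return the list of heuristic hits for one raw RFC 2822 message."""
    msg = message_from_string(raw)
    reasons = []
    if shared_mx_multidomain(msg, mx_table):
        reasons.append("multi-domain recipients sharing one MX")
    if len(recipients(msg)) > 1 and personalized_count(msg) == 1:
        reasons.append("subject personalized for exactly one recipient")
    return reasons

# Constructed sample mirroring the message shape described in the post.
SAMPLE = """From: offers@example.org
To: nazgul@somewhere.com, kee@hinckley.com
Subject: nazgul, your account needs attention

body
"""
```

Both hits together are the signature of MX-sorted bulk mailing; either one alone is weak evidence and only worth a small weight in a scoring filter.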