Re: [Asrg] Is there anything good enough? - Spoofing stats

Vernon Schryver <vjs@calcite.rhyolite.com> Wed, 07 May 2003 18:29 UTC

From: Vernon Schryver <vjs@calcite.rhyolite.com>
Message-Id: <200305071823.h47INdw4029570@calcite.rhyolite.com>
To: asrg@ietf.org
Subject: Re: [Asrg] Is there anything good enough? - Spoofing stats
References: <200305071058.57835@grx>
Date: Wed, 07 May 2003 12:23:39 -0600

> From: David Walker <antispam@grax.com>

> ...
> 1300 out of 3130 = 41% of all my denies are very high likelihood spoofs from 
> the popular domains
> 1050 out of 3130 = 34% are guaranteed spoofs (The helo name is not remotely 
> associated with the spoofed domain) from the popular domains.
> ...

What is your definition of "spoof" besides "HELO not remotely
associated with sender domain"?  Does your definition involve the
use of a sending address that is not the property of the sender?

Many perfectly legitimate owners of netscape.com and other free
provider mailboxes use those addresses as sender addresses in
their mail but send mail from unrelated ISPs.  Sometimes they do
this to avoid exposing their more private addresses to spam.  In
other cases port-25 filtering or other problems prevent them from
sending mail except through the unrelated ISP.

If your definition of "spoofed domain" includes the notion that
the spoofed address is not perfectly legitimate and owned by the
user sending the message, what would you suggest to those innocent
people?  By turning off the mail of those innocent people, would
RMX be creating problems?

If your definition includes some notion of forgery, how do you know
whether a message with unrelated sender address and reverse DNS domains
is spoofed or forged?  Do you have some way to ask the administrators
of the "spoofed" domain about the sender address?

I've recently seen a lot of spam with sender addresses in all of the
domains in your list.  Most of the names in your list are free providers,
but some are not.  I bet that much and probably most of the spam you've
seen with free provider sending address is not forged.  I've suspected
that spam with sender addresses from earthlink.net, msn.com, and aol.com
are forged, but how can anyone outside those organizations know?
Reading between the lines of today's front page "Wall Street Journal"
article suggests that much of the Earthlink spam may not be forged
in any real sense of the word.

See http://online.wsj.com/article/0,,SB105225593382372600,00.html if
you have a subscription.  The title is "Elusive Spammer Sends EarthLink
on Long Chase."  I've been unable to find the article on Google or
Yahoo, but it might appear there later this week.


Vernon Schryver    vjs@rhyolite.com
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg