RE: [Asrg] Some data on the validity of MAIL FROM addresses

["Hallam-Baker, Phillip" <pbaker@verisign.com>]

The FROM address is being choosen to maximize the probability
the email is opened.

People trust what they know. They know AOL, Hotmail, yahoo.
It would be interesting to see whether the YAH addresses
decline over the next few months as they step up enforcement
on the legal front.


	Phill

> -----Original Message-----
> From: Scott Nelson [mailto:scott@spamwolf.com]
> Sent: Sunday, May 18, 2003 11:26 PM
> To: asrg@ietf.org
> Subject: Re: [Asrg] Some data on the validity of MAIL FROM addresses
> 
> 
> At 07:52 PM 5/18/03 -0600, Vernon Schryver wrote:
> >> From: Michael Rubel <asrg@mikerubel.org>
> >
> >> ad> Even worse, there is no proven connection between the 
> spam and the
> >> ad> hotmail/yahoo account which is allegedly the sender.  
> The data are
> >> ad> entirely consistent with spammers using lists of verified email
> >> ad> addresses to forge 'From:' lines.
> >>
> >> vs> That would be make sense only if the number of 
> hotmail/yahoo spam
> >> vs> sender addresses were proportional to the number of 
> hotmail/yahoo
> >> vs> addresses among all targets of spam.
> >
> >
> >> Wouldn't this objection only apply if you assume that spammers are
> >> selecting MAIL FROM: addresses uniformly?  That is, if you 
> assume each
> >> address in their lists is given equal probability?
> >
> >That's my point.  Spam source addresses are obviously not uniformly
> >distributed accross domain names.  Unless you make surprising
> >assumptions about spam target addresses, they are not uniformly
> >distributed accross those either.
> >
> >Why is that?  It cannot be because free provider mailboxes are harder
> >to check for validity.  Many large corporate domain names give no
> >indication that an invented address is bogus during the SMTP 
> transaction.
> >(Think about corporate MX servers and firewalls to see not only why
> >that is but why it must be, at least as SMTP is practised today.)
> >
> >It also cannot be because free provider addresses are good sender
> >addresses for spam, because a noticable albeit small minority of
> >organizations are like Rhyolite Software and reject all mail
> >apparently from strangers at free providers.  If you're going to
> >pick a random domain name, it would be better to pick any of the
> >Fortune 1000 not associated with a free provider.
> >
> 
> I would expect that /if/ the majority of return addresses are forged, 
> then the spammer would pick the domain at random from their collection
> of lists.
> 
> If that's right, and if a lot of spam is being forged, 
> (both are untested assumptions) 
> then the majority of forged spam would come from the domains which
> appear most often on the lists.  I.e. since there are many more 
> "big domain" email addresses, they would get forged more often.
> But the small domains would be forged sometimes.
> 
> So what domains /aren't/ showing up in spam?
> 
> I know striker.ottawa.on.ca has a lot of addresses on a lot 
> of spam lists,
> but checking the last 20,000 spams I received, not a single one 
> has the word "striker" in it anywhere.
> No fortune 1000 domains either.
> For the addresses checked, there was only one exception to 
> the rule that 
> spam has a return address that can be purchased for less than 
> $25.00 US,
> and that exception is notable.
> It's spamcop.net, who claims to have been joe-jobbed.
> 
> 
> Scott Nelson <scott@spamwolf.com>
> 
> _______________________________________________
> Asrg mailing list
> Asrg@ietf.org
> https://www1.ietf.org/mailman/listinfo/asrg
> 
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg