Re: [Asrg] Some data on the validity of MAIL FROM addresses

Fred Bacon <bacon@aerodyne.com> Sun, 18 May 2003 17:00 UTC

Received: from www1.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA12722 for <asrg-archive@odin.ietf.org>; Sun, 18 May 2003 13:00:21 -0400 (EDT)
Received: (from mailnull@localhost) by www1.ietf.org (8.11.6/8.11.6) id h4IGSsk23267 for asrg-archive@odin.ietf.org; Sun, 18 May 2003 12:28:54 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4IGSsB23264 for <asrg-web-archive@optimus.ietf.org>; Sun, 18 May 2003 12:28:54 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA12700; Sun, 18 May 2003 12:59:51 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19HRXZ-0004St-00; Sun, 18 May 2003 13:01:41 -0400
Received: from ietf.org ([132.151.1.19] helo=www1.ietf.org) by ietf-mx with esmtp (Exim 4.12) id 19HRXY-0004Sp-00; Sun, 18 May 2003 13:01:40 -0400
Received: from www1.ietf.org (localhost.localdomain [127.0.0.1]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4IGONB23194; Sun, 18 May 2003 12:24:23 -0400
Received: from ietf.org (odin.ietf.org [132.151.1.176]) by www1.ietf.org (8.11.6/8.11.6) with ESMTP id h4IGNHB23164 for <asrg@optimus.ietf.org>; Sun, 18 May 2003 12:23:17 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id MAA12649 for <asrg@ietf.org>; Sun, 18 May 2003 12:54:14 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19HRS8-0004S4-00 for asrg@ietf.org; Sun, 18 May 2003 12:56:04 -0400
Received: from mailman.aerodyne.com ([64.2.129.98]) by ietf-mx with esmtp (Exim 4.12) id 19HRS7-0004Rz-00 for asrg@ietf.org; Sun, 18 May 2003 12:56:03 -0400
Received: from benji.aerodyne.com (localhost [127.0.0.1]) by mailman.aerodyne.com (8.12.9/8.12.9) with ESMTP id h4IGvf6A031306; Sun, 18 May 2003 12:57:43 -0400
Received: from shamus.aerodyne.com (shamus.aerodyne.com [198.4.242.243]) by benji.aerodyne.com (8.12.9/8.12.5) with ESMTP id h4IGux4r009986; Sun, 18 May 2003 12:56:59 -0400
Subject: Re: [Asrg] Some data on the validity of MAIL FROM addresses
From: Fred Bacon <bacon@aerodyne.com>
To: Kee Hinckley <nazgul@somewhere.com>
Cc: asrg@ietf.org
In-Reply-To: <p06001254baeb12ff775c@[192.168.1.104]>
References: <p06001254baeb12ff775c@[192.168.1.104]>
Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="=-F0jHMDmI5G/669ww8WmI"
Organization: Aerodyne Research, Inc.
Message-Id: <1053277002.3851.31.camel@shamus.aerodyne.com>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.2.2 (1.2.2-5)
X-Spam-Tests: No. hits=-8 required=5 test=EMAIL_ATTRIBUTION, IN_REP_TO, PGP_SIGNATURE_2, QUOTED_EMAIL_TEXT, REFERENCES, REPLY_WITH_QUOTES, USER_AGENT_XIMIAN
X-Scanned-By: MIMEDefang 2.33 (www . roaringpenguin . com / mimedefang)
Sender: asrg-admin@ietf.org
Errors-To: asrg-admin@ietf.org
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
List-Archive: <https://www1.ietf.org/pipermail/asrg/>
Date: Sun, 18 May 2003 12:56:42 -0400

On Sun, 2003-05-18 at 03:34, Kee Hinckley wrote:
> Vernon has regularly made the claim that a significant proportion of 
> spam messages have valid MAIL FROM's.  That means that bounces will 
> go to the spammer.  This has significant ramifications for C/R 
> systems (especially auto-respond ones) since it means that should 
> they have to, spammers could respond to challenges.
> 
> To test this theory, I took a day's worth of bounce logs from 
> somewhere.com (2003-05-15).  These should be fairly normal logs. 
> There's been a bit of an upswing from a recent virus attack, but 
> otherwise these are pretty normal bounce logs for somewhere.com. 
> These are for addresses that do not, and have never, existed. 
> Because they got on the spammer's lists primarily because someone 
> entered the address on a web site, they get a mix of "true" spam and 
> just standard bulk mail.  However, if the bulkmailers are doing their 
> job, those addresses should be removed fairly quickly.  If they 
> aren't removing on bounces--then they look and smell a lot like 
> spammers.

<snip>

> In general though, it appears that Vernon is correct.  If my sample 
> is representative, a large percentage of spam is coming from real 
> email addresses.
> 
> I'll be making this data (and hopefully live updates to it) 
> available on the web, hopefully in the next few days.

A nice idea, but what we really need is the script you used to analyze
your logs.  Then additional data can be collected at a variety of
locations.  

I realize that there are many on this list who find data collection to
be pointless, but Kee Hinckley has shown this to be incorrect.  Vernon
Schryver's assertions were useless (even if correct) without hard
evidence, and Kee's data is insufficient without wider deployment.

Likewise, Vernon's followup that Kee is analyzing a different statement
than Vernon asserted is a legitimate concern.  The data analysis
methodology should be publicly vetted to ensure that it is providing
meaningful and accurate data.

Paul, is it possible for the www.irtf.org/asrg website to host log
analysis tools?  This is directly applicable to the list of Work Items.

-- 
Fred Bacon <bacon@aerodyne.com>
Aerodyne Research, Inc.
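The kind of log-analysis script this message asks for, as an added example that is not Kee Hinckley's tool and not part of the original thread. It assumes a sendmail-style delivery log in which each line records one attempt by the local MTA to return a bounce to the MAIL FROM address of a message that arrived for a mailbox that never existed, and it reads the enhanced status code (`dsn=`) on that line to decide whether the remote side accepted the bounce (2.x.x), rejected it permanently (5.x.x), or left it undetermined (4.x.x). The log lines, host names and queue ids below are constructed; the function names are the example's own.

```python
"""Estimate what fraction of MAIL FROM addresses on spam to never-existent
mailboxes are actually deliverable, from the fate of the bounces we send back.

Added example; log format and DSN interpretation are assumptions, and the
log lines are constructed, not taken from any real site."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sendmail-style lines: our MTA delivering a bounce (DSN) to the
# original MAIL FROM of a message addressed to a mailbox that never existed.
SAMPLE_LOG = """\
May 15 00:01:02 mx sendmail[1001]: h4F501a01001: to=<alice@example.net>, delay=00:00:01, dsn=2.0.0, stat=Sent (250 OK)
May 15 00:02:10 mx sendmail[1002]: h4F502a01002: to=<bob123@example.org>, delay=00:00:02, dsn=5.1.1, stat=User unknown
May 15 00:03:15 mx sendmail[1003]: h4F503a01003: to=<nobody@does-not-exist.invalid>, delay=00:00:30, dsn=5.1.2, stat=Host unknown
May 15 00:04:20 mx sendmail[1004]: h4F504a01004: to=<promo@example.com>, delay=00:00:01, dsn=2.0.0, stat=Sent (250 Ok: queued)
May 15 00:05:30 mx sendmail[1005]: h4F505a01005: to=<x@example.net>, delay=04:00:00, dsn=4.0.0, stat=Deferred: Connection timed out
"""

# Pull the recipient of the bounce and the enhanced status code from one line.
LINE_RE = re.compile(r"to=<(?P<addr>[^>]+)>.*?dsn=(?P<dsn>\d\.\d+\.\d+)")


@dataclass(frozen=True)
class BounceAttempt:
    address: str   # MAIL FROM of the original message, now the bounce recipient
    domain: str    # its domain part, for per-domain breakdowns
    dsn: str       # enhanced status code of our delivery attempt


def classify(dsn: str) -> str:
    """Map the DSN class to the fate of the bounce.

    2.x.x: remote MTA accepted it, so the MAIL FROM is at least deliverable
           (the property the thread is trying to measure).
    5.x.x: permanently rejected, so the MAIL FROM was forged or dead.
    4.x.x: temporary failure; still undetermined when the log was cut.
    """
    return {"2": "accepted", "5": "rejected"}.get(dsn.split(".", 1)[0], "undetermined")


def parse_line(line: str) -> Optional[BounceAttempt]:
    """Return a BounceAttempt for a delivery-status line, None for anything else."""
    m = LINE_RE.search(line)
    if not m:
        return None
    addr = m.group("addr").lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return BounceAttempt(addr, domain, m.group("dsn"))


def summarize(log_text: str) -> Dict[str, object]:
    """Count bounce fates overall and per domain; valid_fraction is the share of
    accepted bounces among those with a definite (2.x.x or 5.x.x) outcome."""
    totals: Counter = Counter()
    by_domain: Dict[str, Counter] = {}
    for line in log_text.splitlines():
        attempt = parse_line(line)
        if attempt is None:
            continue  # not a delivery-status line
        fate = classify(attempt.dsn)
        totals[fate] += 1
        by_domain.setdefault(attempt.domain, Counter())[fate] += 1
    determined = totals["accepted"] + totals["rejected"]
    return {
        "accepted": totals["accepted"],
        "rejected": totals["rejected"],
        "undetermined": totals["undetermined"],
        "valid_fraction": totals["accepted"] / determined if determined else None,
        "by_domain": {d: dict(c) for d, c in sorted(by_domain.items())},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The per-domain breakdown is what makes the methodology question in this thread visible: a domain that accepts every bounce may simply be a catch-all that accepts anything, so a 2.x.x count measures "the remote MTA took the bounce", not "a spammer reads that mailbox", and any site publishing figures from a script like this should say which of the two it is reporting.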