Re: [Asrg] VPNs

Bill Cole <> Wed, 08 July 2009 15:20 UTC

Daniel Feenberg wrote, On 7/7/09 8:14 AM:
> On Mon, 6 Jul 2009, Bill Cole wrote:
>> Alessandro Vesely wrote, On 7/6/09 6:35 AM:
> ...
>> The overwhelming majority of mail I am offered by the Gmail outbounds
>> is spam. Google has played games with how they will accept abuse
>> reports, giving the appearance of not really wanting them.
> Are these messages disguised in any way?

What do you mean by "any way?"

I do not retain most of them beyond the end of the SMTP session in which 
they are rejected, so I cannot speak to most of their headers. Most have in the envelope-from, but some do not.

> Just looking at my last week's
> mail, there are 120 messages with "" in the envelope-from. Two
> of these are spam, or about .2% of my incoming spam. Am I measuring the
> wrong thing?

Yes and no.

Note that I didn't say that I get much *volume* from the Gmail outbounds,
nor that they are the source of a large fraction of the spam that my server 
is offered, nor that all of the mail I was referring to was aimed at me 
personally or even to any address that has ever been valid.

However, a quick look at the spam that has made it to the point of delivery 
to my main account on that server tells me that about 20% of it is coming in 
via the 209.85.128/17 and 74.125/16 machines that match the SPF record for That's only a message or two per week: about half of what is 
offered by those clients for all valid addresses on that system and about a 
third of what they offer in total. In the past 40 days, the legitimate mail 
count for that system from Gmail is exactly 1, but that's artificially high 
because that one was a test message I sent to myself today to make sure that 
I was not missing valid messages in my log searches.

> Or do different users have a different experience of spam?

Is that a serious question? Assuming that it is: yes.

The spam experience of different users is not only non-uniform, it is not 
normally distributed across operationally useful populations like domains or 
receiving systems. Different users get very different volumes and different 
distinct types. The addresses that are targeted by huge volumes of 
completely fraudulent spam from easily-shunned botnets often get little or 
no spam from the 'snowshoe' spammers who like to claim CAN-SPAM compliance 
and may be advertising a product that some people willingly buy, and the 
419'ers who like to use freemail accounts may hit a completely different set 
of users.

> My account has been fairly public for over 15 years, so if an MTA were
> spewing a significant proportion of the world's spam, wouldn't I be
> getting some?

I don't believe I said that Google's MTAs were spewing a significant
proportion of the world's spam. Unless you consider the various spamming 
botnets as single entities across all of their nodes, no single entity is 
the source of a significant proportion of the world's spam.

What I did say (based on my own mailbox, my own small mail system with less 
than a dozen users, and some non-ISP, non-academic mail systems with a few 
score to a few thousand accounts) is that most of what Google's outbounds 
offer *to the sorts of systems I work with* is spam. That does not make them 
special among freemail providers, but freemail providers are an unusual 
species of SMTP client: continuously mixed ham/spam, majority spam, high 
total volume, and mixed spam and ham types (many of which are also seen from 
other types of clients.) This makes them part of the heavy lifting of spam 
control for receivers.
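
Added example, not part of the message above or of either correspondent's tooling: the two measurements discussed in the thread (delivered mail selected by envelope-from domain, versus everything offered by clients in the quoted 209.85.128/17 and 74.125/16 ranges, SMTP-time rejections included) computed over the same constructed records. The record layout, the placeholder domain `freemail.example` (the real domain is elided in the archive) and counting a rejection as unwanted mail are assumptions.

```python
import ipaddress
from collections import Counter

# Client ranges quoted in the message above.
FREEMAIL_NETS = [ipaddress.ip_network(n)
                 for n in ("209.85.128.0/17", "74.125.0.0/16")]
# Placeholder: the envelope-from domain is elided in the archived message.
FREEMAIL_DOMAIN = "freemail.example"

# Constructed sample records: (client_ip, envelope_from, verdict).
# verdict: "rejected" (refused during the SMTP session), or "spam"/"ham"
# for mail that reached the point of delivery.
SAMPLE = [
    ("209.85.130.10", "a@freemail.example", "rejected"),
    ("209.85.200.7",  "b@other.example",    "rejected"),
    ("74.125.3.44",   "c@freemail.example", "spam"),
    ("74.125.9.1",    "d@freemail.example", "ham"),
    ("209.85.127.9",  "e@freemail.example", "ham"),   # just outside the /17
    ("192.0.2.25",    "f@freemail.example", "spam"),  # unrelated client, same domain
    ("198.51.100.8",  "g@other.example",    "ham"),
]

def from_freemail_net(ip):
    """True if the connecting client is inside one of the quoted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in FREEMAIL_NETS)

def by_client(records):
    """Verdict counts for everything offered by clients in the ranges."""
    return Counter(v for ip, _, v in records if from_freemail_net(ip))

def by_envelope_delivered(records):
    """Verdict counts for delivered mail whose envelope-from uses the domain."""
    return Counter(
        v for _, sender, v in records
        if v != "rejected"
        and sender.rsplit("@", 1)[-1].lower() == FREEMAIL_DOMAIN
    )

def unwanted_fraction(counts):
    """Share of counted mail that was rejected or delivered as spam."""
    total = sum(counts.values())
    return (counts["rejected"] + counts["spam"]) / total if total else 0.0

if __name__ == "__main__":
    for name, fn in (("by client range", by_client),
                     ("by envelope-from, delivered only", by_envelope_delivered)):
        c = fn(SAMPLE)
        print(f"{name}: {dict(c)} unwanted={unwanted_fraction(c):.2f}")
```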