Re: [Asrg] Some data on the validity of MAIL FROM addresses

[Markus Stumpf <maex-lists-spam-ietf-asrg@space.net>]

On Sun, May 18, 2003 at 03:34:14AM -0400, Kee Hinckley wrote:
> Vernon has regularly made the claim that a significant proportion of 
> spam messages have valid MAIL FROM's.  That means that bounces will 
> go the the spammer.  This has significant ramifications for C/R 
> systems (especially auto-respond ones) since it means that should 
> they have to, spammers could respond to challenges.

There would be an easy test method.
Modify the SMTP/Mail Server to send bounces not with an empty envelope
sender, but with a collector address. Also collect double bounces.
Then start counting. That way you will catch the bounces as they will
not be discarded by "store and forward" systems that have to accept what
will result in a double bounce.
By also recording the bounces you sent out and matching sender/dest
pairs the task would be rather trivial for people with e.g. spam traps.

I can't get my hands on a mailserver thats not in production and has
a large enough amount of mails for significant statistics.

As for the numbers:
From my experience /lot/ of sender addresses are faked. There is the
- keep username strategy
  abcdef@domain1 -> abcdef@domain2
  		 -> abcdef@domain3
  		 -> abcdef@domain4
		 [ ... ]
- 45jcz8fh@yahoo.com strategy (I see this mostly with yahoo addresses)
    A customer got abused and they relayed 57653 spam mails.
    They mostly grouped it in 8 messages per sender account (about 8700 unique)
    They were formed:
	0leba.tpbok@hotmail.com
	07k7m.ww9eq@hotmail.com
	dcf99.drafz@yahoo.com
	lmx6i.q8tge@hotmail.com
	6n4ss.2x6np@hotmail.com
	7gauv.9nc0n@yahoo.com
	g5ikw.qehld@hotmail.com
    all 8700. And from all the bounces I had seen NONE of them was
    valid.
    I put the list up at
	http://www.lamer.de/download/spamsender.txt.gz
    in case anyone is interested. The format is  "nnn  address" where
    "nnn" is the number of times the address was used as sender address.
    (uniq -c)
- the - what I call them - "nolist" group.
  They use
      OWNER-NOLIST-OFCDAILY*xxx**domain....@MAIL2.ASP-PLATFORM.COM
      OWNER-NOLIST-OFCDAILY*xxx**domain....@MAIL1.YOURMAILSOURCE.COM
      ...
  The bounces go back and are accepted (ad least they were before I put
  filters in) but they are abviously not evaluated as I always see
  the same (not existing/blocked) recipient lists tried over and over
  for months. So I am rather sure there is a bit bucket SMTP daemon
  accepting the messages.
- about 10% of the spam we (ought to) receive has
     - no valid A or MX record for the sender domain
       (slighty wrong figures because of the big@boss.com Sobig-A worm)
     - about 3-5% of the spam that bounces hangs in the queue (at least
       for a short time), because
	 - A/MX -> 127.0.0.1 or 0.0.0.0
	 - A/MX don't accept emails for 7 days period like
	      sales@websalesjet.net
	      claire@t9enterprises.com
	      *@online-shop-exchange.com
	      *@gratefulgeorge.us
	      *@healthfirs.org
	  ...

I doubt Vernons theory from my daily experience, but no, I have no real
numbers (s.a.)

	\Maex

-- 
SpaceNet AG            | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development |       D-80807 Muenchen    | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
 proportional to the amount of vacuity between the ears of the admin"
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg