Re: [Asrg] Is there anything good enough? - Spoofing stats

[David Walker <antispam@grax.com>]

On Wednesday 07 May 2003 01:23 pm, Vernon Schryver wrote:
> What is your definition of "spoof" besides "HELO not remotely
> associated with sender domain"?  Does you definition involve the
> use of a sending address that is not the property of the sender?

Sending addresses are the property of the domain.  Mail sent within the 
acceptable domain uses is not spoofed.  Mail sent through other channels to 
avoid domain policies is spoofed.

It seems to be a common misconception that addresses are the property of the 
sender.  If you want an address to be your property you can sign up for your 
own domain, otherwise they belong to the domain and the domain administrators 
set the policy for each domain.

I did a little checking on the existence of some of the addresses and 
yahoo.com and aol.com didn't generate an error if the account did not exist 
and the other accounts I checked did not exist.

> Many perfectly legitimate owners of netscape.com and other free
> provider mailboxes uses those addresses as sender addresses in
> their mail but send mail from unrelated ISPs.  Sometimes they do
> this to avoid exposing their more private addresses to spam.  In
> other cases port-25 filtering or other problems prevent them from
> sending mail except through the unrelated ISP.

They can use webmail.  The services most often impersonated are webmail 
services and the correct use of that service is via webmail or such other 
methods as that provider (hotmail,yahoo, etc) may permit.
Those that are not webmail all provide smtp and pop servers and that is the 
proper way to send mail through them.

> If your definition of "spoofed domain" includes the notion that
> the spoofed address is not perfectly legitimately and own by the
> user sending the message, what would you suggest to those innocent
> people?  By turning off the mail of those innocent people, would
> RMX be creating problems?

RMX doesn't turn off mail to innocent people.  RMX helps to ensure that users 
follow the policies of their domains.  No ISP that I know of blocks port 80 
or 443 and those are the correct method for sending messages via a WEBmail 
service unless the provider deems it acceptable to allow other methods.

> If your definition includes some notion of forgery, how do you know
> whether a message with unrelated sender address and reverse DNS domains
> is spoofed or forged?  Do you have some way to ask the administrators
> of the "spoofed" domain about the sender address?

In 316 of the 3130 (10%) they connected using either my own domain name or the 
IP address of my mail server as their helo domain.  That is clear and 
undeniable proof that their intent is not to innocently inform me of the 
latest Viagra substitute but rather to exploit possible holes in my rules in 
order to deliver their crap.

> I've recently seen a lot of spam with sender addresses in all of the
> domains in your list.  Most of the names in your list are free providers,
> but some are not.  I bet that much and probably most of the spam you've
> seen with free provider sending address is not forged.  I've suspected
> that spam with sender addresses from earthlink.net, msn.com, and aol.com
> are forged, but how can anyone outside those organizations know?
> Reading between the lines of today's front page "Wall Street Journal"
> article suggests that much of the Earthlink spam may not be forged
> in any real sense of the word.
>
> See http://online.wsj.com/article/0,,SB105225593382372600,00.html if
> you have a subscription.  The title is "Elusive Spammer Sends EarthLink
> on Long Chase."  I've been unable to find the article on Google or
> Yahoo, but it might appear there later this week.

I don't have a membership.  I look forward to reading it if it appears on a 
site that doesn't require a subscription.

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg