Re: [Asrg] What are the IPs that sends mail for a domain?

Bill Cole <asrg3@billmail.scconsult.com> Thu, 02 July 2009 16:07 UTC

Return-Path: <asrg3@billmail.scconsult.com>
X-Original-To: asrg@core3.amsl.com
Delivered-To: asrg@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 766FF3A6A41 for <asrg@core3.amsl.com>; Thu, 2 Jul 2009 09:07:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[AWL=-0.100, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 59g-8ShBvK-j for <asrg@core3.amsl.com>; Thu, 2 Jul 2009 09:06:59 -0700 (PDT)
Received: from toaster.scconsult.com (www.scconsult.com [66.73.230.185]) by core3.amsl.com (Postfix) with ESMTP id 6E7593A6A2C for <asrg@irtf.org>; Thu, 2 Jul 2009 09:06:59 -0700 (PDT)
Received: from bigsky.scconsult.com (bigsky.scconsult.com [192.168.2.102]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by toaster.scconsult.com (Postfix) with ESMTP id D27848E3B9B for <asrg@irtf.org>; Thu, 2 Jul 2009 12:07:15 -0400 (EDT)
Message-ID: <4A4CDB33.9000908@billmail.scconsult.com>
Date: Thu, 02 Jul 2009 12:07:15 -0400
From: Bill Cole <asrg3@billmail.scconsult.com>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20090408 Eudora/3.0b2
MIME-Version: 1.0
To: Anti-Spam Research Group - IRTF <asrg@irtf.org>
References: <mailman.5.1245610801.29559.asrg@irtf.org> <4A3F76B8.2030409@terabites.com> <BBBA1F6A3752AE7B96888ECB@lewes.staff.uscs.susx.ac.uk> <4A48FB80.10709@billmail.scconsult.com> <800E7AE85B690B4BAC93F2CD@seana-imac.staff.uscs.susx.ac.uk> <20090630111105.GA12502@gsp.org> <DC4825E67EC4297FF587671B@seana-imac.staff.uscs.susx.ac.uk> <20090701150032.GB15652@verdi> <7ae58c220907010812s6831475fv485aa6a75baddb94@mail.gmail.com> <B615A07C0B45CC8ADA9F938A@seana-imac.staff.uscs.susx.ac.uk>
In-Reply-To: <B615A07C0B45CC8ADA9F938A@seana-imac.staff.uscs.susx.ac.uk>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Subject: Re: [Asrg] What are the IPs that sends mail for a domain?
X-BeenThere: asrg@irtf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: asrg@irtf.org
List-Id: Anti-Spam Research Group - IRTF <asrg.irtf.org>
List-Unsubscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=unsubscribe>
List-Archive: <http://www.irtf.org/mail-archive/web/asrg>
List-Post: <mailto:asrg@irtf.org>
List-Help: <mailto:asrg-request@irtf.org?subject=help>
List-Subscribe: <http://www.irtf.org/mailman/listinfo/asrg>, <mailto:asrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jul 2009 16:07:00 -0000

Ian Eiloart wrote, On 7/2/09 6:23 AM:
>
>
> --On 1 July 2009 11:12:13 -0400 Dotzero <dotzero@gmail.com> wrote:
>
>> On Wed, Jul 1, 2009 at 11:00 AM, John Leslie<john@jlc.net> wrote:
>>>
>>>   That's closer... But I'd argue that no SPF construct "authorizes"
>>> sending email. In practice, I think it's quite clear that SPF constructs
>>> merely express probabilities.
>>>
>>
>> What is the probability that you will receive legitimate email
>> originating from ibm.com?
>>
>> ibm.com text = "v=spf1 -all"
>
> Nil. They don't use the domain for outbound email. They use country
> specific subdomains like @uk.ibm.com.
[...]
> Exercise for the reader: why aren't spammers using the @ibm.com domain?

You provided the answer before the question.

Forged sender addresses are predominantly harvested rather than purely 
invented or recombinantly assembled. Forged sender spam is mostly the 
product of the blatantly criminal segment of spammers whose target lists are 
largely harvested from the web, Usenet, and the address books of compromised 
systems. In a world where there is a detectable fraction of sites making 
some effort to validate senders to the point of SMTP callbacks, the most 
economical approach for spammers forging the sender address is to just pull 
sender addresses from the same list as targets.

I see this most clearly in blowback like the bounce AOL sent me this 
morning. The original spam had been addressed to 'bill@aol.com' with the 
sender 'bill@scconsult.com'. That's an address I've used in very public ways 
for 15 years, making it a frequent spam target. 99%+ of the direct spam for 
it I never see, particularly the flavors using forged senders, but nearly 
all of the blowback I get for it is from spam aimed at alphabetically nearby 
targets.
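
The quoted record `ibm.com text = "v=spf1 -all"` says, as policy, that no host is a legitimate source for that domain, which is why a receiver that checks SPF can reject any forgery of it without a callback. The following is an added example, not code from the thread or from any of its participants: a minimal SPF evaluator in Python covering the `ip4`, `ip6`, `include` and `all` terms, which is more than the thread's single `-all` case. It resolves records from an inline table instead of DNS; the `ibm.com` entry mirrors the record quoted above, while `example.net` and `_spf.example.org` are constructed for illustration, and `evaluate_spf` and `FAKE_TXT` are names chosen here.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (added example; not real DNS data).
# "ibm.com" mirrors the record quoted in the thread; the other two are made up.
FAKE_TXT = {
    "ibm.com": "v=spf1 -all",
    "example.net": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.org -all",
    "_spf.example.org": "v=spf1 ip4:198.51.100.10 ~all",
}

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, source_ip, lookup=FAKE_TXT, depth=0):
    """Evaluate the subset ip4/ip6/include/all of SPF for source_ip against domain.

    Returns one of: pass, fail, softfail, neutral, none, permerror.
    `lookup` maps a domain name to its SPF TXT string (here a constructed table).
    """
    if depth > 10:
        # RFC 4408 caps the number of DNS-dependent mechanisms at 10.
        return "permerror"
    record = lookup.get(domain.lower())
    if record is None or not record.lower().startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(source_ip)
    for term in record.split()[1:]:
        if "=" in term and ":" not in term:
            continue  # modifiers such as exp= are ignored in this subset
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            # "all" always matches; "-all" therefore fails every unlisted source.
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # A v4 address never matches a v6 network and vice versa.
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
        elif name == "include":
            # include: matches only when the referenced record yields "pass".
            if evaluate_spf(arg, source_ip, lookup, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            # a, mx, ptr and exists need real DNS and are not modelled here.
            return "permerror"
    return "neutral"  # no mechanism matched and no "all" term present


if __name__ == "__main__":
    for dom, src in [("ibm.com", "203.0.113.5"), ("example.net", "192.0.2.77"),
                     ("example.net", "198.51.100.10"), ("example.net", "203.0.113.5")]:
        print(f"{dom:18} from {src:15} -> {evaluate_spf(dom, src)}")
```

Against the table above, every source address evaluates to `fail` for `ibm.com`, which is the formal counterpart of the "Nil" answer in the quoted exchange; a record ending in `~all` only softfails, so a receiver that treats softfail as advisory still needs some other evidence before rejecting.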