Re: spam on old lists - was [89attendees] Fw: new important message

"John R Levine" <johnl@taugh.com> Fri, 15 April 2016 23:46 UTC

Return-Path: <johnl@taugh.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B250512DDA7 for <ietf@ietfa.amsl.com>; Fri, 15 Apr 2016 16:46:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1536-bit key) header.d=iecc.com header.b=U57qqwz4; dkim=pass (1536-bit key) header.d=taugh.com header.b=USKwCx/w
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0Bz2TNadXMRr for <ietf@ietfa.amsl.com>; Fri, 15 Apr 2016 16:46:42 -0700 (PDT)
Received: from miucha.iecc.com (abusenet-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:1126::2]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA53712DD89 for <ietf@ietf.org>; Fri, 15 Apr 2016 16:46:41 -0700 (PDT)
Received: (qmail 35643 invoked from network); 15 Apr 2016 23:46:39 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=iecc.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=8b3a.57117d5f.k1604; bh=rrJQrmxwLX3EFj8qE/2STxsjpwQKdCnrUmFOl/TmZ5E=; b=U57qqwz4e8McaM18CSdxHqYn1yVO+x+rYdNxIpFjVF62gxd3dG1T7gl/9P0MOHbzs2jPhuUU+mvtPCCOgueTPBbuzqOxZrJMOidHgRirfYsD0S0CUvxBhlEg2vbfIomn9iLK6/29ANNbuy39xu/ZR8w8ZpIDY1a9Ap/zkXH23bH743Og/dKBa3WTz1p7hc0W/z3l7Icb+2OVEQPLiwOHc7w6Hj1ro7liJCtxt1EN3Y6dEoYaCg+9FXMVVlC/7wuY
DKIM-Signature: v=1; a=rsa-sha256; c=simple; d=taugh.com; h=date:message-id:from:to:cc:subject:in-reply-to:references:mime-version:content-type:user-agent; s=8b3a.57117d5f.k1604; bh=rrJQrmxwLX3EFj8qE/2STxsjpwQKdCnrUmFOl/TmZ5E=; b=USKwCx/w7P2b4e+ITpU7flYM9m2pcmEJ1Odc3/4kNjygpuu+8wDM/sBBB4e9uYZyixvbl7EroG2KgFuNr0sNbL8c333CI271+TN+I1GTog/9f3Xw3zoWgacKpE1Oq+F7oKkUfixgtL10E8b4nyzogAXbw4oGYfdXYU1sl6azmBz4mU9dwXQhnt+fI4gCnUTVGCnOROuIImQaLcfOeLgi1dWq6tDFBneL2CdSuYPPFSt5hJBShExpPLeSLtuWAHe6
Received: from localhost ([IPv6:2001:470:1f07:1126::78:696d:6170]) by imap.iecc.com ([IPv6:2001:470:1f07:1126::78:696d:6170]) with ESMTPS (TLS1.0/X.509/SHA1) via TCP6; 15 Apr 2016 23:46:39 -0000
Date: Fri, 15 Apr 2016 19:46:38 -0400
Message-ID: <alpine.OSX.2.11.1604151938430.32352@ary.lan>
From: John R Levine <johnl@taugh.com>
To: Benson Schliesser <bensons@queuefull.net>
Subject: Re: spam on old lists - was [89attendees] Fw: new important message
In-Reply-To: <FBEF78BA-A260-4460-9090-F159D957531D@queuefull.net>
References: <20160415185238.6233.qmail@ary.lan> <FBEF78BA-A260-4460-9090-F159D957531D@queuefull.net>
User-Agent: Alpine 2.11 (OSX 23 2013-08-11)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/TQ9SqShPEbAGwA_iiuFhOHIRa2w>
Cc: ietf@ietf.org
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Apr 2016 23:46:43 -0000

> The spam message in this case did not originate from any client or host under my control. It did not transit via any of my mail relays. It was a forgery - it spoofed my email address in the From header, and unfortunately happened to match it up with a To header addressing an IETF mailing list to which I'm subscribed.

Yeah, this is a new trend: crooks harvest address books and then do 
(from,to) pairwise spamming to take advantage of the common trick of 
whitelisting addresses in the recipient's address book.

If you're seeing a lot of forgery, SPF, DKIM, and DMARC will help 
somewhat, but since DMARC famously can't tell the difference between 
forged spam and mailing lists, I wouldn't turn on any DMARC policies. 
History suggests that in a while the bad guys will buy a new spam list and 
your bounces will drop back to normal.  FWIW I've been using my iecc.com 
address since 1993 and my taugh.com address since 2002, both have been 
scraped out the wazoo but with normal filtering both remain quite usable.

> Otherwise the only fix that I can imagine is for the IETF to start 
> opportunistically filtering list message submissions based on DMARC, 
> SPF, and DKIM, as well as performing sender rewriting in the list 
> software. Like most things, I imagine the subscribers on this list have 
> opinions about this - and I'd be glad to hear them.

Given that we've seen only one or two spams of this sort leak through, I'm 
not inclined to do anything about it.  An interesting thing to do would be 
to instrument the mail, do the various DNSBL, SPF, DKIM, and DMARC checks 
on incoming mail and log the results in the message headers.  Then we can 
gather data to tell us what would happen if we used them to filter.

On my smallish system, I use a few conservative DNSBLs to block mail, 
which knocks out about 2/3 of it, then SPF and DKIM as part of the 
spamassassin score.  I check DMARC but don't do anything beyond logging it 
except for a handful of high risk domains like paypal.com where DMARC 
failure almost always means phish.

Regards,
John Levine, johnl@taugh.com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
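An added example (my own code, not anything from this thread or from the IETF's list software) of the "instrument the mail and gather data" idea in John's reply: it parses Authentication-Results and X-Spam-Status headers from a few constructed messages and counts what each candidate policy would have rejected, including the conservative one he describes of acting on DMARC failures only for a handful of high-risk domains. The sample headers, the `mx.example` authserv-id and the DNSBL heuristic (any SpamAssassin `RCVD_IN_` test other than the DNSWL ones) are assumptions.

```python
import re
from collections import Counter
from email import message_from_string

# Constructed sample messages (not real mail) with Authentication-Results and
# X-Spam-Status headers shaped like the ones amavisd-new adds on a list's MX.
SAMPLES = [
    "From: johnl@example.net\nAuthentication-Results: mx.example; dkim=pass header.d=example.net;"
    " spf=pass; dmarc=pass header.from=example.net\nX-Spam-Status: No, score=-2.0 tests=[RCVD_IN_DNSWL_NONE=-0.0001]\n\nlist post\n",
    "From: member@example.org\nAuthentication-Results: mx.example; dkim=none; spf=fail;"
    " dmarc=fail header.from=example.org\nX-Spam-Status: Yes, score=8.3 tests=[RCVD_IN_XBL=3.0,FORGED_MUA=2.0]\n\nforged (from,to) pair\n",
    "From: payments@paypal.com\nAuthentication-Results: mx.example; dkim=none; spf=fail;"
    " dmarc=fail header.from=paypal.com\nX-Spam-Status: No, score=3.1 tests=[HTML_MESSAGE=0.1]\n\nlow-scoring phish\n",
    "From: user@example.com\nAuthentication-Results: mx.example; dkim=fail header.d=example.com;"
    " spf=pass; dmarc=fail header.from=example.com\nX-Spam-Status: No, score=-1.0 tests=[DKIM_INVALID=0.1]\n\nlegit mail relayed by a list\n",
]
HIGH_RISK = {"paypal.com"}  # domains where a DMARC failure almost always means phish

def auth_results(msg):
    """Map each method in Authentication-Results to (result, {property: value})."""
    out = {}
    for clause in msg.get("Authentication-Results", "").split(";")[1:]:  # [0] is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
        if m:
            out[m.group(1)] = (m.group(2), dict(re.findall(r"(\w+\.\w+)=(\S+)", m.group(3))))
    return out

def spam_status(msg):
    """Return (score, set of SpamAssassin test names) from X-Spam-Status."""
    hdr = msg.get("X-Spam-Status", "")
    score = float(re.search(r"score=(-?[\d.]+)", hdr).group(1))
    tests = {t.split("=")[0] for t in re.search(r"tests=\[(.*?)\]", hdr).group(1).split(",")}
    return score, tests

# Candidate policies: each takes (auth results, score, tests) and says whether it would reject.
POLICIES = {
    "dnsbl": lambda a, s, t: any(n.startswith("RCVD_IN_") and not n.startswith("RCVD_IN_DNSWL") for n in t),
    "sa_score": lambda a, s, t: s >= 5,  # SpamAssassin's usual required=5 threshold
    "dmarc_all": lambda a, s, t: a.get("dmarc", ("none", {}))[0] == "fail",
    "dmarc_high_risk": lambda a, s, t: (a.get("dmarc", ("none", {}))[0] == "fail"
                                        and a["dmarc"][1].get("header.from") in HIGH_RISK),
}

def simulate(raw_messages, policies=POLICIES):
    """Count how many messages each candidate policy would have rejected (the what-if data)."""
    rejects = Counter()
    for msg in map(message_from_string, raw_messages):
        auth, (score, tests) = auth_results(msg), spam_status(msg)
        for name, rule in policies.items():
            rejects[name] += rule(auth, score, tests)
    return rejects
```

On the four samples the DMARC-everywhere policy is the only one that would also have rejected the legitimate list-relayed message, which is the false positive John's reply is cautioning against.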