[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Asrg] Lets Fix Mailing Lists

To: Vernon Schryver <vjs@calcite.rhyolite.com>
Subject: Re: [Asrg] Lets Fix Mailing Lists
From: Kee Hinckley <nazgul@somewhere.com>
Date: Sun, 9 Mar 2003 14:01:55 -0500
Cc: Asrg@ietf.org
In-reply-to: <200303090322.h293MkTv014479@calcite.rhyolite.com>
List-archive: <https://www1.ietf.org/pipermail/asrg/>
List-help: <mailto:asrg-request@ietf.org?subject=help>
List-id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-post: <mailto:asrg@ietf.org>
List-subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=subscribe>
List-unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>,<mailto:asrg-request@ietf.org?subject=unsubscribe>
References: <20030309024120.9707.qmail@prefix.emu.st><200303090322.h293MkTv014479@calcite.rhyolite.com>
Sender: asrg-admin@ietf.org

At 8:22 PM -0700 3/8/03, Vernon Schryver wrote:

If you believe as I do that the reason genuine mail forgery (as opposed
to using a legitimately owned Hotmail dropbox) fell off dramatically
a year or three ago is related to the laws criminalizing header forger,
then you don't need any crypto.  Simply have the MTU or MTU choose
and record a suitable RFC 2369 List-whatever header from the confirmation
message.

I don't see that forgery itself has fallen off. We detect most of our spam using forgery detection. However it does seem that forgery of random commercial domains has fallen off. I think they tend to use ISP addresses more, but I haven't done a really good analysis. A quick scan of my 20,000 or so spams shows 4000 unique domains in the from lines. The top ones are:

+---------------------------------+------+
| domain | cnt |
+---------------------------------+------+
| yahoo.com | 1740 |
| hotmail.com | 1496 |
| aol.com | 973 |
| msn.com | 448 |
| Mail.com | 214 |
| recessionspecials.com | 209 |
| lycos.com | 180 |
| | 178 |
| excite.com | 170 |
| free-gift-offers.com | 168 |
| juno.com | 148 |
| bluelightoffers.COM | 145 |
| email.com | 125 |
| clickformail.com | 122 |
| helpfuloffers.com | 121 |
| 163.com | 118 |
| GreatDealsDepot.net | 117 |
| earthlink.net | 108 |

That's all either ISPs or known spam domains.

On a personal note, I know that spam using @somewhere.com used to be a major problem (weekly blowbacks), but has now dropped off to almost nothing. On the other hand, that may be because people started blocking the domain.

Then too. There were a couple successful lawsuits against spammers by companies whose reputation had been damaged. They may have decided to keep the forgeries to domains where that argument wouldn't result in huge monetary claims.

At 8:43 PM -0700 3/8/03, Vernon Schryver wrote:

often using addresses from the target list.  However, they're still
not doing blatent forging as they were a few years ago.

The forging is there. It's more subtle. At least 90% of the spam we are filtering has something forged in the header, and I don't mean From doesn't match sending IP--we don't count that--that's legit. I don't really want to go into the details on-list. But it is there.
--
Kee Hinckley
http://www.puremessaging.com/ Junk-Free Email Filtering
http://commons.somewhere.com/buzz/ Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg

References:
- Re: [Asrg] Lets Fix Mailing Lists
  - From: Mark Delany
- Re: [Asrg] Lets Fix Mailing Lists
  - From: Vernon Schryver

Prev by Date: Re: [Asrg] Lets Fix Mailing Lists
Next by Date: RE: [Asrg] PKI and Filters
Previous by thread: Re: [Asrg] Lets Fix Mailing Lists
Next by thread: Re: [Asrg] Lets Fix Mailing Lists
Index(es):
- Date
- Thread