
Re: [Asrg] Lets Fix Mailing Lists

2003-03-09 13:30:37
Vernon Schryver <vjs(_at_)calcite(_dot_)rhyolite(_dot_)com> wrote:
How do you determine that a given message has forged headers?

  I admit it's difficult.

Again, for the umpteenth time, you cannot compare the reverse DNS
domain of the SMTP client IP address with domains in the envelope or
the headers, with the possible exception of the HELO, to define forgery.
Mail from a Brazilian IP address carrying Hotmail sender is not
necessarily forged in any honest sense.

  No, but I'm getting spam from 1000's of unique IP's across the
planet.  Each IP is sending spam with many different 'from' lines,
some of which are for non-existent domains.  Others are for well-known
domains.  The various 'from' lines overlap among the source IP's.

  The odds of *all* of these messages being consensual are next to
zero.  The odds of 90% of them being intentionally forged are pretty
good.

If you define a mismatch between reverse DNS and HELO domains as
forgery, you'll say that at least 1% and perhaps more than 10% of
all otherwise completely legitimate mail is "forged."

  Sure.  But the odds are that spam is 90-99% forged in that way.

  It's not a perfect discriminator, but it's better than chance.

  A looks up MX, gets B.  B looks up MX, gets C.  C looks up MX, gets
A.  Happiness and frivolity ensue...

That's not how MX RRs work.  Please read pages 3 and 4 of RFC 974.

  Big deal.  Did I say I would use MX RR's?

  Let me re-phrase my explanation to make it a little simpler: I hack
my DNS server so that queries from one open relay get told that my MX
is another open relay.  The second open relay gets told my MX is the
first.  They bounce garbage back and forth until they decide they're
tired of it.

  Any protocol can be abused if you lie.  DNS & MX records are no
exception.

Did your physics teachers really say that two things are the same
if you merely don't go to the trouble to distinguish them?

  If the trouble is too expensive to be practical, yes.

  We can't tell the difference between many theories in high energy
particle physics, because we don't have the funds to build a
galaxy-sized particle accelerator.

  Similarly, if a header is "deceitful", and 90% of such traffic is
spam, and it's too expensive to verify the other 10%, the most
practical thing to do is often to lump it all in the same bin.

  Why should I pay for verifying that other people's traffic is not
spam, when they've intentionally engaged in many of the same
behaviours as the spammers?

  Alan DeKok.
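The exchange above argues about a single heuristic (does the registered domain of the SMTP client's reverse DNS name match the HELO domain?) and what its false-positive rate of "1% to 10%" against a spam hit rate of "90-99%" actually buys you. The following is an added example, not code from the thread or from either participant: it implements that mismatch check over a small set of constructed SMTP sessions, measures its true- and false-positive rates, and then applies Bayes' rule to show how the precision of the signal depends on the spam base rate. The session records, the labels, the `registered_domain` approximation (last two labels, not the Public Suffix List) and the resulting rates are all assumptions made for illustration.

```python
"""Evaluate the 'reverse-DNS domain vs HELO domain' mismatch heuristic.

Added example, not from the ASRG thread. The SMTP sessions below are
constructed; their spam/ham labels and the rates they yield are illustrative.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    client_ip: str         # SMTP client address (constructed value)
    rdns: Optional[str]    # PTR name for client_ip, None if no reverse record
    helo: str              # argument of the HELO/EHLO command
    is_spam: bool          # ground-truth label used only for the evaluation


def registered_domain(name: str) -> str:
    """Approximate the registrable domain as the last two labels.

    Assumption for self-containment: a real deployment would consult the
    Public Suffix List, since this rule mishandles suffixes like co.uk.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def helo_mismatch(session: Session) -> bool:
    """The heuristic under discussion: flag the session when the registered
    domain of the client's reverse DNS name differs from that of the HELO.
    A client with no PTR record at all is also treated as a mismatch."""
    if session.rdns is None:
        return True
    return registered_domain(session.rdns) != registered_domain(session.helo)


def evaluate(sessions: List[Session]) -> Tuple[float, float]:
    """Return (true_positive_rate, false_positive_rate) of helo_mismatch:
    TPR = flagged spam / all spam, FPR = flagged ham / all ham."""
    spam = [s for s in sessions if s.is_spam]
    ham = [s for s in sessions if not s.is_spam]
    tpr = sum(helo_mismatch(s) for s in spam) / len(spam)
    fpr = sum(helo_mismatch(s) for s in ham) / len(ham)
    return tpr, fpr


def precision(tpr: float, fpr: float, spam_fraction: float) -> float:
    """Fraction of flagged messages that really are spam, by Bayes' rule,
    given the heuristic's TPR/FPR and the spam base rate of the mail stream."""
    flagged_spam = tpr * spam_fraction
    flagged_ham = fpr * (1.0 - spam_fraction)
    return flagged_spam / (flagged_spam + flagged_ham)


# Constructed sample: 10 legitimate sessions, one of which is a home mail
# server behind an ISP's generic PTR (a legitimate mismatch), and 10 spam
# sessions, nine of which come from hosts whose PTR (or lack of one) does not
# match the HELO they present.
SAMPLE_SESSIONS: List[Session] = [
    Session(f"192.0.2.{i}", f"mx{i}.example.com", f"mx{i}.example.com", False)
    for i in range(1, 10)
] + [
    Session("192.0.2.10", "dsl-192-0-2-10.isp.example", "mail.example.net", False),
] + [
    Session(f"203.0.113.{i}",
            None if i % 2 else f"dhcp-{i}.isp.example",
            "mail.example.com", True)
    for i in range(1, 10)
] + [
    Session("203.0.113.10", "bulk.example.org", "bulk.example.org", True),
]


if __name__ == "__main__":
    tpr, fpr = evaluate(SAMPLE_SESSIONS)
    print(f"TPR={tpr:.2f} FPR={fpr:.2f}")
    # Same heuristic, different mail streams: precision tracks the base rate.
    for spam_fraction in (0.1, 0.5, 0.9):
        print(f"spam fraction {spam_fraction:.1f}: "
              f"precision of mismatch flag = {precision(tpr, fpr, spam_fraction):.2f}")
```

With the constructed sample the heuristic scores TPR 0.9 and FPR 0.1, close to the numbers both sides of the thread cite. Run as a script, the loop shows why the base rate matters: at a 50% spam fraction nine in ten flagged messages are spam, but in a stream that is only 10% spam half of what the mismatch rule flags is legitimate mail, which is the cost the "lump it all in the same bin" position is accepting.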
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg