ietf-asrg

Re: [Asrg] Lets Fix Mailing Lists

2003-03-09 20:56:45
(not to the list since you didn't)
 
I'm sending this one to the list.

ten or so spammers replying to confirmations. For the paper, I grabbed 500
messages from spamarchive.org and sent confirmations to them. 221 bounced
back immediately (invalid user, account canceled due to abuse, invalid
domain, etc). 17 had invalid addresses (forged as a local address). 260
*never* replied (a possible throw-away account). The remaining two were
actually "unsubscribe" addresses (someone probably subscribed to one of those
web-based forums for a game site and forgot to unsubscribe). As you can see,
the percentage of forged addresses *is* very high.

No, I do not see that, unless you think 3.4% is very high.  I see no
evidence showing that 96% of those addresses were forged.

  - invalid user 
      could have been terminated for spam

End result: Message not delivered.

  - account canceled due to abuse
      clearly *NOT* forged

End result: Same as above.

  - invalid domain
      could be forged, but could also be recently expired domains or
      temporarily bad DNS server (e.g. Ralsky).  I recently ran a script over
      the ~4000 domains in my blacklist, and found about 10% invalid
      according to the DNS roots.  However, in rechecking, I find that
      perhaps 60% of those NXDOMAIN answers disagree with what crsnic.net
      says, which says the domains are valid.  

That is an unusual situation. In the worst case scenario, the challenge would
be lost. This email would sit in my queue where it would be picked up later
during my weekly queue maintenance.

  - forged as a local address
     ok you have evidence that 17 of 500 or 3.4% are forged.

Those are definitely forged.

  - 260 *never* replied
     if an ASK user sends me a challenge, it is likely that I will
     never reply.  Thus, this is not evidence of forgery.

But it is an indication that the sender was not available or willing to
confirm delivery of his message. This suggests (in my view) enough evidence
to queue the message for later inspection. I believe (from my experience with
a challenge-based authentication tool over these years) that someone who goes
through the trouble of composing a message will also be willing to reply to a
one-time challenge.

Note that confirmation messages have been used successfully by mailing-list
management software for years (or you're going to tell me that you never
replied to the confirmation sent by mailman when you joined this list ;)).

I suspect many of the 96.6% for which you do *NOT* have evidence 
of forgery were forged, but you can't conclude the positive from a
lack of evidence of the negative.

But the point is: The sender was *not* willing to prove to me that he indeed
sent me an email. Either he can't (because the email is not valid) or he
does not care for any reason. I *do* check my queue weekly and, believe me,
finding a false positive is very rare.

Again, "forged" should mean "spammer has no claim on the address,"
and not "invalid now but valid before," "doesn't respond to ASK
challenges," or "IP address doesn't match envelope or headers."

In ASK's case, forged means "I agree that I sent this email and I want
it to be delivered -- I understand that all emails from my address will
be automatically delivered without further confirmations from this point
forward".

This seems like an interesting and productive discussion. I'm subscribing to
the list. I hope I don't get overwhelmed by emails (I already have around 80
emails/day to read from lists, office and friends) :)

I was travelling the first days the list started.  That was also the peak
of the usual IETF announce flood of IDs, RFCs, and IESG actions.  It was
not fun to deal with 500 msgs/day through the primitive ssh tunnel I use.

Eeek!!!

Let's see what happens tomorrow! :)

Regards,
Paga

-- 
Marco Paganini          | UNIX / Linux / Networking
paganini(_at_)paganini(_dot_)net   | PGP: http://www.paganini.net/pgpkey.txt (RSA)
http://www.paganini.net | "Magnus Frater te spectat..."
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg


