ietf-asrg

Re: [Asrg] Random thought

2003-03-12 15:25:01
From: "Chris Lewis" <clewis(_at_)nortelnetworks(_dot_)com>

...
Remember, Millions CDs are write-only.

Not all spam target lists are on Millions CDs.

...
Multiple "RCPT TO" then "QUIT" is the same as VRFY.

Minor nit:  "Mail_From" then "Rcpt_To" is the same as VRFY.  VRFY does not
imply quit.  For a really minor nit, N VRFYs are the same as
1 Mail_From followed by N Rcpt_Tos.  Spammers often follow one or
more RCPT_To probes with a QUIT, but they don't need to.

We don't see a lot of that on our spamtrap actually.  What we see
_vastly_ more of is "HELO/MAIL FROM/QUIT" same "MAIL FROM" all the time.
God knows why they're doing that.

What's wrong with the obvious explanation, that they're validating
target lists?  The (equivalents to) VRFYs in my logs tend to be for
usernames that are valid or close to valid or to obvious dictionary
lists.  VRFYs are often followed by spam from the same spammer, judging
from various stigmata common between the VRFY and the spam.  I've done
other obvious experiments with names culled from VRFYs, and found the
obvious things you'd expect if you assume many spammers are not stupid
and understand their businesses as well as you do.

Validated target lists are sold by spammers as more valuable.
Some target MTAs penalize IP addresses with too many bad Rcpt_Tos.
Open proxies and relays are readily available, but there's no point
in burning a relay or proxy if you can buy a "verified" target list.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
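
The session patterns discussed in this message (RCPT TO probes that never reach DATA, the HELO/MAIL FROM/QUIT pattern, and penalizing IP addresses with too many bad RCPT TOs), as an added example that is not part of the original post: a small classifier run over a constructed log. The log format, the `max_bad_rcpt` threshold and all function names are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample log: "<session-id> <client-ip> <reply-code> <command>"
SAMPLE_LOG = """\
s1 192.0.2.10 250 HELO a.example
s1 192.0.2.10 250 MAIL FROM:<x@a.example>
s1 192.0.2.10 550 RCPT TO:<adam@corp.example>
s1 192.0.2.10 550 RCPT TO:<alice@corp.example>
s1 192.0.2.10 250 RCPT TO:<bob@corp.example>
s2 192.0.2.20 250 HELO b.example
s2 192.0.2.20 250 MAIL FROM:<y@b.example>
s2 192.0.2.20 221 QUIT
s3 198.51.100.5 250 MAIL FROM:<z@c.example>
s3 198.51.100.5 250 RCPT TO:<bob@corp.example>
s3 198.51.100.5 354 DATA
s4 192.0.2.10 252 VRFY carol
"""

def parse(log):
    """Group log lines into sessions: sid -> (ip, [(verb, reply_code), ...])."""
    sessions = {}
    for line in filter(str.strip, log.splitlines()):
        sid, ip, code, cmd = line.split(None, 3)
        sessions.setdefault(sid, (ip, []))[1].append((cmd.split()[0].upper(), code))
    return sessions

def classify(events):
    """Label a session by what it did; a trailing QUIT is not required."""
    verbs = {verb for verb, _ in events}
    if "VRFY" in verbs:
        return "vrfy"
    if "DATA" in verbs:
        return "delivery"
    if "RCPT" in verbs:
        return "rcpt-probe"      # recipients tested, no message sent
    if "MAIL" in verbs:
        return "mailfrom-only"   # the HELO/MAIL FROM/QUIT pattern
    return "other"

def analyze(log, max_bad_rcpt=2):
    """Return (session labels, IPs with at least max_bad_rcpt rejected RCPTs)."""
    labels, bad = {}, Counter()
    for sid, (ip, events) in parse(log).items():
        labels[sid] = classify(events)
        bad[ip] += sum(1 for v, c in events if v == "RCPT" and c.startswith("5"))
    return labels, {ip for ip, n in bad.items() if n >= max_bad_rcpt}
```

Rejected recipients are counted per client IP across sessions, so a prober that spreads its RCPT TOs over several connections is still caught by the threshold.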


