ietf-asrg

Re: [Asrg] Is there anything good enough? - Spoofing stats

2003-05-07 18:05:54
On Wednesday 07 May 2003 01:23 pm, Vernon Schryver wrote:
What is your definition of "spoof" besides "HELO not remotely
associated with sender domain"?  Does your definition involve the
use of a sending address that is not the property of the sender?

Sending addresses are the property of the domain.  Mail sent within the 
domain's acceptable uses is not spoofed.  Mail sent through other channels to 
avoid domain policies is spoofed.

It seems to be a common misconception that addresses are the property of the 
sender.  If you want an address to be your property you can sign up for your 
own domain, otherwise they belong to the domain and the domain administrators 
set the policy for each domain.

I did a little checking on the existence of some of the addresses: 
yahoo.com and aol.com didn't generate an error if the account did not exist, 
and the other accounts I checked did not exist.

Many perfectly legitimate owners of netscape.com and other free
provider mailboxes use those addresses as sender addresses in
their mail but send mail from unrelated ISPs.  Sometimes they do
this to avoid exposing their more private addresses to spam.  In
other cases port-25 filtering or other problems prevent them from
sending mail except through the unrelated ISP.

They can use webmail.  The services most often impersonated are webmail 
services, and the correct use of that service is via webmail or such other 
methods as that provider (hotmail, yahoo, etc.) may permit.
Those that are not webmail all provide SMTP and POP servers, and that is the 
proper way to send mail through them.

If your definition of "spoofed domain" includes the notion that
the spoofed address is not perfectly legitimate and owned by the
user sending the message, what would you suggest to those innocent
people?  By turning off the mail of those innocent people, would
RMX be creating problems?

RMX doesn't turn off mail to innocent people.  RMX helps to ensure that users 
follow the policies of their domains.  No ISP that I know of blocks port 80 
or 443, and those are the correct methods for sending messages via a webmail 
service unless the provider deems it acceptable to allow other methods.

If your definition includes some notion of forgery, how do you know
whether a message with unrelated sender address and reverse DNS domains
is spoofed or forged?  Do you have some way to ask the administrators
of the "spoofed" domain about the sender address?

In 316 of the 3130 (10%) they connected using either my own domain name or the 
IP address of my mail server as their HELO domain.  That is clear and 
undeniable proof that their intent is not to innocently inform me of the 
latest Viagra substitute but rather to exploit possible holes in my rules in 
order to deliver their crap.

I've recently seen a lot of spam with sender addresses in all of the
domains in your list.  Most of the names in your list are free providers,
but some are not.  I bet that much and probably most of the spam you've
seen with free provider sending address is not forged.  I've suspected
that spam with sender addresses from earthlink.net, msn.com, and aol.com
are forged, but how can anyone outside those organizations know?
Reading between the lines of today's front page "Wall Street Journal"
article suggests that much of the Earthlink spam may not be forged
in any real sense of the word.

See http://online.wsj.com/article/0,,SB105225593382372600,00.html if
you have a subscription.  The title is "Elusive Spammer Sends EarthLink
on Long Chase."  I've been unable to find the article on Google or
Yahoo, but it might appear there later this week.

I don't have a membership.  I look forward to reading it if it appears on a 
site that doesn't require a subscription.

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
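As an added illustration of the two checks discussed in this thread (example code, not from the poster or from any RMX implementation): flagging clients whose HELO claims the receiving site's own domain or mail-server IP, and an RMX-style lookup of which networks a sender domain permits to send its mail. The log format, the domain example.net, the client addresses and the policy table are all constructed for the example.

```python
import ipaddress
import re

# Constructed session log, one SMTP client per line (not a real MTA's format).
LOG_LINES = """\
203.0.113.9 HELO example.net MAIL FROM:<promo@yahoo.com>
198.51.100.7 HELO [192.0.2.25] MAIL FROM:<promo@yahoo.com>
192.0.2.77 HELO relay.isp.example MAIL FROM:<alice@netscape.com>
203.0.113.42 HELO mta1.yahoo.com MAIL FROM:<bob@yahoo.com>
198.51.100.200 HELO friend.example.org MAIL FROM:<joe@aol.com>
"""

OUR_DOMAIN = "example.net"          # assumed: the receiving site's own domain
OUR_IPS = {"192.0.2.25"}            # assumed: the receiving mail server's address

# Assumed RMX-style policy: sender domain -> networks allowed to originate its mail.
# Domains absent from the table publish no policy, so nothing can be concluded.
RMX_POLICY = {"yahoo.com": [ipaddress.ip_network("203.0.113.0/24")]}

LINE_RE = re.compile(r"^(\S+) HELO (\S+) MAIL FROM:<([^>]*)>$")

def helo_is_self_spoof(helo, our_domain=OUR_DOMAIN, our_ips=OUR_IPS):
    """True when an outside client introduces itself as us: our exact domain
    name, or one of our IPs (bare or as an RFC 2821 address literal)."""
    claim = helo.lower().strip("[]")
    return claim == our_domain or claim in our_ips

def rmx_check(client_ip, sender, policy=RMX_POLICY):
    """'pass' if the client IP is in a network the sender domain authorizes,
    'fail' if the domain publishes a policy that excludes it, 'none' otherwise."""
    domain = sender.rpartition("@")[2].lower()
    nets = policy.get(domain)
    if nets is None:
        return "none"
    addr = ipaddress.ip_address(client_ip)
    return "pass" if any(addr in net for net in nets) else "fail"

def classify(lines):
    """Parse each log line and attach both verdicts to it."""
    results = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip lines that do not match the format
        ip, helo, sender = m.groups()
        results.append({"ip": ip, "helo": helo, "sender": sender,
                        "self_spoof": helo_is_self_spoof(helo),
                        "rmx": rmx_check(ip, sender)})
    return results

def self_spoof_rate(results):
    """(hits, total, percent) in the style of the 316-of-3130 figure above."""
    hits = sum(1 for r in results if r["self_spoof"])
    return hits, len(results), round(100.0 * hits / len(results), 1)
```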