ietf-asrg
[Top] [All Lists]

Re: [Asrg] Is there anything good enough? - Spoofing stats

2003-05-07 18:51:08
From: David Walker <antispam(_at_)grax(_dot_)com>

...
Sending addresses are the property of the domain.  Mail sent within the 
acceptable domain uses is not spoofed.  Mail sent through other channels to 
avoid domain policies is spoofed.

It seems to be a common misconception that addresses are the property of the 
sender.  If you want an address to be your property you can sign up for your 
own domain, otherwise they belong to the domain and the domain administrators 
set the policy for each domain.

We do not agree that abusing an address amounts to forgery.  In my
view that makes as little sense as saying that if you abuse a rental
car, you are guilty of auto theft.


I did a little checking on the existence of some of the addresses and 
yahoo.com and aol.com didn't generate an error if the account did not exist 
and the other accounts I checked did not exist.

I don't understand that sentence.


Many perfectly legitimate owners of netscape.com and other free
provider mailboxes uses those addresses as sender addresses in
their mail but send mail from unrelated ISPs.  Sometimes they do
this to avoid exposing their more private addresses to spam.  In
other cases port-25 filtering or other problems prevent them from
sending mail except through the unrelated ISP.

They can use webmail.  The services most often impersonated are webmail 
services and the correct use of that service is via webmail or such other 
methods as that provider (hotmail,yahoo, etc) may permit.
Those that are not webmail all provide smtp and pop servers and that is the 
proper way to send mail through them.

What is your standing for telling AOL and users of netscape.com how
those addresses can be used?  By what authority do you tell AOL to
change the terms and conditions for the use of netscape.com addresses?
How can you presume to tell those users to use webmail instead of some
other ISP's MTA?

I could understand your telling AOL to that you will refuse mail with
Netscape.com envelope addresses until and unless AOL changes the T&C
for netscape.com addresses, since that is what I do.  However, I do
not presume to say that AOL's T&Cs are invalid or other than what they
are or that any free provider that does not use the free provider's
sending MTA is "forging" anything.

I assume that AOL, Microsoft, Lycos, and the rest of the free providers
will continue to do whatever suits them.  I do not think I have any
right to tell or even suggest to them that they should change.  I do
not expect them to start doing background checks (e.g. a TRW credit
check) or requiring an effective bond against bad behavior by their
users.  On occassion an official of a free provider has contacted me
about http://www.rhyolite.com/anti-spam/freemail.html  The tiny outfits
tend to bluster, threaten, and demand that their domain names be
removed.  The big outfits are cordial and do none of that.  They seem
to understand my position and motives and do not even suggest that I
remove their domain names.


If your definition of "spoofed domain" includes the notion that
the spoofed address is not perfectly legitimately and own by the
user sending the message, what would you suggest to those innocent
people?  By turning off the mail of those innocent people, would
RMX be creating problems?

RMX doesn't turn off mail to innocent people.  RMX helps to ensure that users 
follow the policies of their domains.  No ISP that I know of blocks port 80 
or 443 and those are the correct method for sending messages via a WEBmail 
service unless the provider deems it acceptable to allow other methods.

HTTP whether over port 80 or with TLS over port 443 is useless for
sending mail in many circumstances.  For example, if you are using a
laptop in an airport or on an airplane, unless you are very rich, you
probably cannot afford to stay connected and a remote web page to
compose outgoing email.  Thus, forcing people to use port 80 or 443
or nothing to send mail does turn off mail for some people.

Are you saying that people who do not use the sending MTAs of their free
providers for entirely legitimate mail are not at least mostly innocent?
If so we lack a common ground for discussion.  I've often said that free
providers are parasites on the Internet because they depend on outsiders
to police their spammers, and so users of free providers share that
guilt, but your position sounds extreme even to me.


If your definition includes some notion of forgery, how do you know
whether a message with unrelated sender address and reverse DNS domains
is spoofed or forged?  Do you have some way to ask the administrators
of the "spoofed" domain about the sender address?

In 316 of the 3130 (10%) they connected using either my own domain name or the 
IP address of my mail server as their helo domain.  That is clear and 
undeniable proof that their intent is not to innocently inform me of the 
latest Viagra substitute but rather to exploit possible holes in my rules in 
order to deliver their crap.
...

Ok, they forged their HELO values.  I assume they also tried to
defraud you with their bogus offers.  However, that implies nothing
about whether their SMTP envelope Mail_From values were in any
honest sense forged.

How do you explain the extremely non-random character of your list?
Why aren't spammers using random domain names or random big company
domain names instead of concentrating on providers that give dropboxes
with little no due diligence?   My explanation is that spammers care
about that lack of due diligence and that implies they own most of
those sender addresses.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg