
Re: [Asrg] Some data on the validity of MAIL FROM addresses

2003-05-18 11:49:59
At 03:34 AM 5/18/2003 -0400, Kee Hinckley wrote:

Vernon has regularly made the claim that a significant proportion of
spam messages have valid MAIL FROM's.  That means that bounces will
go to the spammer.  This has significant ramifications for C/R
systems (especially auto-respond ones) since it means that should
they have to, spammers could respond to challenges.

To test this theory, I took a day's worth of bounce logs from
somewhere.com (2003-05-15).  These should be fairly normal logs.
There's been a bit of an upswing from a recent virus attack, but
otherwise these are pretty normal bounce logs for somewhere.com.

I ran a program which took each MAIL FROM address, parsed out the
domain portion, looked up the MX record, and then connected to the
SMTP port of the lowest numbered MX server.  I did a
        HELO somewhere.com
        MAIL FROM <postmaster+AntiSpamAddressVerification(_at_)somewhere(_dot_)com>
        RCPT TO <appropriate-address>
        QUIT
Note that a few sites bounced me at the HELO prompt (didn't like that
I was on DSL, or that my name was somewhere.com).  A few bounced at
the MAIL FROM (didn't like somewhere.com--and one claimed that +
wasn't a legal email character).  But the number of either of those
was pretty low (less than half a dozen).  I'll do a better job of
recording those separately in the future.

[.....]
In general though, it appears that Vernon is correct.  If my sample
is representative, a large percentage of spam is coming from real
email addresses.

I see a problem with this testing strategy - an SMTP server does not necessarily produce an error when receiving an RCPT TO command. See RFC 2821, section 3.3:

----[snip]----
"However, in practice, some servers do not perform recipient verification until after the message text is received. These servers SHOULD treat a failure for one or more recipients as a "subsequent failure" and return a mail message as discussed in section 6. Using a "550 mailbox not found" (or equivalent) reply code after the data are accepted makes it difficult or impossible for the client to determine which recipients failed."
----[snip]----

And RFC 2821, Section 6.1.:

----[snip]----
"If there is a delivery failure after acceptance of a message, the receiver-SMTP MUST formulate and mail a notification message."
----[snip]----

Therefore, it is not possible to determine with certainty whether these accounts actually existed. A better testing strategy would actually send email to these accounts with the DATA command and watch for bounce messages. However, spammers can always choose to use a real email address as the return address and sending email to valid accounts in itself may be considered spam by the recipients.

Yakov

---------------------------------------------------------------------------------------------------
Yakov Shafranovich / <research(_at_)solidmatrix(_dot_)com>
SolidMatrix Research, a division of SolidMatrix Technologies, Inc.
---------------------------------------------------------------------------------------------------
"One who watches the wind will never sow, and one who keeps his eyes on
the clouds will never reap" (Ecclesiastes 11:4)
---------------------------------------------------------------------------------------------------
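The two server behaviours Yakov contrasts, as an added illustration (not code from either poster): a toy in-memory SMTP server with a hypothetical `verify_at_rcpt` switch, driven by the HELO/MAIL/RCPT/QUIT probe from the quoted post. Mailbox names, hostnames and reply text are constructed; the point is that a 250 at RCPT TO is not evidence the mailbox exists when the server defers verification until after DATA.

```python
"""Toy model of RFC 2821 recipient verification: at RCPT TO vs. after DATA.

Constructed example (no sockets, hypothetical names): the same probe gets
550 from a server that verifies at RCPT, but 250 from one that accepts and
bounces later, so the probe alone cannot tell a real mailbox from a fake one.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

KNOWN_MAILBOXES = {"alice@example.com", "bob@example.com"}  # constructed


@dataclass
class ToySmtpServer:
    verify_at_rcpt: bool                      # True: reject unknown RCPT with 550
    bounces: List[str] = field(default_factory=list)   # DSNs sent after DATA
    rcpts: List[str] = field(default_factory=list)

    def handle(self, line: str) -> str:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            return "250 toy.example.com"
        if verb == "MAIL":
            return "250 OK"
        if verb == "RCPT":
            m = re.search(r"<([^>]*)>", arg)
            addr = m.group(1) if m else arg.strip()
            if self.verify_at_rcpt and addr not in KNOWN_MAILBOXES:
                return "550 mailbox not found"
            self.rcpts.append(addr)               # deferred policy: accept now
            return "250 OK"
        if verb == "DATA":
            # Deferred verification: RFC 2821 6.1 requires a bounce instead.
            for addr in self.rcpts:
                if addr not in KNOWN_MAILBOXES:
                    self.bounces.append(f"DSN: {addr} does not exist")
            return "250 queued"
        if verb == "QUIT":
            return "221 bye"
        return "500 unrecognized command"


def full_delivery(server: ToySmtpServer, addr: str) -> Tuple[int, int]:
    """Run the probe, send DATA if RCPT was accepted; return (RCPT code, #bounces)."""
    server.handle("HELO probe.example.net")
    server.handle("MAIL FROM:<postmaster+verify@probe.example.net>")
    rcpt_code = int(server.handle(f"RCPT TO:<{addr}>")[:3])
    if rcpt_code == 250:
        server.handle("DATA")
    server.handle("QUIT")
    return rcpt_code, len(server.bounces)
```

Compare `full_delivery(ToySmtpServer(verify_at_rcpt=False), "nobody@example.com")`, which returns `(250, 1)`, with the `verify_at_rcpt=True` server, which returns `(550, 0)`: only the later bounce reveals the bad address.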