
Re: [Asrg] Some data on the validity of MAIL FROM addresses

2003-05-18 15:57:12
At 03:34 AM 5/18/03 -0400, Kee Hinckley wrote:
> Vernon has regularly made the claim that a significant proportion of
> spam messages have valid MAIL FROM's.  That means that bounces will
> go to the spammer.  This has significant ramifications for C/R
> systems (especially auto-respond ones) since it means that should
> they have to, spammers could respond to challenges.


There's a significant difference between "address is valid"
and "address belongs to spammer who could respond."

It's certainly possible for the Reply-To: (or any other sender supplied
addresses you test) to point to a valid address that does belong
to the sender (real), valid that doesn't belong to the sender (forged),
currently invalid address which belonged to the sender when they sent 
the message (revoked by isp) or invalid which never belonged to the 
sender (abandoned once the bounces started flooding in).

It would be nice to know how many addresses that tested valid 
when the spam was received, test invalid some time later 
(say, after 48 hours).  Of course, that data might not be much use, 
but at least it's collectable.


> There were 39595 entries in the log, with 34404 distinct SMTP sessions.
> There were 11559 unique MAIL FROM addresses.
>
> +---------+-------+------------+
> | errcode | total | percentage |
> +---------+-------+------------+
> |       0 |    99 |       0.86 |       ???
> |     250 |  5796 |      50.14 |
> |     450 |     6 |       0.05 |
> |     451 |    12 |       0.10 |
> |     452 |     8 |       0.07 |
> |     473 |     4 |       0.03 |
> |     500 |     1 |       0.01 |
> |     501 |     1 |       0.01 |
> |     521 |     3 |       0.03 |
> |     530 |     1 |       0.01 |
> |     550 |  2341 |      20.25 |
> |     551 |     3 |       0.03 |
> |     552 |     2 |       0.02 |
> |     553 |   288 |       2.49 |
> |     554 |    48 |       0.42 |
> |     555 |     1 |       0.01 |
> |     556 |     1 |       0.01 |
> |     571 |     1 |       0.01 |
> |    1001 |  1880 |      16.26 |       No MX Record
> |    1003 |  1055 |       9.13 |       No SMTP Server
> |    1007 |     8 |       0.07 |       Invalid Email Format
> +---------+-------+------------+
>
> In aggregate, 51% of the addresses were valid and 49% were not.
> Of the ones that were not valid, 52% didn't have a reachable mail server.


Minor quibble:  Failing to have an MX record doesn't guarantee
an address is invalid.  But I'd bet that a fair number of the
"No MX Record" group don't have an A record either, and of the
ones that do, few if any point to an SMTP server.

At any rate, somewhere between 9% - 25% not only don't have
valid return addresses, the addresses given can't reasonably
be considered to ever have been valid.  We can at least say
with some certainty that those spams aren't impersonating
someone else.


Scott Nelson <scott(_at_)spamwolf(_dot_)com>
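As an added illustration (not code from either poster), the script below reproduces the aggregate figures from the errcode table and models the MX-versus-A-record fallback behind the "No MX Record" quibble. The errcode buckets, the assumption that the 51% "valid" figure includes the 99 errcode-0 rows, and the DNS answers are all constructed for the example.

```python
# Added example (not from the ASRG thread): reproduce the aggregate figures from
# the MAIL FROM verification table and model the point that a missing MX record
# alone does not prove a domain cannot receive mail.
from typing import Dict, Tuple

# Constructed copy of the errcode/total column from the thread; the 1001/1003/1007
# codes are the tester's own DNS/connection outcomes, not SMTP reply codes.
ERRCODE_COUNTS: Dict[int, int] = {
    0: 99, 250: 5796, 450: 6, 451: 12, 452: 8, 473: 4, 500: 1, 501: 1, 521: 3,
    530: 1, 550: 2341, 551: 3, 552: 2, 553: 288, 554: 48, 555: 1, 556: 1,
    571: 1, 1001: 1880, 1003: 1055, 1007: 8,
}

def classify(errcode: int) -> str:
    """Bucket one verification outcome. Assumption: the thread's 51% 'valid'
    figure counts both the 250 replies and the 99 errcode-0 rows."""
    if errcode in (0, 250):
        return "accepted"
    if errcode in (1001, 1003):
        return "no_mail_server"      # no MX record / no listening SMTP server
    if errcode == 1007:
        return "malformed"
    if 400 <= errcode < 500:
        return "temp_fail"           # 4xx: may be valid, cannot tell yet
    return "perm_fail"               # 5xx: the receiving MTA rejected it

def aggregate(counts: Dict[int, int]) -> Dict[str, float]:
    """Percentage share of all addresses per bucket, plus the share of invalid
    addresses (everything not accepted) that had no reachable mail server."""
    total = sum(counts.values())
    buckets: Dict[str, int] = {}
    for code, n in counts.items():
        buckets[classify(code)] = buckets.get(classify(code), 0) + n
    shares = {k: round(100.0 * v / total, 1) for k, v in buckets.items()}
    invalid = total - buckets.get("accepted", 0)
    shares["unreachable_share_of_invalid"] = round(
        100.0 * buckets.get("no_mail_server", 0) / invalid, 1)
    return shares

def mail_route(domain: str, dns: Dict[str, Dict[str, list]]) -> Tuple[str, str]:
    """RFC 2821 delivery rule: use MX hosts if any exist, otherwise fall back to
    the domain's A record. Only when neither exists is 'no MX' conclusive."""
    records = dns.get(domain, {})
    if records.get("MX"):
        return "mx", records["MX"][0]
    if records.get("A"):
        return "a_fallback", records["A"][0]
    return "no_route", ""

# Constructed DNS answers for the three cases: MX present, A only, nothing.
SAMPLE_DNS = {
    "example.net": {"MX": ["mx.example.net"], "A": ["192.0.2.10"]},
    "example.org": {"A": ["192.0.2.20"]},
    "example.com": {},
}
```

Running `aggregate(ERRCODE_COUNTS)` gives 51.0% accepted, 25.4% with no mail server, and 51.8% of the non-accepted addresses unreachable, matching the thread's rounded 51%/52% figures; only "example.com" comes back as `no_route`.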

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
