
Re: [Asrg] Some data on the validity of MAIL FROM addresses

2003-05-19 08:53:08
From: Kee Hinckley <nazgul(_at_)somewhere(_dot_)com>

I would expect that /if/ the majority of return addresses are forged,
then the spammer would pick the domain at random from their collection
of lists.

As I noted in my mail.  This appears to be happening now--although I 
had not seen symptoms of it before.  Is anyone else starting to see 
low-level occasional bounce back from spam?

Prior to that, all of the bounce-back instances I had heard of or 
experienced (and I used to get one or two a week) were major--where 
the entire spam load got sent out with the same return address.

For more than a year I've heard from ISPs asking how to make the DCC
filter such bounces because they upset users.  For years there have
been occasional reports in news.admin.net-abuse.email of such bounces
and speculations that some spammers apply the obvious tactic of using
their target lists for their sender addresses.  I've occasionally
received such bounces.  The question isn't whether it happens, since
that's long settled, but how often it happens, and what if anything
people trying to stop spam should do in response.

Spam characteristics ebb and flow.  It's important to avoid making
generalizations from a single wave or one high tide.  Two or three weeks
ago I was seeing more forged senders in my traps.  Within the last
week, that wave has broken and I've noticed an increase in spammers using
their own domains in Mail_From values.  I could speculate that sounds
from the FTC and New York have motivated a shift in tactics or that
Hotmail or Yahoo are doing something, but that would only be speculation.

Other recent waves include:

  - base64 encoding increased so much a month or two ago that I added
     special hand tools to the set I use to watch my spam traps.
     Those tools became important.  This week I've rarely used them.

  - the wave of <!-->HTML comment<--> spam has definitely crested.

  - some recent spam contains HTTP HREF URLs of the form
     http://xxx.example.com__foobar
    Does some HTML-aware MUA treat '__' like '/'?

  - some recent spam contains several purely garbage URLs in HREFs or
   two valid ones.  They're not even hidden (e.g. <A HREF="asdf"></A>)
   What's the point of telling spam targets to "click on this" when it
   is pure garbage?

  - I've finally seen what others have mentioned, "hashbusters" in
   HTML tables instead of bounded by <font></font> or other screens.
   The tables look perfectly valid and so visible to spam targets.
   So what's the point?


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
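The obfuscation patterns listed in the message above (base64-encoded bodies, HTML comments wedged inside words, `__` in the host part of an HREF, and HREFs that are not URLs at all) are easy to check for mechanically. The following is an added example, not code from the original post or from the DCC project: a small Python checker that decodes the text parts of a message and reports those four indicators. The two sample messages are constructed for illustration and are not real spam; the heuristics (a comment counts only when it sits between two word characters, and an HREF with neither scheme nor host is treated as garbage) are this example's own assumptions.

```python
"""Flag the spam obfuscation patterns discussed above in a raw RFC 822 message.

Added example (not the original post's or DCC's code).  Sample messages
below are constructed for illustration, not captured spam.
"""
import base64
import email
import re
from email import policy
from urllib.parse import urlparse

# An HTML comment wedged between two word characters, e.g. Vi<!-- x -->agra.
# Assumption: a comment placed mid-word is there to split a token, so only
# that placement is counted, not ordinary comments between elements.
_MIDWORD_COMMENT = re.compile(r"(?<=\w)<!--.*?-->(?=\w)", re.S)
# The href value of an <a> tag, quoted or bare.
_HREF = re.compile(r"""<a\b[^>]*?\bhref\s*=\s*["']?([^"'\s>]+)""", re.I)


def decoded_text_parts(msg):
    """Yield (was_base64, text) for every text/* part, undoing the transfer encoding."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        cte = str(part.get("Content-Transfer-Encoding") or "").strip().lower()
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        yield cte == "base64", payload.decode(charset, "replace")


def midword_comments(text):
    """Return the HTML comments that split a word in two."""
    return _MIDWORD_COMMENT.findall(text)


def classify_hrefs(text):
    """Split HREFs into (hosts containing '__', hrefs with no scheme and no host)."""
    odd_hosts, garbage = [], []
    for href in _HREF.findall(text):
        parsed = urlparse(href)
        if not parsed.scheme and not parsed.netloc:
            garbage.append(href)          # e.g. href="asdf": nothing a browser can fetch
        elif "__" in parsed.netloc:
            odd_hosts.append(href)        # e.g. http://xxx.example.com__foobar
    return odd_hosts, garbage


def analyze(raw):
    """Return a dict of the four indicators for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    report = {"base64_text": False, "midword_comments": 0,
              "odd_hosts": [], "garbage_hrefs": []}
    for was_b64, text in decoded_text_parts(msg):
        report["base64_text"] = report["base64_text"] or was_b64
        report["midword_comments"] += len(midword_comments(text))
        odd, garbage = classify_hrefs(text)
        report["odd_hosts"] += odd
        report["garbage_hrefs"] += garbage
    return report


# Constructed sample: a base64-encoded HTML body showing all four patterns.
_HTML = ('<html><body>Vi<!-- 9f3a -->agra for less. '
         '<a href="http://xxx.example.com__foobar">click here</a> '
         '<a href="asdf"></a> <a href="http://www.example.net/">ok</a></body></html>')
SAMPLE_OBFUSCATED = (
    "From: someone@example.com\r\n"
    "To: victim@example.org\r\n"
    "Subject: hello\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + base64.encodebytes(_HTML.encode("ascii")).decode("ascii")
)
# Constructed sample: an ordinary plain-text message, which should trip nothing.
SAMPLE_PLAIN = (
    "From: friend@example.com\r\n"
    "To: victim@example.org\r\n"
    "Subject: lunch\r\n"
    "\r\n"
    "See you at noon.\r\n"
)

if __name__ == "__main__":
    for name, raw in (("obfuscated", SAMPLE_OBFUSCATED), ("plain", SAMPLE_PLAIN)):
        print(name, analyze(raw))
```

Decoding the transfer encoding before inspecting the HTML is the important step: a filter that hashes or pattern-matches the raw base64 body sees none of the comments or HREFs, which is presumably why base64 bodies became common enough to need special tooling, as noted above.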


