ietf-asrg

RE: [Asrg] Some data on the validity of MAIL FROM addresses

2003-05-19 12:14:21
The FROM address is being chosen to maximize the probability
the email is opened.

People trust what they know. They know AOL, Hotmail, yahoo.
It would be interesting to see whether the YAH addresses
decline over the next few months as they step up enforcement
on the legal front.


        Phill

-----Original Message-----
From: Scott Nelson [mailto:scott(_at_)spamwolf(_dot_)com]
Sent: Sunday, May 18, 2003 11:26 PM
To: asrg(_at_)ietf(_dot_)org
Subject: Re: [Asrg] Some data on the validity of MAIL FROM addresses


At 07:52 PM 5/18/03 -0600, Vernon Schryver wrote:
From: Michael Rubel <asrg(_at_)mikerubel(_dot_)org>

ad> Even worse, there is no proven connection between the spam and the
ad> hotmail/yahoo account which is allegedly the sender.  The data are
ad> entirely consistent with spammers using lists of verified email
ad> addresses to forge 'From:' lines.

vs> That would make sense only if the number of hotmail/yahoo spam
vs> sender addresses were proportional to the number of hotmail/yahoo
vs> addresses among all targets of spam.


Wouldn't this objection only apply if you assume that spammers are
selecting MAIL FROM: addresses uniformly?  That is, if you assume each
address in their lists is given equal probability?

That's my point.  Spam source addresses are obviously not uniformly
distributed across domain names.  Unless you make surprising
assumptions about spam target addresses, they are not uniformly
distributed across those either.

Why is that?  It cannot be because free provider mailboxes are harder
to check for validity.  Many large corporate domain names give no
indication that an invented address is bogus during the SMTP transaction.
(Think about corporate MX servers and firewalls to see not only why
that is but why it must be, at least as SMTP is practised today.)

It also cannot be because free provider addresses are good sender
addresses for spam, because a noticeable albeit small minority of
organizations are like Rhyolite Software and reject all mail
apparently from strangers at free providers.  If you're going to
pick a random domain name, it would be better to pick any of the
Fortune 1000 not associated with a free provider.


I would expect that /if/ the majority of return addresses are forged,
then the spammer would pick the domain at random from their collection
of lists.

If that's right, and if a lot of spam is being forged (both are untested
assumptions), then the majority of forged spam would come from the domains
which appear most often on the lists.  I.e. since there are many more
"big domain" email addresses, they would get forged more often.
But the small domains would be forged sometimes.

So what domains /aren't/ showing up in spam?

I know striker.ottawa.on.ca has a lot of addresses on a lot of spam lists,
but checking the last 20,000 spams I received, not a single one
has the word "striker" in it anywhere.
No Fortune 1000 domains either.
For the addresses checked, there was only one exception to the rule that
spam has a return address that can be purchased for less than $25.00 US,
and that exception is notable.
It's spamcop.net, who claims to have been joe-jobbed.


Scott Nelson <scott(_at_)spamwolf(_dot_)com>

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg

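The thread argues over one testable model: if spammers forged MAIL FROM by drawing uniformly from their harvested lists, each domain's share among spam senders would match its share among list entries. The script below is an added example written for this page, not code from any of the posters. It runs Vernon Schryver's proportionality comparison and Scott Nelson's "does the word appear anywhere" check over constructed data: the target list and spam senders are made up, the free-provider domains are the ones named in the thread, and corp.example and striker.example are hypothetical stand-ins for a corporate domain and a small domain that is on the lists but never shows up as a sender. A seeded uniform-draw simulation shows what the ratios look like under the model the objection assumes.

```python
from collections import Counter
import random

# Constructed target list a spammer might have harvested.  The free-provider
# domains are the ones named in the thread; the other two are hypothetical.
TARGET_LIST = (
    ["u%d@hotmail.com" % i for i in range(40)]
    + ["u%d@yahoo.com" % i for i in range(30)]
    + ["u%d@aol.com" % i for i in range(10)]
    + ["u%d@corp.example" % i for i in range(15)]
    + ["u%d@striker.example" % i for i in range(5)]
)

# Constructed MAIL FROM addresses seen on a small batch of spam.  The corporate
# and "striker" domains never appear, and one sender comes from a domain that
# is not on the list at all (the joe-job case from the thread).
SPAM_MAIL_FROM = (
    ["spam%d@hotmail.com" % i for i in range(6)]
    + ["spam%d@yahoo.com" % i for i in range(4)]
    + ["spam0@aol.com", "abuse@spamcop.net"]
)


def domain_of(address):
    """Lowercased domain part of an address, or None if it has no '@domain'."""
    _local, at, domain = address.strip().rpartition("@")
    return domain.lower() if at and domain else None


def domain_shares(addresses):
    """Fraction of addresses per domain; entries without a domain are skipped."""
    counts = Counter(d for d in map(domain_of, addresses) if d)
    total = sum(counts.values())
    return {d: n / total for d, n in counts.items()} if total else {}


def sender_to_list_ratio(spam_senders, target_list):
    """Per domain: observed share among spam senders divided by the share
    expected if senders were drawn uniformly from the target list.

    About 1.0 is what uniform forgery from the list would give; 0.0 means the
    domain is on the list but never used as a sender; None means the domain
    was used as a sender although it is not on the list at all.
    """
    observed = domain_shares(spam_senders)
    expected = domain_shares(target_list)
    ratios = {}
    for domain in set(observed) | set(expected):
        exp = expected.get(domain, 0.0)
        obs = observed.get(domain, 0.0)
        ratios[domain] = (obs / exp) if exp else None
    return ratios


def raw_message(sender):
    """Constructed RFC 822-style text of a message with the given sender."""
    return "From: <%s>\r\nSubject: hi\r\n\r\nClick here.\r\n" % sender


def count_mentions(messages, needle):
    """The 'not a single one has the word anywhere' check: number of raw
    messages containing `needle` case-insensitively, headers and body."""
    needle = needle.lower()
    return sum(1 for m in messages if needle in m.lower())


def simulate_uniform_forgery(target_list, n, seed=1):
    """Draw n sender addresses uniformly from the list with a fixed seed,
    i.e. the model the proportionality objection assumes."""
    rng = random.Random(seed)
    return [rng.choice(target_list) for _ in range(n)]


if __name__ == "__main__":
    ratios = sender_to_list_ratio(SPAM_MAIL_FROM, TARGET_LIST)
    for domain, ratio in sorted(ratios.items()):
        print("%-16s %s" % (domain, "not on list" if ratio is None else "%.2f" % ratio))
    msgs = [raw_message(s) for s in SPAM_MAIL_FROM]
    print("messages mentioning 'striker':", count_mentions(msgs, "striker"))
    sim = sender_to_list_ratio(simulate_uniform_forgery(TARGET_LIST, 10000), TARGET_LIST)
    print("uniform-forgery ratios:", {d: round(r, 2) for d, r in sim.items()})
```

On the constructed sample the free providers come out over-represented (hotmail.com at 1.25, yahoo.com just above 1), the corporate and small domains sit at 0.0, and spamcop.net is flagged as a sender that is not on the list; the seeded simulation keeps every ratio close to 1.0, which is the signature uniform selection would leave and real spam does not. On a real corpus the same functions would be fed the envelope sender logged by the MTA and the raw message text.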


