
RE: [Asrg] Some data on the validity of MAIL FROM addresses

2003-05-19 19:48:17
At 4:37 PM -0400 5/19/03, Eric Dean wrote:
> >  For example, if 90% of spam is forged, then RMX, C/R, and
> > authentication schemes could do a lot against spam (modulo their
> > other problems).
>
> It's not a large step to estimate that 90% of spam is forged.
> 1) However, much of that spam can be filtered using simple sender domain
> checks.  Many spammers use bogus domains and maybe 5-10% of spam is dropped
> accordingly.
> 2) The next value is to do a HELO hostname check..about 10-20% is dropped as
> well.  However, there are casualties for very large companies...such as
> bellsouth and verizon whereby I have to punch holes in my filters.
> 3) Then I could be more aggressive and apply a reverse-dns check on the
> initiating source IP.  Doing so is also effective, however, all DSL and
> carrier Dial networks in-addr their IP pools...yet many mail admins don't.
> I have about another 5-10% of my spam come from unresolved IPs..but instantly
> the phones light up..cost me money..and I'm out of business.  The tough-love
> approach is suicidal stupidity.
> 4) Then OK, so now we go with RBL, to identify the pools..that'll
> work..costs non-trivial money..but it works for that flavor of spam..maybe
> 5%.


Well, actually I collected some of this data as well. But without corresponding data on non-spam, it's not very useful. Certainly each of the steps you outline includes an increased number of false positives.

There were 7376 unique senders.
4298 had some "problem" with the HELO or DNS information.

10      No A record for the HELO domain
702     The hostname for the HELO doesn't resolve
1330    Unqualified domain in the HELO
2030    Sender domain does not match the HELO
76      DNS Failed or timed out
1000    No DNS A data (not sure how this differs from the first)
8       Bad DNS Q Data Format (?)
101     Pipelined

(Pipelining was detected by spotting cases where an error was returned which should have terminated the transaction, but they kept sending commands, up to and including the content of the message.)

Obviously those all overlapped a good deal. Your immediate reaction might be to make sure that the sender domain matches the HELO. After all, it would nail half the spam right there. But then again, it would also block most of the mail coming from my domain and many others. My mail server always uses the primary domain name in the HELO, no matter which domain it sends for. That's probably true of most servers.
--
Kee Hinckley
http://www.messagefire.com/          Junk-Free Email Filtering
http://commons.somewhere.com/buzz/   Writings on Technology and Society

I'm not sure which upsets me more: that people are so unwilling to accept
responsibility for their own actions, or that they are so eager to regulate
everyone else's.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
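As an added illustration of the HELO/DNS categories tallied in the message above (this is example code written for this page, not code from either poster), the script below classifies HELO / MAIL FROM pairs into "unqualified HELO", "no A record for the HELO", "DNS failed" and "sender domain does not match HELO", and then counts, per check, how many constructed spam and legitimate sessions each one would catch. The DNS table, the sample sessions and their spam/legitimate labels are all constructed for the example; DNS is injected as a function so the code runs offline. The `registered_domain` helper is a deliberately crude "last two labels" heuristic, not a public-suffix-aware implementation.

```python
"""Classify SMTP HELO / MAIL FROM pairs into the problem categories from the post,
and show the false-positive cost of each check on a constructed sample.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple

# Constructed stand-in for DNS: hostname -> A records; None models a failed/timed-out lookup.
FAKE_DNS: Dict[str, Optional[List[str]]] = {
    "mail.example.com": ["192.0.2.10"],
    "example.com": ["192.0.2.1"],
    "example.net": ["192.0.2.2"],          # second domain hosted on mail.example.com
    "smtp.bellsouth.example": ["192.0.2.20"],
    "flaky.example": None,                  # legitimate sender with broken DNS
}

Resolver = Callable[[str], Optional[List[str]]]


def fake_resolve(name: str) -> Optional[List[str]]:
    """Return A records for name, [] if it has none, None if the lookup failed."""
    return FAKE_DNS.get(name, [])


def registered_domain(host: str) -> str:
    """Crude 'domain of a hostname': the last two labels (demo heuristic only)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(helo: str, mail_from: str, resolve: Resolver = fake_resolve) -> FrozenSet[str]:
    """Return the set of problem tags for one HELO / MAIL FROM pair."""
    tags = set()
    helo = helo.lower().rstrip(".")
    if "." not in helo:
        tags.add("unqualified_helo")             # e.g. HELO localhost
    else:
        records = resolve(helo)
        if records is None:
            tags.add("dns_failed")               # resolver error or timeout
        elif not records:
            tags.add("helo_no_a_record")         # name exists nowhere in DNS
    sender_domain = mail_from.rsplit("@", 1)[-1].lower() if "@" in mail_from else ""
    # The mismatch check is the one the post warns about: a server that always
    # says HELO with its primary name but sends for several domains trips it.
    if sender_domain and "." in helo and registered_domain(helo) != registered_domain(sender_domain):
        tags.add("sender_domain_mismatch")
    return frozenset(tags)


@dataclass(frozen=True)
class Session:
    helo: str
    mail_from: str
    legitimate: bool   # constructed ground truth for the example


SAMPLE_SESSIONS: List[Session] = [
    Session("mail.example.com", "alice@example.com", True),
    Session("mail.example.com", "bob@example.net", True),       # multi-domain host: legit mismatch
    Session("smtp.bellsouth.example", "carol@bellsouth.example", True),
    Session("flaky.example", "dave@flaky.example", True),       # legit sender, DNS trouble
    Session("localhost", "promo@bogus-offer.example", False),
    Session("mx.nonexistent-spammer.example", "deal@other.example", False),
    Session("bulkmail", "win@lottery.example", False),
]


def tally(sessions: List[Session], resolve: Resolver = fake_resolve) -> Dict[str, Tuple[int, int]]:
    """Per tag, return (spam_hits, legitimate_hits) so the false-positive cost is visible."""
    counts: Dict[str, Tuple[int, int]] = {}
    for s in sessions:
        for tag in classify(s.helo, s.mail_from, resolve):
            spam, legit = counts.get(tag, (0, 0))
            if s.legitimate:
                legit += 1
            else:
                spam += 1
            counts[tag] = (spam, legit)
    return counts


if __name__ == "__main__":
    for tag, (spam, legit) in sorted(tally(SAMPLE_SESSIONS).items()):
        print(f"{tag:24s} spam caught: {spam}  legitimate blocked: {legit}")
```

On the constructed sample the unqualified-HELO and no-A-record checks hit only spam, while the sender-domain mismatch check catches one spam session and one legitimate session from the multi-domain host, which is exactly the trade-off the message describes: counting hits on spam alone says nothing about a check's cost without the matching count on non-spam.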