
RE: [Asrg] TitanKey and "white lies"... (Faking SMTP hard errors "improves" C/R utility?)

2003-05-30 20:49:50
From: Barry Shein <bzs(_at_)world(_dot_)std(_dot_)com>

...
I've lately been seeing them rotating case of domains between msgs and
then base64 encoding that,
      <A HREF="http://wWw.HoOp-dirECT.com";>
      <A HREF="http://WwW.hOoP-DIrEcT.com";>
which makes it harder to just match on the base64 encoding.

I think rotating cases are weeks old for "Bill Zhang/Hu Scott/
Zhanghailun/Dereck Jonson/et al."  In the last few dozen hours it has
switched to rotating case and quoted-printable or %-encoding.  I think
I've recently seen it in others I thought were not the same spammer.
Base64 encoding was very popular, faded, and has come back a little.
I assume most defenses that were not already decoding base64 have been
changed and perhaps SpamAssassin or some other major filter is now
penalizing base64 like <!--HTML-comments-->.  But this tactical chatter
is not relevant to a strategic research group.


...
 > Say that you did find that 87.345% (or whatever) of all spammers today
 > respond to 550's.  Instead of sarcasm, please say what you would
 > conclude about next month.  How much money would you bet on your answer?

...
I said I doubt handing spammers 5xx's is going to do much good in ...

I don't know about that, but you did support the value of measuring
current 5yz behavior.  The only profits I see in such measurements
are disproving claims that it always happens or can't/never happens,
honing skills and tools for looking at spam, and tweaking defenses for
the next few weeks.  The second might be good training or tool
development.  The last might be relevant in a tactical forum like
SPAM-L or NANAE, but not here.


...
In general it seems more conservative to assume that if there's an
easy way around a "block" (e.g., ignore those 5xx's) a spammer will
take it.

That's why worrying about current precise 5yz behavior is wrong
without compelling logic showing that it won't change.

Information is neither a baseless prejudice nor a careful measurement
that will be a wrong, baseless prejudice tomorrow.


The only exception I see off-hand are gray-area spammers who might be
subject to IP blocking, or those who use spamhauses, or similar, so
are concerned about sites which block IPs when they produce too many
User Unknowns.

Anyhow, an empirical method to see if this approach works at all, not
that I see how it really fits into the big picture (if you already
know it's spam and thus to respond with 5xx then the problem is solved
already, no?), has been proposed here now.

Knowing how often 5yz's are honored can be good tactical intelligence,
but this is a strategic research group.  The opposites of baseless
assertions are not useless data.  Assuming we agree the real value is
neither 0% nor 100%, good measurements of 5yz behavior are as inappropriate
here as unfounded claims about 5yz behavior.  Good measurements of 5yz
honoring today will be unfounded claims tomorrow.

Good measurements of 5yz behavior are as useless as base64 line lengths.
RFC 1341 and replacements say that they should be at most 70 bytes,
and most legitimate mail and spam use fewer.  However, I've had to
make my code decode base64 lines of several thousand bytes to handle some
spam.  Does it matter whether those illegal MIME spam are 1% or 0.01%
instead of the 0.1% I estimate?  Not here.  It also does not matter
here whether 87% or 8.7% of spammers honor 5yzs.


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
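An added example, not from the thread or from either author, showing the defensive side of two points raised above: matching the base64-encoded form fails because case rotation changes the encoding, while decoding the body (whatever its line length) and canonicalizing the link hosts collapses the variants. The third %-encoded link and all function names are assumptions.

```python
import base64
import quopri
import re
from urllib.parse import unquote

# Constructed samples: the same link with rotated case, as quoted in the thread,
# plus a hypothetical %-encoded variant of the kind the message mentions.
LINK_VARIANTS = [
    '<A HREF="http://wWw.HoOp-dirECT.com">',
    '<A HREF="http://WwW.hOoP-DIrEcT.com">',
    '<A HREF="http://www.ho%6Fp-dir%65ct.com">',
]

HREF_RE = re.compile(r'href\s*=\s*"?(?:https?://)?([^/"\s>]+)', re.IGNORECASE)


def decode_body(body: bytes, cte: str) -> str:
    """Decode a MIME body part according to its Content-Transfer-Encoding.

    Whitespace is stripped before base64 decoding, so a body whose base64 is a
    single line of several thousand bytes decodes the same as a wrapped one.
    """
    cte = cte.lower()
    if cte == "base64":
        raw = base64.b64decode(re.sub(rb"\s+", b"", body))
    elif cte == "quoted-printable":
        raw = quopri.decodestring(body)
    else:
        raw = body
    return raw.decode("latin-1")


def canonical_hosts(decoded: str) -> set:
    """Hosts taken from HREFs, %-decoded and lower-cased so case rotation collapses."""
    return {unquote(m.group(1)).lower() for m in HREF_RE.finditer(decoded)}


def encoded_bodies(variants) -> list:
    """Base64-encode each variant as a spam body would be; these all differ."""
    return [base64.b64encode(v.encode("latin-1")) for v in variants]


def hosts_per_variant(variants) -> list:
    """Decode each base64 body and canonicalize; these all agree."""
    return [canonical_hosts(decode_body(b, "base64")) for b in encoded_bodies(variants)]


if __name__ == "__main__":
    print(len(set(encoded_bodies(LINK_VARIANTS))), "distinct encoded bodies")
    print(hosts_per_variant(LINK_VARIANTS))
```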


