From: Kee Hinckley <nazgul(_at_)somewhere(_dot_)com>
...
He says that if he sets up his mail server to blackhole spam instead
of bounce it, the spammer shortly shifts to a different IP address
with slightly different text. He claims they are seeding the spam
with known bad addresses, and if they don't get back a failed status
from the SMTP server, they know that their spam is getting trapped by
filters.

I don't have any idea what methodology he's using, and without a good
control group to compare with, this could be just a case of seeing
lots of spam. However, conceptually it makes sense. It's the inverse
of checking for bounces on valid addresses, and it would allow a
spammer to fine-tune their message to get through filters.
Can anyone confirm this?

As stated, that makes limited sense, because it is based on the
assumption that filters reject spam. In fact many filters silently
discard, or rather, in effect like with a 250-OK SMTP status. Consider
most procmail recipes. Yes, the possibility of false positives urges
filters not to lie, but that's not always possible (e.g. usually not with
procmail) and many people prefer to not leak information about their
filters to spammers.

There is a related scenario that makes more sense. Contributors to
NANAE have reported that some spammers use almost certainly bogus
addresses (e.g. 15 random letters) to determine whether an SMTP server
lies about bogus addresses. If a server answers "no such user," then
throwing a dictionary of 50,000 common user names at it will yield a
bunch of "confirmed" addresses that can be sold or spammed later. If
not, then such a dictionary attack is a waste of time.

Vernon Schryver vjs(_at_)rhyolite(_dot_)com
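
A defender's view of the dictionary probing described in the reply above, as an added example that is not part of the original message: it counts per-client "no such user" rejections in a mail log and lists the addresses the server confirmed to each flagged client. The log format, thresholds, mailbox names, addresses and function names are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed, simplified log format (constructed for this example).
LINE = re.compile(r"client=(?P<ip>\S+) rcpt=<(?P<rcpt>[^>]+)> status=(?P<code>\d{3})")

def summarize(lines):
    """Group distinct recipients per client by SMTP outcome (250 vs 550)."""
    stats = defaultdict(lambda: {"ok": set(), "unknown": set()})
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue
        if m["code"] == "550":      # server answered "no such user"
            stats[m["ip"]]["unknown"].add(m["rcpt"].lower())
        elif m["code"] == "250":    # server accepted the recipient
            stats[m["ip"]]["ok"].add(m["rcpt"].lower())
    return stats

def harvest_suspects(lines, min_unknown=5, min_ratio=0.5):
    """Flag clients whose RCPTs are mostly unknown users.

    For each flagged client, 'confirmed' lists the addresses the server
    acknowledged as valid, i.e. what the rejections allowed it to learn.
    """
    suspects = {}
    for ip, s in summarize(lines).items():
        unknown, total = len(s["unknown"]), len(s["unknown"]) + len(s["ok"])
        if unknown >= min_unknown and unknown / total >= min_ratio:
            suspects[ip] = {"unknown": unknown, "confirmed": sorted(s["ok"])}
    return suspects

# Constructed sample data: two real mailboxes, one probing client that
# starts with a random 15-letter local part, one ordinary sender with a typo.
VALID = {"alice", "bob"}

def _line(ip, local):
    code = 250 if local in VALID else 550
    return f"2003-03-10T12:00:00 client={ip} rcpt=<{local}@example.org> status={code}"

SAMPLE_LOG = (
    [_line("192.0.2.10", n) for n in
     ["qzxvkjwpltbnmrd", "aaron", "abby", "adam", "alice", "amy", "andy", "bob"]]
    + [_line("198.51.100.7", n) for n in ["alice", "bob", "alcie"]]
)

if __name__ == "__main__":
    for ip, info in harvest_suspects(SAMPLE_LOG).items():
        print(ip, info)
```

A server that accepts every recipient at RCPT time gives such a client no 550 responses to count, so this check only applies where unknown users are rejected during the SMTP session.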