ietf-asrg

Re: [Asrg] SPF is only useful to dupe the ignorant...

2004-09-10 18:17:56
At 3:43 PM -0400 9/10/04, Barry Shein wrote:
Spammers no longer use static domains, and they haven't for years.

Some still do, but they are untouched by SPF anyway.

Spammers use ZOMBIE PCs.

Yes, and those are quite hard to get into SPF records.

These are virus-infected PCs which let spammers do whatever they like
with them, such as cause those PCs to send out millions of e-mail
messages.

So, you get an e-mail from viagra(_at_)adsl-24-73-19-222(_dot_)att(_dot_)net
and it's SPF OK.

Why would AT&T create an SPF record for that name?

The more common scenario NOW is that the mail is offered with an envelope sender in some other domain. For many months one persistent zombie spammer seemed fixated on using msn.com addresses. In digging through the few of these that get past the Spamhaus XBL and my local list, the latest example shows these headers:

Return-Path: creechalyse(_at_)verizon(_dot_)net
Received: from adsl-67-126-181-243.dsl.lsan03.pacbell.net ([67.126.181.243] verified)
  by sc1.scconsult.com (Stalker SMTP Server 1.8b9d14)
  with SMTP id S.0000673452 for <bill(_at_)scconsult(_dot_)com>; Wed, 08 Sep 2004 21:05:55 -0400

I find it extremely unlikely that Verizon is ever going to create an SPF record including an LA dynamically-assigned DSL address owned by SBC.

More likely is that the spammers using zombies will follow the Atriks example and create DNS records in their own domains pointing at their hijack victim machines.

The trick to handle that is not obvious, but works great in a reactive way: don't let your MTA resolve names served by the slimeballs.

--
Bill Cole
bill(_at_)scconsult(_dot_)com


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
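
The following is an added example, not part of the original message or of any MTA's own code. It models the three cases discussed above: a compromised host forging another provider's domain, a spammer-run domain whose SPF record lists that host, and a receiver that declines to trust names served by blocklisted nameservers. All domains, addresses, records and function names are constructed for illustration, and only the ip4 and all mechanisms are evaluated.

```python
import ipaddress

# Constructed DNS data (reserved example names and addresses, not real records).
TXT = {
    # A provider that lists only its own outbound range.
    "isp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # A spammer-run domain whose record lists a hijacked host.
    "pills.example": "v=spf1 ip4:198.51.100.77 -all",
}
NS = {
    "isp.example": ["ns1.isp.example"],
    "pills.example": ["ns1.badhost.example"],
}
# Assumed local list of nameservers operated by known spammers.
NS_BLOCKLIST = {"ns1.badhost.example"}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(domain, client_ip):
    """Evaluate the ip4 and all mechanisms of the domain's SPF record."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        elif mech == "all":
            matched = True
        else:
            continue  # other mechanisms are out of scope for this example
        if matched:
            return RESULTS[qualifier]
    return "neutral"


def accept_decision(envelope_domain, client_ip):
    """Check the domain's nameservers before trusting any SPF result."""
    if any(ns in NS_BLOCKLIST for ns in NS.get(envelope_domain, [])):
        return "reject: domain served by blocklisted nameserver"
    result = spf_check(envelope_domain, client_ip)
    return "reject: SPF fail" if result == "fail" else f"continue: SPF {result}"
```

An SPF pass for pills.example says only that the domain's owner authorized the sending address, which is why the nameserver check runs first.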