At 3:43 PM -0400 9/10/04, Barry Shein wrote:
> Spammers no longer use static domains, and they haven't for years.

Some still do, but they are untouched by SPF anyway.

> Spammers use ZOMBIE PCs.

Yes, and those are quite hard to get into SPF records.

> These are virus-infected PCs which let spammers do whatever they like
> with them, such as cause those PCs to send out millions of e-mail
> messages.
>
> So, you get an e-mail from viagra(_at_)adsl-24-73-19-222(_dot_)att(_dot_)net
> and it's SPF OK.

Why would AT&T create an SPF record for that name?

The more common scenario NOW is that the mail is offered with an
envelope sender in some other domain. For many months one persistent
zombie spammer seemed fixated on using msn.com addresses. In digging
through the few of these that get past the Spamhaus XBL and my local
list, the latest example shows these headers:

  Return-Path: creechalyse(_at_)verizon(_dot_)net
  Received: from adsl-67-126-181-243.dsl.lsan03.pacbell.net ([67.126.181.243] verified)
    by sc1.scconsult.com (Stalker SMTP Server 1.8b9d14)
    with SMTP id S.0000673452 for <bill(_at_)scconsult(_dot_)com>; Wed, 08 Sep 2004 21:05:55 -0400

I find it extremely unlikely that Verizon is ever going to create a
SPF record including an LA dynamically-assigned DSL address owned by
SBC.

More likely is that the spammers using zombies will follow the Atriks
example and create DNS records in their own domains pointing at their
hijack victim machines.

The trick to handle that is not obvious, but works great in a
reactive way: don't let your MTA resolve names served by the
slimeballs.

--
Bill Cole
bill(_at_)scconsult(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
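
The two cases discussed in the message above, as an added example that is not part of the original post: an SPF check applied to a forged envelope sender offered from a zombie address, and a spammer-owned domain whose SPF record lists that zombie, which passes SPF and is caught only by a local list of nameservers. The domains, records and nameserver names are constructed, only the ip4: and all mechanisms are evaluated, and checking a domain's NS set is an assumed way to model "don't resolve names served by" a listed operator.

```python
import ipaddress

# Constructed DNS data (not real records). TXT holds published SPF policies,
# NS holds each domain's authoritative nameservers.
TXT = {
    "bigisp.example": "v=spf1 ip4:192.0.2.0/24 -all",
    # Spammer-owned domain that lists a hijacked machine as a permitted sender.
    "pills.example": "v=spf1 ip4:67.126.181.243 -all",
}
NS = {
    "bigisp.example": ["ns1.bigisp.example"],
    "pills.example": ["ns1.slimeball.example"],
}
# Local, reactively maintained list of nameservers the MTA will not trust.
BAD_NS = {"ns1.slimeball.example"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(client_ip, domain):
    """Evaluate a narrow SPF subset: ip4: and all, with qualifiers."""
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        mech = term.lstrip("+-~?")
        matched = mech == "all" or (
            mech.startswith("ip4:")
            and ip in ipaddress.ip_network(mech[4:], strict=False)
        )
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"


def mta_decision(client_ip, envelope_sender):
    """Apply the nameserver list first, then SPF on the envelope sender domain."""
    domain = envelope_sender.rsplit("@", 1)[1].lower()
    if BAD_NS & set(NS.get(domain, [])):
        return "reject: domain served by listed nameserver"
    result = spf_result(client_ip, domain)
    return "reject: spf fail" if result == "fail" else "accept: spf " + result
```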