At 4:04 PM -0500 12/5/04, Michael Kaplan imposed structure on a
stream of electrons, yielding:
[...]
There seems to be some concern that this system will effectively
'Joe Job' innocent people. I don't see the clear incentive for
spammers to do this - why not just use a forged address?
As a somewhat tangential note, I think 'joe job' is a bit overbroad
in this context. Its origin was a very conscious, intentional,
targeted, and successful attempt to smear a hosting provider who had
kicked the particular spammer off of his service. That sort of attack
is pretty rare.
What is very common is simple random forgery of working addresses.
I'm not convinced that most spammers have thought this through well,
but at this point I think most of them have figured out that the
envelope sender's domain had best be resolvable to a plausible path
for mail delivery, because it is very easy to reject mail without
that. More recently some unwisely managed mail systems (such as
Verizon's) have taken up the dangerous practice of blocking inbound
SMTP sessions while they confirm that the offered envelope sender is
acceptable to a machine that would have to accept mail for it. This
sort of ill considered 'verification' has led to an environment
where using fully bogus addresses is somewhat less functional than
using fully functional ones, but the last thing that the low-end
spammers want to do is provide their own working addresses.
I don't
personally know anyone who was Joe jobbed. Is this that common?
In the random forgery sense, it is extremely common. However, the way
most forged-sender spam is send and rejected these days pretty well
hides the extent of that problem from most users, because most of the
spam that is rejected is rejected in SMTP at the exterior MX for the
target domain, and only the spammer's own SMTP engine sees the
rejection, not some real SMTP client that will bounce the rejected
message. There are still a lot of exceptions to that in absolute
numbers, but not so much that most people whose addresses have been
forged will ever know about it.
The idea that ANY email address which is actually used can be kept
secret from all spammers is fundamentally flawed. As long as people
are dumb enough to use Windows and other people continue to mail
them, email addresses will leak to spammers, because the low end of
the spammer genus has effectively become one with the swarm of
malware authors who prove daily how bad MS-ware really is.
Also if spammers know your address then you can solve the problem by
activating my system and using a sub-address.
There's no need to use a system with an intrinsically abusive C/R
aspect and/or the text-hostile CAPTCHA model to use tagged addresses.
For example, I'm on my 4th special address used only for posting to
this mailing list. The prior 3 all have had spam (and malware)
directed at them as a result of what appear to be innocent fools
reading this mailing list.
--
Bill Cole
bill(_at_)scconsult(_dot_)com
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg