ietf-asrg

[Asrg] Re: Spammers probing for whitelisted addresses?

2006-01-28 08:45:36
Douglas Campbell wrote:

b) two days ago, I added an SPF record to my DNS for the
affected domain.  The SPF record verified correct via
port25.com.
c) the average number of bounces has not decreased since
I added the SPF record.

Two days is a bit short.  In 2004 "my" spammer needed six
months to get the idea.  It was clearly one spammer, the
difference between zero and almost 1.000 bounces and other
backscatter is obvious.  For the first about 6 weeks I had
no FAIL, then it took me another six weeks to figure out
the "zone cut" stuff (never worked), and after that I guess
"my" spammer didn't know what the hell SPF FAIL is until he
tested the then new SA 3.

In 2005 he tried it again for two weeks.  I've reported all
back scatter via SpamCop, then it stopped.  Of course I'm
not sure that SPF FAIL had anything to do with it, spammy
didn't inform me about his strategy.

The bad part about this is that aol is still among the
bouncers, and they are the ones hosting the spammer's
portal pages!

AFAIK AOL ignores SPF FAIL, they're only using SPF PASS for
white-listing.  As it is draft-hutzler-spamops is toothless,
"reject at the MDA" is too little too late.  "Implement and
support 2476bis" is fine, but rather short for a BCP.  IIRC
it doesn't recommend 2476bis 6.1 "enforce submission rights".

Obviously SPF validation must be made part of the top MTA
distributions and enabled by default
                    ^^^^^^^^^^^^^^^^^^
That's a dangerous idea.  You must know what you're doing if
you enable it.  You can only use it at your border MTAs, you
have to white list them if they talk with each other (normal
MX priority scheme as explained in RfC 2821), and you have to
make up your mind about the weird 1123 5.3.6(a) forwarding to
you from third parties.  Ignore them, white list them, talk
with them, whatever you do, it's more than only "enabled by
default".  Minimally you'd know why you use (or don't use)
trusted-forwarders.org.

I'm trying to figure out the politics of this.

Have fun, it's an interesting story.  Technically it's more
on the simple side, but not as simple as "enabled by default".

                            Bye, Frank

SC's view:  <http://www.spamcop.net/fom-serve/cache/329.html>



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
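
The point in the message above about SPF being more than "enabled by default", as an added example that is not part of the original post: a border MTA that checks SPF on every connection rejects legitimate mail relayed by its own backup MX, while one that white lists its own relays and known forwarders does not. Assumptions: all domains and addresses are constructed documentation values, the function names are hypothetical, and SPF evaluation is reduced to `ip4` mechanisms ending in `-all`.

```python
import ipaddress

# Constructed sample data (documentation ranges, not from the post).
SENDER_SPF = {"example.org": ["192.0.2.0/24"]}  # stands in for "v=spf1 ip4:192.0.2.0/24 -all"
OWN_RELAYS = ["198.51.100.25"]                  # our own backup MX relaying to the primary
TRUSTED_FORWARDERS = ["203.0.113.0/24"]         # third parties that forward mail to us


def _in(ip, nets):
    """True if ip falls inside any of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def spf_result(client_ip, mail_from_domain):
    """Simplified SPF check: only ip4 mechanisms with a -all default."""
    nets = SENDER_SPF.get(mail_from_domain)
    if nets is None:
        return "none"          # domain publishes no policy
    return "pass" if _in(client_ip, nets) else "fail"


def naive_decision(client_ip, mail_from_domain):
    """SPF 'enabled by default': every connecting host is checked."""
    res = spf_result(client_ip, mail_from_domain)
    return "reject" if res == "fail" else "accept-" + res


def border_decision(client_ip, mail_from_domain):
    """SPF at the border only: own relays and known forwarders are exempt."""
    if _in(client_ip, OWN_RELAYS):
        return "skip-own-relay"    # the backup MX already faced the real sender
    if _in(client_ip, TRUSTED_FORWARDERS):
        return "skip-forwarder"    # forwarder keeps the original MAIL FROM
    return naive_decision(client_ip, mail_from_domain)


if __name__ == "__main__":
    cases = [
        ("198.51.100.25", "example.org"),  # legitimate mail via our backup MX
        ("203.0.113.7", "example.org"),    # legitimate mail via a forwarder
        ("192.0.2.10", "example.org"),     # direct from the sender's own host
        ("198.51.100.99", "example.org"),  # forged MAIL FROM from an unrelated host
    ]
    for ip, dom in cases:
        print(ip, dom, naive_decision(ip, dom), border_decision(ip, dom))
```

The exemption only makes sense if the backup MX itself performs the SPF check on what it accepts; otherwise forged mail can enter through it unchecked.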
