Ian Eiloart wrote, On 7/2/09 6:23 AM:
> --On 1 July 2009 11:12:13 -0400 Dotzero <dotzero(_at_)gmail(_dot_)com> wrote:
>> On Wed, Jul 1, 2009 at 11:00 AM, John Leslie<john(_at_)jlc(_dot_)net> wrote:
>>> That's closer... But I'd argue that no SPF construct "authorizes"
>>> sending email. In practice, I think it's quite clear that SPF constructs
>>> merely express probabilities.
>>
>> What is the probability that you will receive legitimate email
>> originating from ibm.com?
>>
>> ibm.com text = "v=spf1 -all"
>
> Nil. They don't use the domain for outbound email. They use country
> specific subdomains like @uk.ibm.com.
>
> [...]
>
> Exercise for the reader: why aren't spammers using the @ibm.com domain?

You provided the answer before the question.

Forged sender addresses are predominantly harvested rather than purely
invented or recombinantly assembled. Forged sender spam is mostly the
product of the blatantly criminal segment of spammers whose target lists are
largely harvested from the web, Usenet, and the address books of compromised
systems. In a world where there is a detectable fraction of sites making
some effort to validate senders to the point of SMTP callbacks, the most
economical approach for spammers forging the sender address is to just pull
sender addresses from the same list as targets.

I see this most clearly in blowback like the bounce AOL sent me this
morning. The original spam had been addressed to 'bill(_at_)aol(_dot_)com' with the
sender 'bill(_at_)scconsult(_dot_)com'. That's an address I've used in very public ways
for 15 years, making it a frequent spam target. 99%+ of the direct spam for
it I never see, particularly the flavors using forged senders, but nearly
all of the blowback I get for it is from spam aimed at alphabetically nearby
targets.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
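
The record quoted in the thread, "v=spf1 -all", is the form a domain publishes when it sends no mail at all. The following is an added example, not code from any poster in this thread: a receiver-side check that recognises that form from TXT strings already fetched from DNS. The function names and every sample record other than "v=spf1 -all" are constructed for illustration, and no DNS lookup is performed.

```python
import re

# A modifier is name=value; mechanisms use ':' or '/' after their name instead.
MODIFIER = re.compile(r"^[A-Za-z][A-Za-z0-9._-]*=")
# The version tag must be exactly "v=spf1", followed by a space or end of string.
SPF_VERSION = re.compile(r"^v=spf1( |$)", re.IGNORECASE)


def spf_records(txt_records):
    """Keep only the TXT strings that are SPF version 1 records."""
    return [t for t in txt_records if SPF_VERSION.match(t)]


def sends_no_mail(txt_records):
    """Return True if the domain's single SPF record fails every sender,
    False if some other mechanism is evaluated first, and None if there is
    no usable record (none published, or several, which SPF treats as an
    error rather than picking one)."""
    records = spf_records(txt_records)
    if len(records) != 1:
        return None
    for term in records[0].split()[1:]:
        if MODIFIER.match(term):
            continue  # modifiers (redirect=, exp=) never match a sender themselves
        # Mechanisms are evaluated left to right, so the first one decides:
        # anything placed before "-all" could still authorize a sender.
        return term.lower() == "-all"
    return False  # no mechanisms at all: the result is not a blanket fail


# Constructed sample TXT sets (only the first record text appears in the thread).
SAMPLES = {
    "no-mail domain": ['v=spf1 -all'],
    "mixed TXT, odd case": ['site-verification=constructed', 'V=SPF1   -ALL'],
    "sending domain": ['v=spf1 include:_spf.example.net -all'],
    "softfail only": ['v=spf1 ~all'],
    "two SPF records": ['v=spf1 -all', 'v=spf1 +all'],
    "no SPF record": ['unrelated text record'],
}

if __name__ == "__main__":
    for label, txt in SAMPLES.items():
        print(f"{label:22} -> {sends_no_mail(txt)}")
```

A True result means any message claiming an envelope sender in that exact domain fails SPF; it says nothing about subdomains, which publish their own records.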