
Re: [Asrg] Blacklisting email accounts?

2011-09-05 22:12:37
On 11-09-05 05:22 PM, John Levine wrote:
> - Most "infected user" spam is designed from the very beginning to be
> difficult or impossible to tell _who_ is infected.
>
> This wouldn't be useful for bots, but I could see it for stolen
> account spam.  I get a surprising amount of it -- every day after I
> send out the spam reports, I invariably get back several responses
> from postmasters saying, sigh, another phished account.  For bot spam,
> you can just block all mail from the IP, but for stolen accounts, the
> system is OK, and it's just the one address that's spamming.
>
> In my experience, it's not hard to tell the difference.  With stolen
> accounts, the address matches the received lines, and the received
> lines generally have a familiar form of a webmail or Exchange server.

In this class of spam, it's generally easy to figure out _where_ the
compromised user existed, and often easy to tell the IP by which it was
compromised, but seldom do you get a correct email address for the
phished account, or at least, not one that you could trust.  That
applies for sendsafe style infections - the originating IP is a _bot_,
and the email is sent via AUTHSMTP (which usually doesn't nail the
From:).   The provider can tell who it was.  The recipient can't.

With the freemails, you usually don't get a reliable email address.
Except for that "break-in and spam contact list" variety.  Which are
quite rare (but highly noticeable when you see one).

Then there's another issue.  How do you signal the DNSBL when the
compromise is fixed?


_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
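The Received-line heuristic discussed in the message above, written out as an added example; it is not part of the original post or of any list member's code. It assumes three constructed sample messages (example.net, example.org, and 192.0.2.x/198.51.100.x/203.0.113.x are documentation domains and addresses) and a simplified Received-line grammar (`from HELO (rdns [ip]) by HOST ... with PROTO`). It separates the three cases the thread distinguishes: a message accepted by the sender's own provider (block the address, tell the provider, note the originating IP), a message submitted with SMTP AUTH through an unrelated relay (the From: cannot be trusted, only the relay's postmaster can identify the account), and a message delivered straight from an IP with no corroborating hop (block the IP).

```python
import email
import email.utils
import re

# Simplified Received-line grammar; real headers vary far more than this.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"
    r"(?:\s+\((?P<rdns>[^\s\[\)]+)?\s*\[(?P<ip>[0-9A-Fa-f.:]+)\]\))?"
    r".*?\bby\s+(?P<by>\S+)"
    r".*?\bwith\s+(?P<proto>\S+)",
    re.S,
)

# RFC 3848 "with" keywords that mean the hop used SMTP AUTH.
AUTH_PROTOCOLS = {"ESMTPA", "ESMTPSA"}

# Constructed sample messages (not real mail). Headers are listed the way
# a receiving MX sees them: topmost hop is the one that delivered to us.
STOLEN_ACCOUNT_MSG = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbound.example.org with ESMTP id abc123
\tfor <victim@example.org>; Mon, 05 Sep 2011 17:01:02 -0400
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby webmail.example.net (Postfix) with ESMTPA id def456
\tfor <victim@example.org>; Mon, 05 Sep 2011 17:01:00 -0400
From: Alice <alice@example.net>
To: victim@example.org
Subject: hi

Check this out
"""

BOT_MSG = """\
Received: from dsl-198-51-100-23.example.isp (unknown [198.51.100.23])
\tby inbound.example.org with ESMTP id ghi789
\tfor <victim@example.org>; Mon, 05 Sep 2011 17:05:00 -0400
From: Alice <alice@example.net>
To: victim@example.org
Subject: hi

Check this out
"""

RELAY_MSG = """\
Received: from smtp.relayprovider.example (smtp.relayprovider.example [192.0.2.20])
\tby inbound.example.org with ESMTP id jkl012
\tfor <victim@example.org>; Mon, 05 Sep 2011 17:09:02 -0400
Received: from [198.51.100.23] (unknown [198.51.100.23])
\tby smtp.relayprovider.example (Postfix) with ESMTPA id mno345
\tfor <victim@example.org>; Mon, 05 Sep 2011 17:09:00 -0400
From: Alice <alice@example.net>
To: victim@example.org
Subject: hi

Check this out
"""


def parse_received(msg):
    """Return the parsed Received hops, topmost (closest to us) first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if not m:
            continue  # unparseable hop: skip it rather than trust it
        hop = m.groupdict()
        hop["proto"] = hop["proto"].upper()
        hop["by"] = hop["by"].rstrip(".;,")
        hops.append(hop)
    return hops


def same_org(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    host = (host or "").lower()
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def classify(raw):
    """Apply the thread's heuristic and say what the recipient can act on."""
    msg = email.message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    hops = parse_received(msg)
    if not hops or not from_domain:
        return {"verdict": "unparseable", "block": None}
    # Walk from the origin forward, looking for the hop where a mail
    # provider accepted the message from the sender.
    for hop in reversed(hops):
        if same_org(hop["by"], from_domain):
            # The From: domain's own server handed it on: the account,
            # not the system, is the problem. Block the address, report
            # it, and keep the IP the account was used from.
            return {"verdict": "compromised_account", "block": addr,
                    "origin_ip": hop["ip"],
                    "report_to": "postmaster@" + from_domain}
        if hop["proto"] in AUTH_PROTOCOLS:
            # Authenticated submission through a relay unrelated to the
            # From: domain: the From: is unverifiable here; only the relay
            # operator can map the session to an account.
            return {"verdict": "authenticated_relay_untrusted_from",
                    "block": None, "origin_ip": hop["ip"],
                    "report_to": hop["by"]}
    # No hop corroborates the From: address: treat as direct bot/forgery
    # and act on the IP that connected to our MX.
    return {"verdict": "bot_or_forged", "block": hops[0]["ip"],
            "origin_ip": hops[0]["ip"], "report_to": None}


if __name__ == "__main__":
    for name, sample in [("stolen", STOLEN_ACCOUNT_MSG),
                         ("bot", BOT_MSG), ("relay", RELAY_MSG)]:
        print(name, classify(sample))
```

The `same_org` check is deliberately loose (any subdomain of the From: domain counts as "the provider's own server"), which is the part a forger can game, so it is a triage aid for a postmaster's report queue, not a blocking decision on its own.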