ietf-asrg

Re: [Asrg] Blacklisting email accounts?

2011-09-06 00:18:26
On Mon, Sep 5, 2011 at 5:22 PM, John Levine <johnl(_at_)taugh(_dot_)com> wrote:

> This wouldn't be useful for bots, but I could see it for stolen
> account spam.  I get a surprising amount of it -- every day after I
> send out the spam reports, I invariably get back several responses
> from postmasters saying, sigh, another phished account.  For bot spam,
> you can just block all mail from the IP, but for stolen accounts, the
> system is OK, and it's just the one address that's spamming.
>
> In my experience, it's not hard to tell the difference.  With stolen
> accounts, the address matches the received lines, and the received
> lines generally have a familiar form of a webmail or Exchange server.

This is exactly what I have seen. In each case, the hand-off MTA
matches their provider, so I know that their provider sent it to me. I
have seen AOL, Hotmail, Yahoo and Comcast. One is a neighbor who I no
longer converse with over email but I know her account is spamming me
(and the entire neighborhood) about sex sites. I can't see her doing
this on purpose :)

In most cases (>75%), it's from people who I have communicated with in
the past and now have no problems with blocking because I don't
communicate with them (over SMTP) currently and have no plans to do
so. If I (or any of the handful of users I MX for) ever did, I'd
remove the line from a text file and it's undone. But I get that there
would be scaling problems for other MXs ;)

Chris' point about whether it was their account used to send the spam
is understandable - I brought up this idea assuming that there is a
pretty good indicator that the account has been owned (e.g. my
neighbor). I find it interesting that I would get mostly spam from
people who I have communicated with and not random FROM addresses on
whatever system has been owned (e.g. random comcast, aol, hotmail,
yahoo users).

I do wish that MSAs would mention the authenticated user that injected
the email. Even if authenticated != SMTP auth. I am sure that this
would have privacy implications.

RE Graeme's suggestion: Thanks much! I will have to compare against my
logs and see if any of these addresses have shown up.

-- 
HTH, YMMV, HANW :)

Jason

The path to enlightenment is /usr/bin/enlightenment.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
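The hand-off check Jason and John describe (does the MTA recorded in my own Received: line belong to the From: domain, or is it a random host that should be IP-blocked?) plus the one-address-per-line blocklist file, as an added example. This is not code from the thread or from any of the providers named in it; the hostnames, addresses, RFC 5737 IPs, the OUR_MX name and both sample messages are constructed, the "(Authenticated sender: ...)" clause is the form Postfix adds when smtpd_sasl_authenticated_header is on, and the two-label "organizational domain" is a simplification (no public-suffix list).

```python
"""Sort inbound spam into 'relayed by the sender's own provider' (block the
address) vs 'delivered directly by some random host' (block the IP), and
look the sender up in a plain-text blocklist.  Added example; all names,
addresses and Received: lines below are constructed."""
import email
import re
from email.utils import parseaddr

# Only the Received: line our own MX stamped is trustworthy; everything
# below it was written by the hand-off system.  Hostname is an assumption.
OUR_MX = "mx.example.org"

# Constructed sample 1: spam injected through the sender's webmail provider.
VIA_PROVIDER = """\
Received: from mail-out.example-webmail.net (mail-out.example-webmail.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTPS id 4AbC
\tfor <jason@example.org>; Mon,  5 Sep 2011 17:30:00 -0400
Received: from webmail.example-webmail.net ([198.51.100.7]) (Authenticated sender: neighbor)
\tby mail-out.example-webmail.net with ESMTPA; Mon,  5 Sep 2011 17:29:58 -0400
From: Neighbor <neighbor@example-webmail.net>
To: jason@example.org
Subject: check this out

hi
"""

# Constructed sample 2: a bot on a residential IP forging the same kind of From:.
VIA_BOT = """\
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby mx.example.org (Postfix) with ESMTP id 7XyZ
\tfor <jason@example.org>; Mon,  5 Sep 2011 17:31:00 -0400
From: Random User <random.user@example-webmail.net>
To: jason@example.org
Subject: check this out

hi
"""


def org_domain(host: str) -> str:
    """Last two labels of a hostname (simplification: no public-suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def parse_received(value: str) -> dict:
    """Extract HELO name, rDNS, IP, receiving host and any Postfix-style
    '(Authenticated sender: X)' clause from one Received: header."""
    v = " ".join(value.split())  # unfold continuation lines
    info = {"helo": None, "rdns": None, "ip": None, "by": None, "auth_user": None}
    m = re.match(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", v, re.I)
    if m:
        info["helo"] = m.group(1).strip("[]")
        if m.group(2):
            paren = m.group(2).strip()
            ipm = re.search(r"\[([0-9a-f.:]+)\]", paren, re.I)
            if ipm:
                info["ip"] = ipm.group(1)
            first = paren.split()[0]
            if not first.startswith("[") and first.lower() != "unknown":
                info["rdns"] = first
    m = re.search(r"\bby\s+(\S+)", v, re.I)
    if m:
        info["by"] = m.group(1)
    m = re.search(r"\(Authenticated sender:\s*([^)]+)\)", v, re.I)
    if m:
        info["auth_user"] = m.group(1).strip()
    return info


def classify(raw: str) -> dict:
    """Compare the hand-off MTA in our own Received: line with the From: domain."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = org_domain(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    received = [parse_received(r) for r in (msg.get_all("Received") or [])]
    # Received: lines are prepended, so index 0 is the one our MX stamped.
    top = received[0] if received and received[0]["by"] == OUR_MX else parse_received("")
    handoff = top["rdns"] or top["helo"] or ""
    relayed = bool(top["rdns"]) and org_domain(top["rdns"]) == from_dom
    auth_user = next((r["auth_user"] for r in received if r["auth_user"]), None)
    return {
        "from_addr": from_addr,
        "handoff_host": handoff,
        "handoff_ip": top["ip"],
        "auth_user": auth_user,
        "verdict": "provider-relayed" if relayed else "direct",
        # stolen account: block just the address; bot: block the IP
        "suggested_block": from_addr if relayed else top["ip"],
    }


def load_blocklist(text: str) -> set:
    """One address per line, '#' comments; unblocking is deleting the line."""
    out = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            out.add(line)
    return out


def is_blocked(raw: str, blocklist: set) -> bool:
    _, addr = parseaddr(email.message_from_string(raw).get("From", ""))
    return addr.lower() in blocklist


if __name__ == "__main__":
    for raw in (VIA_PROVIDER, VIA_BOT):
        print(classify(raw))
    bl = load_blocklist("# stolen accounts\nneighbor@example-webmail.net\n")
    print(is_blocked(VIA_PROVIDER, bl), is_blocked(VIA_BOT, bl))
```

The decision rests only on the rDNS our own MX recorded, never on the HELO name or on lower Received: lines, since those are written by whoever handed the mail off. The authenticated-sender extraction only yields a value when the provider's MSA chose to record one, which is exactly what the post wishes more MSAs did.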