On Jun 2, 2010, at 12:28 PM, Brett McDowell wrote:
> On Jun 2, 2010, at 2:41 PM, Steve Atkins wrote:
>> Second...
>>
>> steve$ host -t txt _adsp._domainkey.paypal.net
>> _adsp._domainkey.paypal.net has no TXT record
>> steve$ host -t txt paypal.net
>> paypal.net has no TXT record
>>
>> ... I wasn't going to mention it, but you brought it up. The MX for
>> paypal.net will also give a 2xx response to any RCPT TO in the paypal.net
>> domain.
>
> ...and I wasn't going to mention that I tried to work with you off-list to
> get more information about your phish from paypal.net but you didn't respond.
> If you get a chance, please do send that along.

I did[1].

It looks like your mailsystem is discarding email it shouldn't. There's a copy
at http://tupid.org/paypal1.txt if you can't find it.

It seems that paypal is not currently monitoring phishing, nor doing anything
to deter it, on 99.9% of the domains they own, so have no real idea of what
phishing is going on.

Pointing those thousand domains at a catch-all mailserver with a wildcard MX
and looking for bounces and spamfilter rejections might be a good way of
getting metrics about how phishers respond to domains being owned by paypal
over time. Those same metrics after adding SPF and ADSP records for those
domains over time would be interesting.

http://blog.wordtothewise.com/2010/05/how-to-disable-a-domain/ has some
examples of how to set those up.

That's the sort of data gathering I was suggesting you do, rather than just a
bald count of DNS queries, when I looked at the numbers for my mailbox.
(There's a copy of my raw data at http://tupid.org/paypal1.sql.txt if anyone is
interested in running their own model against it.)

(I'm not going to respond to the other misunderstandings unless someone really
wants me to. I'm guessing most people are long past tl;dr at this point.)

Cheers,
Steve

[1] May 28 13:54:47 fruitbat postfix/smtp[31990]: DA551814E6:
to=<bmcdowell(_at_)paypal(_dot_)com>, relay=gort.ebay.com[216.113.167.215]:25,
delay=0.74, delays=0.17/0/0.45/0.11, dsn=2.0.0, status=sent (250 ok: Message
769193797 accepted)
_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
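
Added example, not part of the original message or of any code from its author: a small audit that applies the two `host -t txt` checks shown above (the domain's own TXT for SPF, and `_adsp._domainkey.<domain>` for ADSP) across a list of owned domains. The `example` domain names, the `SAMPLE_TXT` table and the `lookup` callback are constructed assumptions; in real use `lookup` would wrap a DNS resolver.

```python
# Constructed sample data: TXT answers keyed by query name, standing in for
# live DNS lookups. The parked-*.example names are placeholders.
SAMPLE_TXT = {
    "parked-a.example": ["v=spf1 -all"],
    "_adsp._domainkey.parked-a.example": ["dkim=discardable"],
    "parked-b.example": ["google-site-verification=abc", "v=spf1 ~all"],
    "_adsp._domainkey.parked-b.example": ["dkim=unknown"],
    # parked-c.example publishes no TXT records at all
}

ADSP_VALUES = {"unknown", "all", "discardable"}  # practices defined in RFC 5617


def spf_policy(txt_records):
    """Return the record's 'all' term with qualifier, or none/multiple/no-all."""
    spf = [r for r in txt_records
           if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    if not spf:
        return "none"
    if len(spf) > 1:
        return "multiple"  # more than one SPF record is a permanent error
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term if term[0] in "+-~?" else "+all"
    return "no-all"


def adsp_practice(txt_records):
    """Return the dkim= practice of an ADSP record, or 'none'."""
    for record in txt_records:
        # An ADSP record must start with the dkim tag; anything else is ignored.
        key, _, value = record.split(";")[0].partition("=")
        if key.strip().lower() == "dkim" and value.strip().lower() in ADSP_VALUES:
            return value.strip().lower()
    return "none"


def audit(domains, lookup):
    """Map each domain to (spf, adsp, verdict); lookup(name) -> list of TXT strings."""
    report = {}
    for domain in domains:
        spf = spf_policy(lookup(domain))
        adsp = adsp_practice(lookup("_adsp._domainkey." + domain))
        locked = spf == "-all" and adsp == "discardable"
        report[domain] = (spf, adsp, "locked" if locked else "gap")
    return report


if __name__ == "__main__":
    names = ["parked-a.example", "parked-b.example", "parked-c.example"]
    for name, row in audit(names, lambda q: SAMPLE_TXT.get(q, [])).items():
        print(name, *row)
```

Only domains that send no mail should be expected to reach the "locked" verdict; a domain that does send mail will legitimately show a different SPF term.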