
RE: SPF abused by spammers

2004-09-13 11:30:53

On Mon, 13 Sep 2004, Sauer, Damon wrote:

[snip]

Going back to my spam examination where you are examining a spam
message: Suppose the IP address in the received from header no
longer matches the SPF records:  In this case you don't know if
your SPF check passed because DNS records were spoofed, or if the
real DNS records were changed.  All you know is that you got a
spam from a certain IP address.  You don't know whether it was
forged or not.

So the IP address changes. So does the SPF record. The two should not be
out of sync. This is an administrative issue.

I don't think you read my message.  I'm analyzing the case where they are
either out of sync (above) and in sync (below).  In either case, you
cannot make any decision based on SPF records.

Suppose the IP address in the received header does match the SPF
records.  You don't know if the abuser signed up for an account
with that domain, or if they got an infected machine under that
domain. You don't know whether the nameserver was cracked, and
incorrect records added. Most people can't tell the difference
between a poisoned DNS cache and whether the records really come
from an authoritative nameserver or even figure out where they got
the DNS record from.  So, similarly, all you really know is that
you got a spam from a certain IP address.

That is not at ALL what it means. What it means is: It failed. It must
and will fail. Just because the SPF record belongs to a spammer and the
SPF check doesn't fail DOES NOT mean that SPF failed. It means it
SUCCEEDED.

You've yet to explain this---wait, that's how this thread started---and
that claim is bogus, given that we've come full circle.

They already do this. Every day.  You seem to be saying that 
AOL sends no spam, and has no spammers, no viruses, no stolen 
accounts???


This is a very low percentage of spam and killable using other methods.

Well, my experience is that such spam is nearly the entire spamload, and
is not easily 'killable by other methods', but more importantly, is not
killable by THIS method.

If indeed you do work for Bell South, I expect you must know that viruses 
are sending significant amounts of spam.  Are you really speaking from 
direct experience?

I note that you wrote this notion as an admin for Bell South.
Has Bell South been able to clean spammers out of Bell
South? Or clean virus infections out of Bell South?  Or make
it impossible for Bell South users to get viruses, worms,
etc? Or do they just whack them as they find them?
Or is this just another "blind faith" that you //think// will happen?

If you've found some special immunity from spammers/viruses/worms,
then I think you should share that. //That// would be far more
valuable than SPF.  If we could prevent spammers/viruses/worms then we
wouldn't need anti-spam tools at all.

My opinions in this discussion group have always been, and always will
be, my own. I delete my 'official' signature before I send any email to
this group. If I wished to make an 'official' comment, it would be
marked as such. Most people here know who I am and what I do. This lends
itself to my credibility in a technical discussion, as I have direct,
volumetric, and personal experience in direct relation to the issues. I
hope you will understand why I believe the above is completely
inappropriate and request that my employer not be brought into the
discussion.

Well, you should only say things that you know from experience, then.  
And you should avoid suggesting that somehow Bell South or //anyone else//
has some magic bullet that prevents spammers from signing up for their
services, or prevent viruses from infecting their users.


http://www1.ietf.org/mail-archive/web/asrg/current/msg00334.html
=========================================================================
 As someone who has blocked over 1.1 billion spam messages last year at
49.8tb, I have come up with a few things that I would like to see
discussed or implemented in some fashion.

 I call it "Spam herding", the migration of spammers off of legitimate
ISPs and networks, to more "rogue" networks and ISPs. Once there, they
can be penned, trapped and killed. (skinning is preferred by me)

 If they don't do it already, legitimate ISPs should close port 25. Route
all SMTP traffic through their own servers and staff their abuse
departments with enough people empowered to take direct and immediate
action in spamming issues and in a timely fashion.

 ISPs should track credit cards. If an account is disabled for abuse
(investigated and found to have merit) this credit card should be flagged
by the ISP. All accounts established and/or associated with this card
disabled and no further orders from this card should be taken.

 Charge for overuse of SMTP, over a certain level, for commercial email.
Want to send 100,000 commercial emails? Charge a penny a piece over
10,000. This will not hurt list-serves as they are not commercial in
nature and John Q. Public won't send 100,000 emails in his life.
 If you want to send legitimate commercial email, it is a value add
service and should be charged for accordingly.
=========================================================================

I note that this entire message is very self-confident, and seems like it 
has some technical experience, but is extremely flawed:

1) I already discredited the spam-herding notion. 

2) Can't block port 25.  Perhaps residential ISPs can. But again, their 
user has relay services by the ISP. Those relay services continue until 
the account is canceled.  Abusers can use those relay services, too.

3) Credit card tracking is probably already done, but credit card services
exist to provide 'per-use' credit cards.  Plus, there are 30,000 ISPs
where the card can be used. So a single credit card has a long lifetime in
spammer disposable accounts. (even completely ignoring pink contracts)

4) Usage accounting for SMTP is hard. People have in fact tried it.  It's
hard to keep the stats without slowing down email. However, a large stable
of virus infected machines can send a lot of spam at low rates from each 
machine. 

5) None of this prevents disposable accounts or stolen accounts.
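The argument above turns on what an SPF result actually asserts. The following is an added illustration, not code from the thread or from any SPF implementation: a minimal evaluator (ip4/ip6 mechanisms and `all` only) run against a constructed in-memory stand-in for DNS, with hypothetical domains and addresses, showing that a spammer's ISP account and a spammer's self-registered domain both yield "pass", and that re-checking a logged IP after the record changed yields "fail" without revealing why.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups; none of these are real records.
DNS_AT_DELIVERY = {
    "legit-isp.example": "v=spf1 ip4:203.0.113.0/24 -all",     # ISP relay range
    "spammer-signup.example": "v=spf1 ip4:198.51.100.7 -all",  # spammer's own domain
}
# The same zone after the ISP renumbered its relays (the "out of sync" case).
DNS_LATER = dict(DNS_AT_DELIVERY,
                 **{"legit-isp.example": "v=spf1 ip4:203.0.113.64/26 -all"})

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, dns):
    """Evaluate a minimal SPF subset: ip4/ip6 mechanisms and 'all' with qualifiers.

    Returns one of pass/fail/softfail/neutral/none. A 'pass' means only that
    the domain's published policy lists this IP; it carries no reputation.
    """
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1 "):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return RESULT[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            # Address-family mismatch simply does not match the network.
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return RESULT[qualifier]
        # a, mx, include and exists are not modelled here; unknown terms are skipped.
    return "neutral"


def spf_scenarios():
    """Map each situation from the discussion to the SPF result an MTA would see."""
    return {
        "spammer signed up at the ISP and mails via its relay":
            check_spf("203.0.113.10", "legit-isp.example", DNS_AT_DELIVERY),
        "spammer mails from a domain he registered himself":
            check_spf("198.51.100.7", "spammer-signup.example", DNS_AT_DELIVERY),
        "forged sender, IP outside the published range":
            check_spf("192.0.2.99", "legit-isp.example", DNS_AT_DELIVERY),
        "same logged IP re-checked after the ISP renumbered":
            check_spf("203.0.113.10", "legit-isp.example", DNS_LATER),
    }
```

The first two scenarios return "pass" and the last two return "fail", so neither outcome by itself separates a spammer from a legitimate sender; that is the distinction between authorization and reputation the message is drawing.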



