ietf-smtp

Re: Do the must 'bounce' rules need to be relaxed for virus infected

2004-03-26 20:06:45


----- Original Message ----- 
From: "Arnt Gulbrandsen" <arnt(_at_)gulbrandsen(_dot_)priv(_dot_)no>
To: "Valdis Klētnieks" <Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu>
Cc: <ietf-smtp(_at_)mail(_dot_)imc(_dot_)org>
Sent: Friday, March 26, 2004 2:40 PM
Subject: Re: Do the must 'bounce' rules need to be relaxed for virus
infected

Oh, I see. Do they really look for that? What would a virus do?

  if valid address
    go on, try another
  else
    try another

<g>

I agree that a spammer could potentially use that information. But do
they?

Good question.  But I have almost given up on trying to "understand" the
spammer behavior.  I think the only relationship is that many of them are
"working" together in some form or fashion.

But at a technical level, I don't think they are doing much to combat recent
antispam efforts.

I still see an unchanging volume of spam to addresses that have
been bouncing for four years or more, and that experience matches
everything I've heard.

And you can add me to this as well.   I had addresses since the 80s and
early 90s, then dropped them in 98/99 for spam abuse and I still see them
today.   People get a mailing list and just pass (resell) it on and on.  It's 1
or 2 million and whatever and they turn on the bulk mailer and let it go.

I agree. It is a red herring today that spammers use the response to
validate an address.  A) It is already in their database, and B) saying
"250 user ok" is only going to put more weight on it.  Not less.  Even if it is
seen to get no hits, it just gets put on a different list and resold at a
lower cost.  It does not look like they throw away the address.  No money in
that.

(in other words, the same information leak that closed EXPN and VRFY
down).

 Only a little more expensive.

The problem with these is that they can be used without authentication or
trust.

In all my accumulated logs for the past 5-7 months,  if I recall seeing 1
VRFY attempt, that would be a lot.

I think it can be brought back with some restrictions because:

a) Currently spammers are not using it,

b) I have a strong inclination that these spammers are more stupid than we
think.  They are not changing SMTP software to add smarts to combat recent
protocol level enforcement stuff.   What they are changing is the mail
content to fool the post-SMTP filters and Bayesian stuff.

-- 
Hector Santos, Santronics Software, Inc.
http://www.santronics.com
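
Added example (not part of the original message or of any poster's software): one way to check SMTP session logs for the address-probing behaviour discussed in this thread, counting VRFY/EXPN commands and rejected RCPT TO commands per client. The log format, the sample lines, the function names and the thresholds are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format: time, client IP,
# C:/S: direction, SMTP line). IPs are from documentation ranges.
SAMPLE_LOG = """\
20:01:08 192.0.2.10 C: RCPT TO:<alice@example.com>
20:01:08 192.0.2.10 S: 250 user ok
20:02:11 198.51.100.7 C: MAIL FROM:<>
20:02:11 198.51.100.7 S: 250 ok
20:02:12 198.51.100.7 C: RCPT TO:<aaron@example.com>
20:02:12 198.51.100.7 S: 550 no such user
20:02:12 198.51.100.7 C: RCPT TO:<abby@example.com>
20:02:12 198.51.100.7 S: 550 no such user
20:02:13 198.51.100.7 C: RCPT TO:<adam@example.com>
20:02:13 198.51.100.7 S: 250 user ok
20:03:30 203.0.113.5 C: VRFY postmaster
20:03:30 203.0.113.5 S: 252 cannot verify
"""

LINE = re.compile(r"^\S+ (?P<ip>\S+) (?P<dir>[CS]): (?P<text>.*)$")

def probe_stats(log_text):
    """Per-client counts of VRFY, EXPN, RCPT and rejected (5xx) RCPT."""
    stats = defaultdict(lambda: {"vrfy": 0, "expn": 0, "rcpt": 0, "rcpt_5xx": 0})
    pending = {}  # client IP -> verb of the last command awaiting a reply
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # ignore lines that are not in the assumed format
        ip, text = m["ip"], m["text"]
        if m["dir"] == "C":
            verb = text.split(None, 1)[0].upper() if text.strip() else ""
            pending[ip] = verb
            if verb in ("VRFY", "EXPN", "RCPT"):
                stats[ip][verb.lower()] += 1
        elif pending.pop(ip, None) == "RCPT" and text.startswith("5"):
            stats[ip]["rcpt_5xx"] += 1
    return dict(stats)

def address_probers(stats, min_rcpt=3, reject_ratio=0.5):
    """Clients that used VRFY/EXPN or had most of their RCPTs rejected."""
    return sorted(
        ip for ip, s in stats.items()
        if s["vrfy"] or s["expn"]
        or (s["rcpt"] >= min_rcpt and s["rcpt_5xx"] / s["rcpt"] >= reject_ratio)
    )
```

Run over months of real logs, the per-client counts give the kind of figure quoted above (how many VRFY attempts were actually seen) instead of a recollection.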