> The spam message in this case did not originate from any client or host under
> my control. It did not transit via any of my mail relays. It was a forgery - it
> spoofed my email address in the From header, and unfortunately happened to
> match it up with a To header addressing an IETF mailing list to which I'm
> subscribed.

Yeah, this is a new trend, crooks harvest address books and then do
(from,to) pairwise spamming to take advantage of the common trick of
whitelisting addresses in the recipient's address book.

If you're seeing a lot of forgery, SPF, DKIM, and DMARC will help
somewhat, but since DMARC famously can't tell the difference between
forged spam and mailing lists, I wouldn't turn on any DMARC policies.

History suggests that in a while the bad guys will buy a new spam list and
your bounces will drop back to normal. FWIW I've been using my iecc.com
address since 1993 and my taugh.com address since 2002, both have been
scraped out the wazoo but with normal filtering both remain quite usable.

> Otherwise the only fix that I can imagine is for the IETF to start
> opportunistically filtering list message submissions based on DMARC,
> SPF, and DKIM, as well as performing sender rewriting in the list
> software. Like most things, I imagine the subscribers on this list have
> opinions about this - and I'd be glad to hear them.

Given that we've seen only one or two spams of this sort leak through, I'm
not inclined to do anything about it. An interesting thing to do would be
to instrument the mail, do the various DNSBL, SPF, DKIM, and DMARC checks
on incoming mail and log the results in the message headers. Then we can
gather data to tell us what would happen if we used them to filter.

On my smallish system, I use a few conservative DNSBLs to block mail,
which knocks out about 2/3 of it, then SPF and DKIM as part of the
spamassassin score. I check DMARC but don't do anything beyond logging it
except for a handful of high risk domains like paypal.com where DMARC
failure almost always means phish.

Regards,
John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail.
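
The log-then-measure approach suggested in the message above, as an added example that is not part of the original e-mail: it reads the Authentication-Results headers a receiving MTA has stamped on stored mail and tallies what a reject-on-DMARC-fail filter would have done to list and direct mail. The authserv-id `mx.example.net`, the sample messages and all function names are assumptions constructed for illustration.

```python
import re
from collections import Counter
from email import message_from_string

AUTHSERV_ID = "mx.example.net"   # assumed name our own MTA stamps on its results
RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")

def auth_results(raw):
    """Return ({'spf','dkim','dmarc'} results, came_via_list) for one message."""
    msg = message_from_string(raw)
    found = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for header in msg.get_all("Authentication-Results", []):
        # Only believe results stamped by our own MTA; others may be forged.
        if header.split(";")[0].strip() != AUTHSERV_ID:
            continue
        for method, result in RESULT_RE.findall(header):
            found[method] = result.lower()
    return found, msg["List-Id"] is not None

def what_if(raws, policy):
    """Tally what `policy` would have done, split into list and direct mail."""
    tally = Counter()
    for raw in raws:
        results, via_list = auth_results(raw)
        action = "block" if policy(results) else "deliver"
        tally[("list" if via_list else "direct", action)] += 1
    return tally

def reject_on_dmarc_fail(results):
    return results["dmarc"] == "fail"

# Constructed sample messages, not real traffic.
AR = "Authentication-Results: "
SAMPLES = [
    # Direct mail from the real author.
    AR + "mx.example.net; spf=pass; dkim=pass; dmarc=pass\nFrom: a@author.example\n\nhi\n",
    # Genuine list post: the list footer broke the author's DKIM signature.
    AR + "mx.example.net; spf=pass; dkim=fail; dmarc=fail\nFrom: a@author.example\n"
    "List-Id: <wg.lists.example>\n\nhi\n",
    # Forged From relayed by the list: same DMARC verdict as the genuine post.
    AR + "mx.example.net; spf=pass; dkim=none; dmarc=fail\nFrom: a@author.example\n"
    "List-Id: <wg.lists.example>\n\nspam\n",
    # Direct forgery that also carries a result header from a foreign authserv-id.
    AR + "mx.example.net; spf=fail; dkim=none; dmarc=fail\n" + AR + "other.example; dmarc=pass\n"
    "From: a@author.example\n\nspam\n",
]

if __name__ == "__main__":
    print(dict(what_if(SAMPLES, reject_on_dmarc_fail)))
```

On this constructed data the policy blocks both list messages, genuine and forged alike, which is the measurement the message proposes gathering before any filter is turned on.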