spf-discuss

Re: Unified SPF Algorithm (was: moving on from MARID)

2004-10-01 04:35:49
Len Conrad wrote:

Do you have any evidence that this is taking place?
My impression is that such dictionary attacks for address harvesting may
have been a tactic in the late 90's, but the volume of spam today seems to
be running completely open loop, with spammers not bothering to check which
names are delivered/rejected, not cleaning their databases, but just
sending volumes blindly.

No, I have no evidence that this is still happening, but I have seen
evidence from Apache James users that it has been seen in the past couple
of years.

And, even if there is address harvesting taking place, since when is having
the address of a valid recipient sufficient for delivery?

It may be sufficient for someone to sell a list of valid addresses, if they
are used by someone else who, as an unknown new participant, can get
messages past checks.

It is not my experience that there are many cases of spatter-gun spam
attacks on domains.

The Apache James server doesn't reject based upon RCPT TO, but won't
attempt to deliver the mail either; it is a blackhole for spam.
It passes all the public tests for open-relays we've tried it against, and
we have had very, very few reports of mail being targeted against James to
unknown users.
What we see is spam targeted against real users, and as James doesn't imply
real addresses by rejecting RCPT TO they must have been culled from
elsewhere.

The point is that if we do encourage explicit rejection of RCPT TO we
enable this harvesting.
All that I'm suggesting is that we wait for all three of HELO/EHLO, MAIL
FROM and RCPT TO before rejecting with a generic "service unavailable" to
cover fails in _any_ of the three rather than explicitly reject "unknown
user" in response to RCPT TO.

In the end I don't think this is a big issue, but I had 2c so I thought I'd
share them.

d.
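
The two reply policies contrasted in the message above, as an added sketch that is not part of the original post and is not Apache James code. The mailbox names, the HELO and MAIL FROM checks and the reply strings are constructed stand-ins.

```python
# Added illustration: per-command rejection vs. one deferred generic reply.
KNOWN_USERS = {"alice", "bob"}              # constructed local mailboxes
FAILING_SENDERS = {"forged@example.net"}    # constructed: MAIL FROM check fails

def helo_ok(helo):
    return "." in helo                      # stand-in HELO/EHLO check

def mail_from_ok(sender):
    return sender not in FAILING_SENDERS    # stand-in MAIL FROM (e.g. SPF) check

def rcpt_ok(rcpt):
    return rcpt.split("@", 1)[0].lower() in KNOWN_USERS

def explicit_policy(helo, sender, rcpt):
    """Reject each command as soon as its own check fails, naming the cause."""
    if not helo_ok(helo):
        return ("550 HELO rejected",)
    if not mail_from_ok(sender):
        return ("250 OK", "550 Sender rejected")
    if not rcpt_ok(rcpt):
        return ("250 OK", "250 OK", "550 Unknown user")
    return ("250 OK", "250 OK", "250 OK")

def deferred_policy(helo, sender, rcpt):
    """Accept HELO and MAIL FROM, decide at RCPT TO, give one generic reply."""
    passed = helo_ok(helo) and mail_from_ok(sender) and rcpt_ok(rcpt)
    last = "250 OK" if passed else "554 Service unavailable"
    return ("250 OK", "250 OK", last)

# Constructed sessions, each failing exactly one of the three checks.
FAILING_SESSIONS = [
    ("localhost", "ok@example.com", "alice@example.org"),               # bad HELO
    ("mail.example.com", "forged@example.net", "alice@example.org"),    # bad MAIL FROM
    ("mail.example.com", "ok@example.com", "nosuchuser@example.org"),   # unknown user
]

def failure_transcripts(policy):
    """Distinct reply sequences a client sees across the failing sessions."""
    return {policy(*session) for session in FAILING_SESSIONS}

if __name__ == "__main__":
    for name, policy in (("explicit", explicit_policy), ("deferred", deferred_policy)):
        print(name, sorted(failure_transcripts(policy)))
```

Under these assumptions the explicit policy produces three distinguishable rejections and the deferred policy produces one, so a rejection no longer says whether the mailbox was the reason. A session whose HELO and MAIL FROM both pass still gets 250 only for an existing mailbox, so the generic reply hides the cause of a rejection rather than every difference between known and unknown recipients.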

