spf-discuss

Re: [spf-discuss] Can this really be true?

2005-09-24 01:46:10


Dick St.Peters wrote:
The real weakness I see is that large networks don't police
themselves.  In particular, much of the spam getting in here is sent
from MSN or Hotmail via hotmail.com mail relays.  It's all
authenticated mail - not authenticated with SMTP AUTH, but
authenticated nonetheless.

I would argue it is the exact opposite.  Large networks usually have very
tight security policies which wouldn't allow a virus/worm to execute in the
first place.


Those "tight security policies" don't do a thing to prevent spam being
sent from MSN and Hotmail via hotmail.com mail relays.  As an example,
the mail in my mailbox immediately preceding yours was a spam with
envelope from/"Return-Path:", "From:", "X-Originating-Email:", and
"X-Sender:" all being jomicool05(_at_)msn(_dot_)com.  It was received here from
bay5-f4.bay5.hotmail.com [65.54.173.4], so it passed SPF.

MSN put on a header reading "X-Originating-IP: [195.166.237.40]", and
that IP is on the sbl-xbl.spamhaus.org, bl.spamcop.net,
cbl.abuseat.org, and dnsbl.sorbs.net blocklists.  Had the spam been
sent from that IP, my mail system would have rejected it.

So here we have a spammer who can't get his (or her) spam accepted due
to blocklisting getting it through by logging into an MSN account
(i.e., authenticating) and sending it from there, where it not only
can't be blocklisted, but it also passes SPF (and Sender-ID).

Which just reinforces my concerns about ISPs' cavalier attitudes to SMTP log-ins.


Extracted from the article at
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3551246

# 76% of all mail is spam
# 48% of the spam comes from zombies

# 8.7% of all mail comes from domains with an SPF record.
If 76% of this is spam, then 6.612% of all mail is spam from domains with SPF records.
and
# 83% of the mail from domains with an SPF record is spam
This gives 7.221% of all mail is spam from domains with SPF records.
Near enough the same - so the figures withstand a cursory check.

Given that hotmail and msn are probably two of the biggest sources of spam, including individual e-mails from them in the total will inevitably skew the result.

I have sent some feedback and asked for any figures on what percentage of the SPF records involved belong to ISPs.




Spam sent this way is nearly the only spam I get, and it dominates the
spam reports sent by my users to my spam-reporting address.  They
don't like me just saying there's nothing I can do about it, so now I
also tell them Microsoft authorized it.


It's your small business networks with high speed internet
connections and some dumb ass giving every user admin rights on their
workstation that causes this problem.  Well, that and home users.


Those small business networks and home users all have upstream ISPs,
and those ISPs should be policing their networks.  In other words, I do
not think those ISPs' "tight security policies" (which I'm unwilling
to grant even exist in many cases) are the end of their obligation to
prevent spam.  I don't tolerate my users spewing spam, whether or not
it's deliberate.

Agreed - I am currently looking at throttling my users' SMTP sessions for bulk rates, and offering "bulk emailing services" as an extra, so that I will be able to have some control over the injection of larger amounts of e-mail into the system. If I can do it - as a really basic sysadmin - why on earth can the ISPs not do it? The answer is simple - they are afraid to lose customers, so we are not just fighting spam here, we're fighting commercial pressures. :-(

Slainte,
JohnP

-------
Sender Policy Framework: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
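The case described in the thread above, where the connecting relay passes SPF while the address in "X-Originating-IP:" is blocklisted, can be checked on the receiving side. The following is an added example, not part of any poster's message: the sample headers are constructed, the function names are hypothetical, and the resolver is injectable so the logic can be exercised without network access.

```python
import ipaddress
import socket
from email import message_from_string

# Zones as named in the post (a 2005 list; substitute the ones you use).
ZONES = ["sbl-xbl.spamhaus.org", "bl.spamcop.net",
         "cbl.abuseat.org", "dnsbl.sorbs.net"]
LISTED = ipaddress.ip_network("127.0.0.0/8")  # DNSBL "listed" answers

# Constructed sample headers modelled on the message described in the post.
SAMPLE = """\
Received: from bay5-f4.bay5.hotmail.com ([65.54.173.4]) by mx.example.net
X-Originating-IP: [195.166.237.40]
From: sender@msn.example
Subject: constructed sample

body
"""

def originating_ip(raw):
    """Return the IPv4 address in X-Originating-IP, or None."""
    # Assumption: only call this for mail received from the provider's own
    # relay; more than one copy of the header is treated as untrustworthy.
    values = message_from_string(raw).get_all("X-Originating-IP") or []
    if len(values) != 1:
        return None
    try:
        return ipaddress.IPv4Address(values[0].strip().strip("[]"))
    except ipaddress.AddressValueError:
        return None

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: octets reversed, then the zone."""
    return ".".join(reversed(str(ip).split("."))) + "." + zone

def dns_lookup(name):
    """Default resolver: the A record as a string, or None if not listed."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None

def listed_in(ip, zones=ZONES, resolve=dns_lookup):
    """Return the zones whose answer for ip falls in 127.0.0.0/8."""
    answers = {z: resolve(dnsbl_name(ip, z)) for z in zones}
    return [z for z, a in answers.items() if a and ipaddress.ip_address(a) in LISTED]

if __name__ == "__main__":
    ip = originating_ip(SAMPLE)
    print(ip, [dnsbl_name(ip, z) for z in ZONES])
```

A non-empty result from `listed_in` is a scoring or rejection signal for the submitting client that the SPF result for the relay does not provide.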