
Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-19 05:16:54


--On 16 October 2009 14:27:28 -0700 David MacQuigg <macquigg(_at_)ece(_dot_)arizona(_dot_)edu> wrote:


> > <http://www.scamnailer.info/> has a script that will update
> > spamassassin or clamav configurations with a list of about 14k
> > addresses that have been used for scamming. I think the S/A rules
> > generalise from those addresses a little.

> I'm having a hard time believing this actually works.  Of the spam
> hitting your receiver, what percent is rejected by finding a *bad*
> individual sender address on the scamnailer list?

I've seen successful spear phishing attacks that would have failed if we'd implemented this check at the time. The proportion doesn't much matter. It's the harm avoided that matters.

> It just doesn't make sense that a spammer with an unlimited supply of
> free unknown addresses would continue using a specific individual sender
> address that is known worldwide as "bad".  Why not just switch to the
> next "unknown" name.  Unknown is always better than definitely bad.

Phishers seem to spend quite a significant amount of effort obtaining addresses with good reputation. For example, I've seen an exchange of emails with a sceptical user, wondering why "we" were asking her for her password when she'd seen our anti-phishing posters. The phisher said "yes, I know, but in this case we really need it." After a few exchanges, she gave up her password.

I've seen academic accounts used for spamming, for a period of several weeks. Usually, such sites will stamp on abuse quite quickly, but not always. It's well worth having an infrastructure that's capable of punishing the account without harming the business relationship that relies on. In fact, I'd welcome an infrastructure that could effectively turn off one of my accounts without getting me out of bed - provided it was free of false positives. I'd certainly prefer it to having my domain switched off.


--
Ian Eiloart
IT Services, University of Sussex
01273-873148 x3148
For new support requests, see http://www.sussex.ac.uk/its/help/

