spf-discuss

Re: [spf-discuss] SPF, DKIM, and NIH

2009-10-19 10:02:48
Ian Eiloart wrote:

> --On 16 October 2009 14:27:28 -0700 David MacQuigg <macquigg@ece.arizona.edu> wrote:
>
>> OK, I think I understand now what you mean by "sender".  Sender
>> (individual author) addresses are worthless to identify bad senders.
>> See above.
>
> That's simply not my experience. I've seen spear phishing attacks from
> gmail accounts that are listed on blacklists. The blacklisting of
> sender addresses does have value to me.
>
>> I wasn't aware of any blacklists of individual sender addresses. I would
>> like to give it a try.  Where can I find one?
>
> <http://www.scamnailer.info/> has a script that will update spamassassin or clamav configurations with a list of about 14k addresses that have been used for scamming. I think the S/A rules generalise from those addresses a little.
>
>> I'm having a hard time believing this actually works. Of the spam hitting your receiver, what percent is rejected by finding a *bad* individual sender address on the scamnailer list?
>
> I've seen successful spear phishing attacks that would have failed if we'd implemented this check at the time. The proportion doesn't much matter. It's the harm avoided that matters.

"Would have" is not enough. Too many websites like this are selling snake oil. Let us know when you have some actual experience using a product or service.

Effectiveness (percent rejected) does matter. Even if the product were free, the install and admin costs would need to be justified by more than one remarkable instance. With spam and phishing, the game is numbers. Criminals get about one in 12 million "click through". Good anti-spam services get well over 99% blocking. A technique that blocks less than 1% is not worth considering.

>> It just doesn't make sense that a spammer with an unlimited supply of
>> free unknown addresses would continue using a specific individual sender
>> address that is known worldwide as "bad".  Why not just switch to the
>> next "unknown" name.  Unknown is always better than definitely bad.
>
> Phishers seem to spend quite a significant amount of effort obtaining addresses with good reputation. For example, I've seen an exchange of emails with a sceptical user, wondering why "we" were asking her for her password when she'd seen our anti-phishing posters. The phisher said "yes, I know, but in this case we really need it." After a few exchanges, she gave up her password.

Some users are beyond help. They need a bad experience to learn how to recognize phishing. In fact, I would argue that getting rid of *all* phishing would lead to less frequent, but more serious problems. We need at least a few "fire drills" to keep users alert.

> I've seen academic accounts used for spamming, for a period of several weeks. Usually, such sites will stamp on abuse quite quickly, but not always. It's well worth having an infrastructure that's capable of punishing the account without harming the business relationship that relies on it. In fact, I'd welcome an infrastructure that could effectively turn off one of my accounts without getting me out of bed - provided it was free of false positives. I'd certainly prefer it to having my domain switched off.

Just keep the domain owner informed as you lower their reputation, and the good ones will take care of the problem promptly. There is no need to "switch off" a domain. Once their reputation has dropped from A to C, it can stay that way forever. C is the same as unknown. All mail from unknown domains can be processed by your normal spam filtering setup, and sorted into a quarantine, depending on the spam score of the message.

-- Dave


