[Mimedefang] OT but interesting hopefully - Spammers embrace email authentication
Kelson
kelson at speed.net
Tue Sep 7 18:06:56 EDT 2004
Jeff Rife wrote:
> They aren't quick enough. "Throwaway domain" now means "lifetime of
> several hours".

My logs say otherwise: 88% of messages that SpamAssassin labeled this
week have included SURBL hits.

At least for websites, they seem to be fast enough.

Meanwhile, spammers have to buy multiple domain names every day. I
wonder how much overhead that adds?

> SpamAssassin has tests for bad Message-IDs, Message-IDs added by a
> relay, "Received" headers that don't look kosher, MUA identifiers that
> aren't right, etc. They don't catch everything, but they often add
> enough score to push things into the "just discard it" category.

How does that help if the message-IDs, MUA IDs, etc. all look valid?

If someone produces a spam run using software that generates its headers
well, so it claims to be (for example) Outlook with the correct
identifier, has the right Message ID pattern, etc., then uses a
(relatively) obscure forged return address*, what existing mechanisms
are there to determine that the address on the message has been forged?

* By which I mean one that doesn't show up frequently enough for
anti-spam vendors to look for it - i.e. not AOL, Yahoo, PayPal, etc.

On a related note, for anyone who's interested, here's another article
on SPF and reputation systems:
http://story.news.yahoo.com/news?tmpl=story2&u=/zd/20040907/tc_zd/134784

Don't just read the headline, read the whole article. It might give you
a slightly different perspective on the issue.

--
Kelson Vibber
SpeedGate Communications <www.speed.net>