[Mimedefang] OT but interesting hopefully - Spammers embrace email authentication

Jeff Rife mimedefang at nabs.net
Tue Sep 7 16:59:58 EDT 2004


On 7 Sep 2004 at 9:21, Kelson wrote:

> My point was not to compare SURBL to SPF, but to use SURBL as an
> example of how quickly anti-spam solutions can react to spammers
> setting up throwaway domains.

They aren't quick enough.  "Throwaway domain" now means "lifetime of 
several hours".  That's too quick for anything really accurate to keep 
up with.

>                                If SPF (or something similar) can
> tell you that the message definitely came from XYZ, and you have a
> list of spammers' domains that includes XYZ, bang, you know it's
> spam and you can kick it out before they finish sending the headers.

Again, knowing that "bad-domain.com" is bad really doesn't help you if 
there is *never* another message from that domain.  You never get to 
check against SPF records.

> You know, doing with domain names what we've been doing with IP
> addresses for years. 

One of the reasons that IP addresses work for these checks is that 
somebody other than the spammer controls them.  Anybody can just 
register a new domain, but to get connectivity, you must have an IP 
address, and that's limited by the providers you can use.

> As for current spam tests being able to detect forgeries, the only
> ones I know of focus on a few big names.  Do you know of any "current
> spam test" that can detect forged mail claiming to be from
> speed.net? 

SpamAssassin has tests for bad Message-IDs, Message-IDs added by a 
relay, "Received" headers that don't look kosher, MUA identifiers that 
aren't right, etc.  They don't catch everything, but they often add 
enough score to push things into the "just discard it" category.


--
Jeff Rife           |
SPAM bait:          | http://www.nabs.net/Cartoons/Dilbert/LostPassword.gif
AskDOJ at usdoj.gov |
spam at ftc.gov     |
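
The additive header scoring described in the last paragraph of the message above, as an added example that is not part of the original post and is not SpamAssassin's code. The rule names, weights, threshold, the fictional "ExampleMail" MUA fingerprint and both sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Rule names, weights and threshold are made up for this sketch.
DISCARD_AT = 5.0
MSGID_RE = re.compile(r"^<[^<>@\s]+@([^<>@\s]+)>$")
RECEIVED_RE = re.compile(r"^from\s+\S+.*\sby\s+\S+", re.I | re.S)

def header_score(raw, local_relay):
    """Score one raw message; return (total, names of the rules that hit)."""
    msg = message_from_string(raw)
    hits = {}
    msgid = (msg.get("Message-ID") or "").strip()
    m = MSGID_RE.match(msgid)
    if not m:
        hits["MSGID_BAD"] = 2.5  # missing, or not of the form <local@domain>
    elif m.group(1).lower() == local_relay.lower():
        hits["MSGID_ADDED_BY_RELAY"] = 1.5  # the sender supplied no ID
    # Received[0] was written by our own relay; judge only the older ones.
    older = (msg.get_all("Received") or [])[1:]
    if any(not RECEIVED_RE.match(r.strip()) for r in older):
        hits["RECEIVED_ODD"] = 2.0
    # Assumed fingerprint of a fictional MUA: its IDs always begin "<EM.".
    mailer = msg.get("X-Mailer") or ""
    if mailer.startswith("ExampleMail") and not msgid.startswith("<EM."):
        hits["MUA_MISMATCH"] = 2.0
    return sum(hits.values()), sorted(hits)

def verdict(raw, local_relay="mail.example.org"):
    total, _ = header_score(raw, local_relay)
    return "discard" if total >= DISCARD_AT else "deliver"

# Constructed sample messages (documentation domains and addresses).
FORGED = "\n".join([
    "Received: from mx.example.net ([192.0.2.10]) by mail.example.org; Tue, 7 Sep 2004 16:00:00 -0400",
    "Received: qwerty 12345 smtp",
    "Message-ID: <20040907200000.ABC123@mail.example.org>",
    "X-Mailer: ExampleMail 5.0",
    "From: someone@example.com",
    "Subject: hello", "", "body"])
CLEAN = "\n".join([
    "Received: from mx.example.net ([192.0.2.10]) by mail.example.org; Tue, 7 Sep 2004 16:00:00 -0400",
    "Received: from client.example.com ([198.51.100.7]) by mx.example.net; Tue, 7 Sep 2004 15:59:58 -0400",
    "Message-ID: <EM.1234@client.example.com>",
    "X-Mailer: ExampleMail 5.0",
    "From: someone@example.com",
    "Subject: hello", "", "body"])

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("clean", CLEAN)):
        print(name, header_score(raw, "mail.example.org"), verdict(raw))
```

No single rule reaches the threshold in this sketch; the forged sample is discarded only because three independent hits add up.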



