[Mimedefang] OT but interesting hopefully - Spammers embrace email authentication

Kelson kelson at speed.net
Tue Sep 7 20:38:40 EDT 2004


Jeff Rife wrote:
> In the future, 
> though, it'll get worse as more and more servers think a good SPF 
> record but no listing on a blacklist means "OK".  As that happens, 
> expect even faster turnaround on domain names.

Please read the article I linked to, then address this point again.

Anyone who thinks "SPF Pass" is supposed to mean "Not Spam" hasn't been 
paying attention.


>>How does that help if the message-IDs, MUA IDs, etc. all look valid?
> 
> The point is that they *don't* because they *aren't*.

And the natural evolution of spam against systems that detect invalid 
headers is to make them look valid.

> You can do what 
> you want to fake "Received" headers, but my server knows who you really 
> are, and adds enough info to allow SpamAssassin to figure out that the 
> trail is fake.  Same with Message-IDs when SA can figure out the MTAs 
> being used.

I'm not talking about fake headers, I'm talking about real headers, or 
at least fake headers that are consistent.

Suppose that you get a message claiming to be from speed.net.  Suppose 
it's actually been sent using Outlook, or Eudora, or something that 
imitates it well enough that all the headers are typical of "real" mail. 
Now, how can you tell whether it's really from speed.net or not?

Sure, you can look at the Received headers, but only if you know what 
they're *supposed* to look like.  If you've never seen mail from 
speed.net before, and something comes from, say, smtp.popsite.net, you 
have no way of knowing whether that's fake or legitimate.  You can 
guess, but you can't actually *know* unless I tell you somehow.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
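
The point made in the message above, sketched as an added example that is not part of the original post: a receiver can only tell whether a relay such as smtp.popsite.net is legitimate for speed.net if the domain publishes that fact, and an SPF pass says the sender is authorized, not that the mail is wanted. The TXT records, the throwaway domain and the IP addresses are constructed (documentation ranges, not real DNS data), and only the `ip4`, `include` and `all` mechanisms are handled.

```python
import ipaddress

# Constructed TXT records, NOT real DNS data; addresses are documentation ranges.
RECORDS = {
    "speed.net": "v=spf1 ip4:192.0.2.0/24 include:popsite.net -all",
    "popsite.net": "v=spf1 ip4:198.51.100.0/24 -all",
    "throwaway-spam.example": "v=spf1 ip4:203.0.113.7 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, records=RECORDS, depth=0):
    """Evaluate a subset of SPF for a connecting IP and a MAIL FROM domain."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # nothing published: the receiver can only guess
    if depth > 10:
        return "permerror"  # simple guard against include loops
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"  # a mechanism with no qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            inner = check_spf(ip, term[8:], records, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # include target must have a usable record
            matched = inner == "pass"  # only an inner pass counts as a match
        else:
            return "permerror"  # mechanism outside this subset
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no mechanism matched and no "all" term


if __name__ == "__main__":
    cases = [
        ("198.51.100.25", "speed.net"),              # relay the domain vouches for
        ("203.0.113.7", "speed.net"),                # host forging speed.net
        ("203.0.113.7", "throwaway-spam.example"),   # spammer's own domain
        ("203.0.113.7", "unpublished.example"),      # no record at all
    ]
    for ip, domain in cases:
        print(f"{domain:26} from {ip:15} -> {check_spf(ip, domain)}")
```

The third case is the one the thread is about: the throwaway domain passes, so the result is only useful as input to a reputation decision about that domain.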


