[Mimedefang] Spammers - was Re: md_check_against_smtp_server and md_graphdefang_log

David F. Skoll dfs at roaringpenguin.com
Wed Mar 27 09:49:24 EDT 2013


On Tue, 26 Mar 2013 23:14:15 -0700 (PDT)
kd6lvw at yahoo.com wrote:

> 1)  When a spammer uses SPF, recipients KNOW the spammer domains and
> servers and automatically block them.

Eventually.  But when spammers register domains and throw them away
after a few hours' use, it can be difficult to keep up.

> Such is most effective with a shared reporting namespace of spammers
> (like spamhaus or spamcop).  Unless they're registering domains with
> stolen credit cards, burning a lot of domains like that is going to
> get expensive, even with the cheapest registration services.

Spam gangs sell spam software and time on botnets to suckers.  If you're
charging someone a few hundred bucks to do a spam run, adding $6 for domain
name registration doesn't significantly affect the economics.

> 2)  Spammers seem to be avoiding spoofing domains that have proper
> SPF records set up,

That's not my feeling.  Taking a look at a couple of hours' worth of
data from one of our scanners, we see:

SPF Pass:
=========
18531 accepted as ham
14622 considered spam

so the correlation between SPF "pass" and non-spam is very mild indeed.

SPF Softfail:
=============
1243 accepted as ham
1343 considered spam

Again quite mild correlation.

SPF Fail:
=========
 68 accepted as ham
553 considered spam

Better correlation, but still a significant FP rate if we outright
rejected SPF Fail mail.

Furthermore, if we look at some of the SPF Fails, we see things like this
(obfuscated to protect the guilty):

2013-03-27T08:30:48.487010-04:00 colo4 CanIt[22686]:
r2RCUlQB029099: what=accepted, stream=user at example.com,
realm=example-com, country_code=NL, linktype=Ethernet or modem,
nrcpts=1, os=Linux, osver=2.6.x, prob=0.0001, relay=x.y.z.a,
score=4.9, sender=NOCInfo at example.org,
tests=T_RP_MATCHES_RCVD:-0.01;SPF(fail:5);DKIM(none:0);RBL(rp-good:-0.1),
subject=Scheduled Task Endpoint Security Scan - Completed

That's from a network monitoring system that sends (by default) from
the domain of the system manufacturer.  Since most people don't bother
changing defaults, millions of these alert mails go out every day and
fail SPF.

Welcome to the IT industry... a giant pile of fail.

Regards,

David.
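To reproduce the SPF-vs-verdict table above from the CanIt log format quoted in the message, here is an added example (not part of the mailing-list post or of CanIt itself). It assumes a spam cutoff on the score= field of 5.0, which is a placeholder for a site-configured threshold, and the three extra log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in the CanIt format quoted above; field names follow
# that example, every value (hosts, senders, scores) is made up.
SAMPLE_LOG = """\
2013-03-27T08:30:48.487010-04:00 colo4 CanIt[22686]: r2RCUlQB029099: what=accepted, stream=user at example.com, realm=example-com, country_code=NL, linktype=Ethernet or modem, nrcpts=1, os=Linux, osver=2.6.x, prob=0.0001, relay=x.y.z.a, score=4.9, sender=NOCInfo at example.org, tests=T_RP_MATCHES_RCVD:-0.01;SPF(fail:5);DKIM(none:0);RBL(rp-good:-0.1), subject=Scheduled Task Endpoint Security Scan - Completed
2013-03-27T08:31:10.000000-04:00 colo4 CanIt[22690]: r2RCVAAB029102: what=accepted, stream=user at example.com, realm=example-com, country_code=US, linktype=Ethernet or modem, nrcpts=1, prob=0.0002, relay=a.b.c.d, score=0.3, sender=list at example.net, tests=SPF(pass:-0.5);DKIM(pass:-0.1), subject=Weekly digest, now with commas
2013-03-27T08:32:44.000000-04:00 colo4 CanIt[22701]: r2RCWiAB029110: what=accepted, stream=user at example.com, realm=example-com, country_code=RU, linktype=Ethernet or modem, nrcpts=1, prob=0.9990, relay=e.f.g.h, score=12.4, sender=promo at example.biz, tests=URIBL_BLACK:4;SPF(pass:-0.5);DKIM(none:0), subject=Cheap pills
2013-03-27T08:33:01.000000-04:00 colo4 CanIt[22705]: r2RCX1AB029115: what=accepted, stream=user at example.com, realm=example-com, country_code=CN, linktype=Ethernet or modem, nrcpts=1, prob=0.9800, relay=i.j.k.l, score=9.1, sender=bank at example.org, tests=SPF(fail:5);DKIM(none:0), subject=Verify your account
"""

# A value runs until the next ", key=", so values with embedded spaces
# ("linktype=Ethernet or modem") and semicolons (tests=...) stay intact.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
SPF_RE = re.compile(r"SPF\((\w+):")
# Assumed spam cutoff for this example; CanIt's real threshold is a
# per-site setting that the message does not state.
SPAM_THRESHOLD = 5.0

def parse_line(line):
    """Return the key=value fields of one CanIt log line as a dict."""
    return dict(FIELD_RE.findall(line))

def spf_result(fields):
    """SPF verdict from the tests= field, or 'none' when no SPF test ran."""
    m = SPF_RE.search(fields.get("tests", ""))
    return m.group(1) if m else "none"

def tally(log_text, threshold=SPAM_THRESHOLD):
    """Count ham/spam per SPF verdict, the table the message shows by hand."""
    counts = defaultdict(lambda: {"ham": 0, "spam": 0})
    for line in log_text.splitlines():
        f = parse_line(line)
        if "score" not in f:
            continue  # not a scoring line
        verdict = "spam" if float(f["score"]) >= threshold else "ham"
        counts[spf_result(f)][verdict] += 1
    return dict(counts)

def reject_fp_rate(ham, spam):
    """Fraction of wanted mail lost if every message in a bucket were rejected."""
    return ham / (ham + spam)

if __name__ == "__main__":
    for spf, c in sorted(tally(SAMPLE_LOG).items()):
        print(f"SPF {spf}: {c['ham']} ham, {c['spam']} spam")
    # The message's own SPF Fail numbers: 68 ham vs 553 spam.
    print(f"FP rate if SPF Fail were rejected: {reject_fp_rate(68, 553):.1%}")
```

Run against a real CanIt log the tally separates the monitoring-system case (SPF fail, low score) from the spam that also fails SPF, which is the distinction the message draws.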


