Text 594, 313 lines
Written 2004-09-14 16:37:52 by Rich (1:379/45)
Comment on text 587 by Geo. (1:379/45)
Subject: Re: Spammers faster than the good guys....
==================================================
From: "Rich" <@>
You didn't even make any attempt to reply to my message. Try again this time explaining why it is beneficial for a spammer to behave as you suggest instead of the simpler alternatives that do not require this additional liability.
Rich
"Geo." <georger@nls.net> wrote in message news:41477891@w3.nls.net...
How do you figure? You think a spammer doesn't have a hundred domains that can't be tracked back to him?
Rich, have you (in the past year or two) even tried to track down a spammer?
Ok example, pretend for a minute the MX points to you and you don't know the owner and track down the bounces from doh@theyscrewedusagain.com and that's a .COM, you should try it with a .INFO
Geo.
"Rich" <@> wrote in message news:4144aa77$1@w3.nls.net...
Again you make this silly suggestion. Why would a spammer do something like this that provides a traceable record that is a legal liability for them. They should just as easily have no MX record or an MX record that points to an invalid IP. Both of which have the same effect of mail to their domain not being deliverable which is all you claim they want. It's one thing to create a liability by spammer for which they derive revenue. It's another to create one which provides liability only.
Rich
"Geo." <georger@nls.net> wrote in message news:4144a563$1@w3.nls.net...
"John Beckett" <FirstnameSurname@compuserve.com.omit> wrote in message news:4144309b.40375046@216.144.1.254...
> However, no one has given any hint of a reason why SPF won't reduce a lot
> of back-scatter.
Ok you want it explained, I can do that.
What is the reason backscatter exists? I mean why don't spammers use domains from their unlimited supply of domains instead of pretending to be from mike's domain?
The reason is simple, many email servers have to accept an email for delivery before they can run a spam filter on it. And for some reason many, once they run a filter on it and decide it's spam they try to return it to the source instead of just deleting it.
Now the spammers want to know if an address doesn't exist so they can keep their lists up to date, but when a filter blocks spam that tells them nothing about if the address exists or not so there is no value in accepting these returns. In fact it's a waste of their bandwidth and cpu to even try to deal with backscatter.
So they spam in a way that someone else has to deal with it. Up until SPF that was quite simple, they just use a different domain name for the FROM address.
Ok now along comes SPF, what do you think the spammers are going to accept their own backscatter now? Hardly, all they are going to do is set the SPF record for their domain to point to the source of their spam so it's accepted like before and then set the MX record to point to some mail server where they can dump the backscatter. It's like hardly any extra work for them to do this and all it costs them is a few DNS queries to DNS servers that are probably hosted on compromised machines anyway.
What I'm saying is if SPF reaches a level of acceptance that it actually has an annoyance factor to the spammers, they can make a simple change to their methods and SPF becomes meaningless as far as a solution for backscatter
Here this is how difficult it is:
Entries for a domain bytemyshorts.info
txt record "v=spf1 ip4:1.1.1.1/1 ~all"
MX records point to
131.107.3.125
131.107.3.124
131.107.3.122
131.107.3.123
131.107.3.126
131.107.3.121
Ok I just defined half the planet as a possible source for my spam so using all my compromised hosts will be no problem and all my bounces are going back to microsoft's mail servers just like I had used an @microsoft.com return email address.
I can make the same entries for bytemyshorts1.info thru bytemyshorts1000000.info
Now what protection has SPF provided for Microsoft? All I see is that it protects the name "microsoft.com". It's a copyright/trademark protection mechanism for high value domains and not much else. Nobody else can use microsoft.com but beyond that it provides no significant protection of the email system.
Geo.
--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
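
An added example, not part of the original posts: a small Python audit a receiving mail operator could run to measure how much of the IPv4 address space a published SPF record authorizes, applied to the `ip4:1.1.1.1/1` record quoted in the thread. The function name `audit_spf` and the /16 threshold are assumptions of this sketch, and only `ip4` and `all` terms are evaluated because the other mechanisms need DNS lookups.

```python
import ipaddress

IPV4_SPACE = 2 ** 32
MIN_PREFIX = 16  # assumed policy: an ip4 range wider than a /16 is suspicious


def audit_spf(record, min_prefix=MIN_PREFIX):
    """Return (fraction of IPv4 space given an SPF pass, list of findings).

    Only ip4 and all terms are evaluated; a, mx, include and exists need DNS
    lookups and are skipped, as are terms that do not result in "pass".
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    passing, findings = [], []
    for term in terms[1:]:
        qualifier = "+"  # a term without a qualifier means "pass"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if qualifier != "+":
            continue
        if name.lower() == "all":
            passing.append(ipaddress.ip_network("0.0.0.0/0"))
            findings.append("+all authorizes every sender")
        elif name.lower() == "ip4":
            try:
                # strict=False accepts host bits, e.g. 1.1.1.1/1 -> 0.0.0.0/1
                net = ipaddress.IPv4Network(value, strict=False)
            except ValueError:
                findings.append(f"malformed ip4 term: {value!r}")
                continue
            passing.append(net)
            if net.prefixlen < min_prefix:
                findings.append(f"ip4:{value} covers {net} "
                                f"({net.num_addresses} addresses)")
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(passing))
    return covered / IPV4_SPACE, findings


if __name__ == "__main__":
    samples = [
        'v=spf1 ip4:1.1.1.1/1 ~all',       # record quoted in the message above
        'v=spf1 ip4:192.0.2.0/24 -all',    # constructed: documentation range
    ]
    for rec in samples:
        fraction, notes = audit_spf(rec)
        print(f"{rec!r}: {fraction:.4%} of IPv4 authorized; {notes or 'ok'}")
```

A filter can use the returned fraction as a scoring input, treating an SPF pass from a record that authorizes a large share of the address space as carrying little weight.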