
Re: [Asrg] Some data on the validity of MAIL FROM addresses



On Sun, 2003-05-18 at 03:34, Kee Hinckley wrote:
> Vernon has regularly made the claim that a significant proportion of 
> spam messages have valid MAIL FROM's.  That means that bounces will 
> go to the spammer.  This has significant ramifications for C/R 
> systems (especially auto-respond ones) since it means that should 
> they have to, spammers could respond to challenges.
> 
> To test this theory, I took a day's worth of bounce logs from 
> somewhere.com (2003-05-15).  These should be fairly normal logs. 
> There's been a bit of an upswing from a recent virus attack, but 
> otherwise these are pretty normal bounce logs for somewhere.com. 
> These are for addresses that do not, and have never, existed. 
> Because they got on the spammer's lists primarily because someone 
> entered the address on a web site, they get a mix of "true" spam and 
> just standard bulk mail.  However if the bulkmailers are doing their 
> job, those addresses should be removed fairly quickly.  If they 
> aren't removing on bounces--then they look and smell a lot like 
> spammers.

<snip>

> In general though, it appears that Vernon is correct.  If my sample 
> is representative, a large percentage of spam is coming from real 
> email addresses.
> 
> I'll be making this data (and hopefully live updates to it) 
> available on the web, hopefully in the next few days.

A nice idea, but what we really need is the script you used to analyze
your logs.  Then additional data can be collected at a variety of
locations.  

I realize that there are many on this list who find data collection to
be pointless, but Kee Hinckley has shown this to be incorrect.  Vernon
Schryver's assertions were useless (even if correct) without hard
evidence, and Kee's data is insufficient without wider deployment.

Likewise, Vernon's followup that Kee is analyzing a different statement
than Vernon asserted is a legitimate concern.  The data analysis
methodology should be publicly vetted to ensure that it is providing
meaningful and accurate data.

Paul, is it possible for the www.irtf.org/asrg website to host log
analysis tools?  This is directly applicable to the list of Work Items.

-- 
Fred Bacon <bacon@aerodyne.com>
Aerodyne Research, Inc.
