
Re: [Asrg] SPF is only useful to dupe the ignorant...



At 3:43 PM -0400 9/10/04, Barry Shein wrote:
Spammers no longer use static domains, and they haven't for years.

Some still do, but they are untouched by SPF anyway.

Spammers use ZOMBIE PCs.

Yes, and those are quite hard to get into SPF records.

These are virus-infected PCs which let spammers do whatever they like
with them, such as cause those PCs to send out millions of e-mail
messages.

So, you get an e-mail from viagra at adsl-24-73-19-222.att.net and it's
SPF OK.

Why would AT&T create an SPF record for that name?

The more common scenario NOW is that the mail is offered with an envelope sender in some other domain. For many months one persistent zombie spammer seemed fixated on using msn.com addresses. In digging through the few of these that get past the Spamhaus XBL and my local list, the latest example shows these headers:

Return-Path: creechalyse at verizon.net
Received: from adsl-67-126-181-243.dsl.lsan03.pacbell.net ([67.126.181.243] verified)
    by sc1.scconsult.com (Stalker SMTP Server 1.8b9d14)
    with SMTP id S.0000673452 for <bill at scconsult.com>; Wed, 08 Sep 2004 21:05:55 -0400


I find it extremely unlikely that Verizon is ever going to create a SPF record including an LA dynamically-assigned DSL address owned by SBC.

More likely is that the spammers using zombies will follow the Atriks example and create DNS records in their own domains pointing at their hijack victim machines.

The trick to handle that is not obvious, but works great in a reactive way: don't let your MTA resolve names served by the slimeballs.

--
Bill Cole
bill at scconsult.com


_______________________________________________
Asrg mailing list
Asrg at ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
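The three cases discussed in the message above, as an added sketch that is not part of the original post or of any SPF library: a forged envelope sender in a provider's domain, a sender domain whose own SPF record lists a hijacked host, and the reactive refusal to resolve names served by listed nameservers. All domains, addresses, records and the `REFUSED_NS` list are constructed, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed data standing in for DNS (documentation-range names and addresses).
SPF = {
    "isp.example": "v=spf1 ip4:192.0.2.0/24 -all",        # legitimate provider
    "spammer.example": "v=spf1 ip4:198.51.100.77 -all",    # lists a hijacked host
}
NS = {
    "isp.example": ["ns1.isp.example"],
    "spammer.example": ["ns1.slimeball.example"],
}
REFUSED_NS = frozenset({"ns1.slimeball.example"})  # local list, maintained reactively
RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, refused_ns=frozenset()):
    """Return the SPF record, or None if absent or served by a refused nameserver."""
    if any(ns in refused_ns for ns in NS.get(domain, [])):
        return None  # behave as if the name does not resolve
    return SPF.get(domain)


def check_spf(client_ip, envelope_sender, refused_ns=frozenset()):
    """Evaluate only the ip4 and all mechanisms; other mechanisms are skipped."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = lookup_spf(domain, refused_ns)
    if not record or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in RESULT else "+"
        mech = term.lstrip("+-~?")
        if mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            matched = mech == "all"
        if matched:
            return RESULT[qualifier]
    return "neutral"


if __name__ == "__main__":
    zombie = "198.51.100.77"
    print(check_spf(zombie, "forged@isp.example"))                # fail
    print(check_spf(zombie, "offer@spammer.example"))              # pass
    print(check_spf(zombie, "offer@spammer.example", REFUSED_NS))  # none
```

With the nameserver refused, the sender domain looks unresolvable, so an MTA configured to require a resolvable sender domain (an assumption about local policy) can reject the message regardless of the published SPF record.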