Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2005/12/21 23:21:04 UTC

sender-valid SMTP callbacks (Re: Does "tuxorama.com" sound familiar to anyone?)

Matt Kettler writes:
> List Mail User wrote:
> > 	tuxorama.com does an SMTP probe for every posting to this list
> > and is one of the very few IPs I have firewalled off.  The probes seem
> > to always come from 81.169.185.26 (now they'll probably change IPs and I'll
> > have to block some other IP or range), so they, while irritating, are very
> > easy to block.  Asking them to stop seems to result in them stopping for
> > a week or so, then beginning again.  They likely have one or more users
> > who subscribe to this list.
> 
> It's almost certainly someone who uses milter-sender. milter-sender does this
> dummy check before accepting mail. It's taking the "verify MX record of envelope
> sender" one step further and verifying the whole address.
> 
> I personally find them rather inoffensive, but then again, I don't find many
> things offensive that some of the right-wing admins go ballistic over.

Hey Matt --

fwiw, I find them pretty inoffensive in and of themselves; however, from a
game-theory point of view, their effects are lousy.

This, and other methods that attempt to fight spam by validating an email
address' validity, don't necessarily try to validate that the email was
*sent* by that address; just that the address exists.

As a result, it forces spammers to use valid From: and MAIL FROM addresses
in their spam.  The easiest source for those, for a spammer, is the address
list they're sending spam *to*.  As a result, the spam recipients now
get not just the spam itself, but also the "blowback" -- bounces, C/R
bounces, "you sent me a spam!" bounces etc.

--j.


Re: sender-valid SMTP callbacks (Does "tuxorama.com" sound familiar to anyone?)

Posted by Kai Schaetzl <ma...@conactive.com>.
Matt Kettler wrote on Wed, 21 Dec 2005 18:16:43 -0500:

> So I don't think this really changes much about spam, aside from perhaps 
> encouraging spammers to clean their lists.

Do they "clean" their lists? It seems to a certain point, yes. Although it 
just seems they push all the stuff out and don't even get notice of what is 
rejected. Over the past months I developed the impression that domains 
which just accept "everything" (no "rejection-type" spam protection at MTA, 
catch-all alias) are attracting more spam and are more likely to be abused 
for joe-jobs than others. But this is only based on a few domains and may 
be coincidence.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com




Re: sender-valid SMTP callbacks (Re: Does "tuxorama.com" sound familiar to anyone?)

Posted by Rick Macdougall <ri...@ummm-beer.com>.
Matt Kettler wrote:
> Realistically, most spam I get seems to be using addresses that are already in
> the spammer's database of "valid" email addresses. While I see a lot of viruses
> using dictionary based MAIL FROM addresses, I see very little spam doing this.
> 
> So I don't think this really changes much about spam, aside from perhaps
> encouraging spammers to clean their lists.

My system would disagree with you for the last 3 days :)

We've been under a constant bounce bombardment of bounced spams (from 
f*cking idiot admins who can't understand that you do not bounce after 
accepting, sorry for the language) where the majority of user names are 
roger[a-z][a-z]@example.com (where roger is any valid name).

We had one advance MX server that usually ran 32 connections out of 120 
and now we've had to bring on 3 additional servers all running 300 
connections and we've had to turn off SA processing because the incoming 
load is just too high.

I'd really like to take a bat to the knees of the spammer doing this AND 
the mail admins who bounce after accepting.

Just my $0.02

Rick
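
An added example, not part of Rick's post or of any tool named in this thread: one way to triage a bounce flood like the one described, by classifying RCPT attempts and rejecting unknown recipients inside the SMTP session instead of accepting and bouncing later. The log format, the mailbox list, the category names and the reply strings are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample log, one RCPT attempt per line: client_ip MAIL_FROM RCPT_TO
SAMPLE_LOG = """\
192.0.2.10 <> rogerqx@example.com
192.0.2.11 <> rogerab@example.com
198.51.100.7 <MAILER-DAEMON@mx.example.net> alicezz@example.com
203.0.113.5 <bob@example.org> roger@example.com
192.0.2.12 <> roger@example.com
203.0.113.9 <carol@example.org> nosuchuser@example.com
192.0.2.13 <postmaster@mail.example.net> alicekd@example.com
"""

VALID_USERS = {"roger", "alice"}  # assumption: the site's real mailboxes
DOMAIN = "example.com"

# Null sender or a daemon address: the envelope senders that bounces arrive with.
BOUNCE_SENDER = re.compile(r"^<(?:|(?:mailer-daemon|postmaster)@[^>]*)>$", re.I)
# The pattern from the post: a valid name followed by two lowercase letters.
VARIANT = re.compile(r"^(?P<base>.+)[a-z]{2}$")

def classify(mail_from, rcpt_to):
    """Return (category, base_name) for one RCPT attempt."""
    local, _, domain = rcpt_to.lower().rpartition("@")
    if domain != DOMAIN:
        return "not-local", None
    if local in VALID_USERS:
        return "accept", None
    m = VARIANT.match(local)
    if m and m.group("base") in VALID_USERS and BOUNCE_SENDER.match(mail_from):
        return "backscatter-variant", m.group("base")
    return "unknown-user", None

def smtp_reply(category):
    """Reject at RCPT time, so this host never accepts mail it must later bounce."""
    return "250 2.1.5 OK" if category == "accept" else "550 5.1.1 Recipient rejected"

def summarize(log_text):
    """Count categories and the valid names the forged variants are built on."""
    categories, bases = Counter(), Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines
        category, base = classify(fields[1], fields[2])
        categories[category] += 1
        if base:
            bases[base] += 1
    return categories, bases

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
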



Re: sender-valid SMTP callbacks (Re: Does "tuxorama.com" sound familiar to anyone?)

Posted by Matt Kettler <mk...@evi-inc.com>.
Justin Mason wrote:

> 
> Hey Matt --
> 
> fwiw, I find them pretty inoffensive in and of themselves; however, from a
> game-theory point of view, their effects are lousy.
> 
> This, and other methods that attempt to fight spam by validating an email
> address' validity, don't necessarily try to validate that the email was
> *sent* by that address; just that the address exists.

True.. I don't defend it as a particularly effective or valid method, but I also
am not bothered by empty connections checking to see if an address is deliverable.

Realistically, this is a very minor problem. Compared to the six-billion other
network abuse attempts I get here each week, these are very much in the noise.

It makes me wonder how closely such admins watch their systems. There's a lot
more worrisome stuff going on out there than this.

> As a result, it forces spammers to use valid From: and MAIL FROM addresses
> in their spam.  The easiest source for those, for a spammer, is the address
> list they're sending spam *to*.  As a result, the spam recipients now
> get not just the spam itself, but also the "blowback" -- bounces, C/R
> bounces, "you sent me a spam!" bounces etc.

Realistically, most spam I get seems to be using addresses that are already in
the spammer's database of "valid" email addresses. While I see a lot of viruses
using dictionary based MAIL FROM addresses, I see very little spam doing this.

So I don't think this really changes much about spam, aside from perhaps
encouraging spammers to clean their lists.