Mailing List Archive

Is it coincidence?
A rhetorical question. Really an observation. Has SPF reduced the false
bounces?

My domain has been "joe jobbed" so I have been receiving lots of bounces
for emails that I didn't send. I had to switch off the wild card for my
domain and the following grep of the log identifies the "don't accept"
message I put in Sendmail.

Four weeks ago, I received 18,052 attempts to send mail to non-existent
users. Last week, I received 6,400. This week, after three days, it is
only 228.


[alan@mundungus alan]$ su -c "grep -cie "spam.*try.*alan" /var/log/maillo*"
Password:
/var/log/maillog:228
/var/log/maillog.1:6411
/var/log/maillog.2:11221
/var/log/maillog.3:14466
/var/log/maillog.4:18052



--
Alan


( Please do not email me AS WELL as replying to the list. Please
address personal email to alan+1@ as lists@ is not read. A
password autoresponder may be invoked if this email is very old. )

-------
Archives at http://archives.listbox.com/spf-help/current/
Donate! http://spf.pobox.com/donations.html
To unsubscribe, change your address, or temporarily deactivate your subscription,
please go to http://v2.listbox.com/member/?listname=spf-help@v2.listbox.com
RE: Is it coincidence?
Alan,

I noticed the same with me too. It's less than half.

Katie

-----Original Message-----
From: Alan Clifford [mailto:lists@clifford.ac]
Sent: Tuesday, August 31, 2004 11:29 AM
To: spf-help@v2.listbox.com
Subject: [spf-help] Is it coincidence?
RE: Is it coincidence?
It is possible that our domains are not being spoofed
as much. One of my domains was listed as the "first"
host in a multihop email. What I suspect was the real
host to send the spam was the second. Was this your
observation also?

--
Steve

On Tue, 31 Aug 2004, Katie DeCosta wrote:

> Alan,
>
> I noticed the same with me too. It's less than half.
>
> Katie
RE: Is it coincidence?
Well, it could be if someone is using your domain as their spoof because
in SPF implementations the mail gets denied if it fails SPF check, so as
the spammer sends out emails to domains that check your SPF they will
drop the connection at SMTP, not process it and then NDR it.

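The effect described in the reply above, as an added example that is not part of the original thread: a receiver that checks SPF refuses forged mail inside the SMTP dialogue, so no NDR is generated for the forged sender, while one that accepts first and bounces later produces the backscatter Alan was counting. The domain names, addresses, SPF record and the accept-then-bounce receiver model are constructed assumptions.

```python
import ipaddress

# Constructed data: example.org stands in for the forged ("joe jobbed") domain.
# Only the ip4, ip6 and all mechanisms are handled; no DNS lookups are made.
SPF_RECORDS = {"example.org": "v=spf1 ip4:192.0.2.0/24 -all"}
LOCAL_USERS = {"postmaster@rcpt.example"}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
# (envelope sender, recipient, connecting IP): three forged, one genuine.
BATCH = [
    ("alan@example.org", "nobody1@rcpt.example", "203.0.113.7"),
    ("alan@example.org", "nobody2@rcpt.example", "203.0.113.7"),
    ("alan@example.org", "postmaster@rcpt.example", "203.0.113.7"),
    ("alan@example.org", "typo@rcpt.example", "192.0.2.10"),
]


def spf_result(domain, client_ip):
    """Evaluate the envelope sender domain's SPF record for the connecting IP."""
    record = SPF_RECORDS.get(domain, "")
    if record.split()[:1] != ["v=spf1"]:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = term[0] if term[0] in QUALIFIERS else "+"
        name, _, arg = term.lstrip("+-~?").partition(":")
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"


def receive(mail_from, rcpt, client_ip, checks_spf):
    """Return (SMTP reply, address a later NDR is sent to, or None)."""
    if checks_spf and spf_result(mail_from.rpartition("@")[2], client_ip) == "fail":
        # Refused inside the SMTP dialogue: only the connecting client sees it.
        return "550 rejected: SPF fail", None
    if rcpt not in LOCAL_USERS:
        # Accepted, then found undeliverable: the NDR goes to the forged sender.
        return "250 OK", mail_from
    return "250 OK", None


def bounces_to_forged_domain(checks_spf):
    """Count NDRs the owner of example.org receives for BATCH."""
    return sum(1 for m in BATCH if receive(*m, checks_spf)[1] is not None)
```

The one bounce that remains with SPF checking enabled is the genuine message from an authorised host to a mistyped recipient, which is the bounce the domain owner wants to receive.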
Re: Is it coincidence?
At 22:28 +0100 31.08.2004, Alan Clifford wrote:
>A rhetorical question. Really an observation. Has SPF reduced the false
>bounces?
>
>My domain has been "joe jobbed" ... Four weeks ago, I received
>18,052 attempts to send mail to non-existent users. Last week, I
>received 6,400. This week, after three days, it is only 228.

I think it's probably coincidence.

A pharmacy spammer with a large number of domains on Hanaro and
CHINANET-CQ took to forging addresses at two of my domains. The
pattern was that I'd see a flurry of bounces for a few days, then
nothing, then a new burst.

My guess is that the selection of domains is random and done on a
per-batch basis. It could simply be that your spammer has moved on to
abusing other domains. It could even be that whatever ratware he's
using actually has a 'Fetch domains to forge' option: perhaps for his
first runs, he had only collected a small pool of domains to fake but
as the weeks went by his ratware gradually accumulated a bigger set,
making it less likely that yours would be drawn out of the hat.

Incidentally, I set up SPF records for one of my domains but not the
other (I'm the only user at the first domain; by contrast, the second
has a number of users who quote addresses at that domain in their
'From:' lines but use their own SMTP gateways, making it harder to
set up SPF records that cover all the possible hosts they might use).
If forge-bounces from the first domain had dropped to nothing while
continuing to arrive for the second one, then I'd have to concede
that you were right and that SPF did play a part. As it is, both have
dropped to nothing for the moment, so it's hard to draw any real
conclusions.

My guess, however, would be that it has more to do with the random
choices made by the spammer's ratware than with SPF records.

It would be ironic though if it turned out that spammers were among
the early adopters of SPF, deploying SPF-aware software long before
the ISPs. ;-)

Angus
--
Business: http://www.nomadcode.com/ Personal: http://www.raingod.com/angus/
Political: http://www.gollum2004.com/ Weblog: http://www.disoriented.net/

Re: Is it coincidence?
On Tue, 31 Aug 2004, Angus McIntyre wrote:

AM>
AM> My guess, however, would be that it has more to do with the random
AM> choices made by the spammer's ratware than with SPF records.
AM>
AM> It would be ironic though if it turned out that spammers were among
AM> the early adopters of SPF, deploying SPF-aware software long before
AM> the ISPs. ;-)
AM>

Ha, it wouldn't surprise me at all that the spammers were more innovative
than ISPs.


--
Alan


Re: Is it coincidence?
Sorry for the late reply. I was getting hijacked
on a few domains that were not really in use, so to
get back at the spammers, I just deleted the zone
files for those domains. I have not checked recently,
but I know my sendmail rejects e-mails where the
sender's domain does not exist.

Too bad that the latest hijack that they did was
against my sister's commercial web site :-(
--
Steve

Re: Is it coincidence?
Alan Clifford wrote:

> A rhetorical question.

A real answer: Same here (1000 vs. 0 per day). Bye, Frank


Re: Re: Is it coincidence?
On Fri, 10 Sep 2004, Frank Ellermann wrote:

FE> Alan Clifford wrote:
FE>
FE> > A rhetorical question.
FE>
FE> A real answer: Same here (1000 vs. 0 per day). Bye, Frank
FE>
FE>

Having read articles over the past couple of days that the spammers have
adopted SPF, then I guess that it is a coincidence. It is not my SPF that
has had the effect but, maybe, it is the adoption of SPF by spammers to
legitimize mail that has caused them to abandon my domain for their
spamming. With the result that I don't get the 18000 false bounces per
week. Pure speculation of course.

Interestingly, hits on my name server for the non-positive SPF matches have
decreased from 256 the week before last to 16 last week (although I guess
that DNS caching means that these figures are lower than reality).

--
Alan
