


Re: SPF? DKIM? spammers can do them too

From Ivan Shmakov <ivan@siamics.net>
Newsgroups comp.mail.misc, news.admin.net-abuse.email
Subject Re: SPF? DKIM? spammers can do them too
Date 2016-10-07 16:55 +0000
Organization A noiseless patient Spider
Message-ID <87twco6qvm.fsf@violet.siamics.net> (permalink)
References <87vax8xfdm.fsf@violet.siamics.net> <alpine.OSX.2.20.1610051855120.25085@mako.ath.cx>

Cross-posted to 2 groups.



>>>>> David Ritz <dritz@mindspring.com> writes:
>>>>> Ivan Shmakov <ivan@siamics.net> wrote:

	[Be warned of a few off-topic bits below.]

 > [ news.admin.net-abuse.email added to cross-post ]
 > [ alt.spam stripped as group only sees spam, spam, spam and more spam ]

	While I understand the evil of sending spam to a high S/N ratio
	group, the above seems to suggest there's something wrong with
	doing it the other way around.  Which is especially strange
	given that (a) n.a.n.email's own S/N doesn't seem all that high,
	and (b) alt.spam occasionally sees a legitimate message, too
	(say, news:o2avsbphgb19dna8fv03b9r79i3dh6qace@4ax.com.)

	(... And also (c) apparently, Aioe blocks crossposts to n.a.n.e;
	presumably due to ongoing abuse?)

 > [ alt.spam.sightings stripped as bogus (newgrouped by Jamie Baillie) ]
 > [ <ftp://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz> ]

	FTP is pretty much obsolete.  For one thing, requiring two
	TCP connections per "session" means trouble passing them through
	Tor, NAT, SOCKS, etc.  And having three separate transfer modes
	(at the least) doesn't help interoperability, either.

	That said, the same resource is available via HTTP, too:

    http://ftp.isc.org/pub/usenet/control/alt/alt.spam.sightings.gz

 > [ posted and mailed ]

	Why?

 >> To put it short, for about a month, I see a new kind of spam coming
 >> to (strangely) just one of my (many) mailboxes.  This one has
 >> DKIM-Signature: (and DomainKey-Signature:) headers in place, comes
 >> from domains with SPF and MX DNS records properly set up, and,
 >> overall, apart from its "unsolicited nature," looks just like
 >> legitimate email.  (IPs and MAIL FROM: data shown below.)

 > Neither SPF nor DKIM say anything about whether mail is unsolicited
 > and bulk.  These are forgery abatement measures.  The only things
 > which might be determined from SPF and DKIM is whether or not mail
 > originated via a sender allowed host; nothing more, nothing less.

	Yes.  Still, both somehow get advertised as "counter-spam"
	measures.

	Not that they fail to work that way: my logs have some
	occurrences of the SPF check yielding a "negative" result, thus
	allowing one to reject the incoming message outright.  Looks like
	a must for the DNS domains not meant to be used for email at all.

	That said, being able to confirm that the message indeed comes
	from a genuine spam-only domain doesn't seem all that helpful.

[...]

 > Of those hosts I checked, which still resolve, most are listed by the
 > psbl.org, barracudacentral.org and/or uceprotect.net DNSbls, with a
 > smattering of SBLCSS (snowshoe) and Spamcop listings.  All indicate
 > the IP addresses you list are spam sources,

	ACK, thanks for the pointers.

 > where SPF and DKIM say that the sending domain is authorized to send
 > via these spammer controlled, dirty IP addresses.

	... For those interested, here's an update for this week.


	FWIW, I hope that whatever software they use to distribute spam
	is /not/ parallelized.  That way, the failure of my MTA to
	produce any TCP response whatsoever (thanks to the plain -j DROP
	in the iptables' INPUT chain) would result in at least some 30 s
	delay (that is: their TCP connection timeout) before the next
	address in the list is tried.

-- 
FSF associate member #7257  58F8 0F47 53F5 2EB2 F6A5  8916 3013 B6A0 230E 334A
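The point made in the exchange above (an SPF "fail" from a domain that never sends mail justifies an outright reject, while an SPF "pass" only says the sending host is authorized and nothing about whether the mail is wanted) can be seen in a small evaluator. This is an added example, not code from the post or from either poster; the SPF records, domain names and IP addresses are constructed from documentation ranges and are not real DNS data, and only the ip4/ip6/all mechanisms needed for this discussion are implemented.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (placeholders, not real domains).
SPF_RECORDS = {
    "nomail.example": "v=spf1 -all",                                   # domain that never sends mail
    "bulk.example": "v=spf1 ip4:192.0.2.0/24 ~all",                    # sender authorizes its own range
    "corp.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of a domain's SPF record for client_ip.

    Returns pass/fail/softfail/neutral/none/permerror in the sense of RFC 7208.
    include, a, mx, exists and redirect are deliberately not handled here.
    """
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                      # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")   # split only at the first colon (keeps IPv6 intact)
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"           # malformed record: treat as a permanent error
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
    return "neutral"                         # nothing matched and no 'all' term was present


def smtp_decision(domain, client_ip):
    """What a receiving MTA can safely do with the result.

    Only an explicit 'fail' justifies rejecting at SMTP time; a 'pass'
    merely confirms the host is authorized, so the mail still goes through
    the usual content and DNSBL filtering.
    """
    if check_spf(domain, client_ip) == "fail":
        return "reject"
    return "accept-and-filter"
```
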



