> On 11 Dec 2022, at 21:41, Michael Thomas <m...@mtcc.com> wrote:
> 
> 
> 
> On 12/11/22 1:16 PM, Murray S. Kucherawy wrote:
>> On Sun, Dec 11, 2022 at 1:11 PM Michael Thomas <m...@mtcc.com 
>> <mailto:m...@mtcc.com>> wrote:
>>  
>>> As for resolution: the first obvious one is to not send spam in the first 
>>> place. That is the root of the problem. The second is that Bcc's can be 
>>> treated with more suspicion. Neither of these needs the working group to do 
>>> anything.
>>> 
>>> 
>>> I think this is easier said than done.  In the example I gave, "don't send 
>>> spam in the first place" reduces to "make sure your users are 100% 
>>> trustworthy or that your outbound spam filters are 100% accurate", which 
>>> strikes me as an impossible bar to meet.
>> I'm going to assume that the attackers will need to iterate to find a piece 
>> of mail that passes their filters. That is signal right there that abuse is 
>> likely. Perhaps an exponential backoff could be employed when outbound spam 
>> is detected. Sort of like a 4xx "try later".
>> 
>> That's easy to evade: Come from a rotating pool of IP addresses, using a new 
>> free account each time.
> Sure. I guess the question is how much effort would spammers be willing to 
> expend before trying some other tactics?

Quite a bit, actually. I remember sitting in a 17th floor conference room on 
Market Street with a particular sending organization that explained to me their 
business model was to have a boiler room full of people iterating through 
content and trying to deliver it to their own mailbox at hotmail.com 
<http://hotmail.com/>. When they found text that got through, they sent that 
until the filters caught up, then moved on to the next piece of content. They 
started this at 5pm Pacific time and would spam all night. They did this every 
day. That was 2007 or so (said company was sued into oblivion by the FTC not 
long after that conference room meeting). 

The amount of energy spammers expend to bypass filters is significant. That 
includes bypassing port25 blocks. For instance, I’m aware of a company using 
BGP routing tricks to host their outbound spam cannons on major cloud providers 
(that block port25 by default). The IPs are treated as throwaway and they burn 
and turn them when they get too blocked. 

> Can we even quantize what the value of, say, a signed gmail piece of email 
> is?  I think that's a basic question that needs to be answered before we 
> declare this a problem. I for one am all ears as "DKIM gives you better 
> deliverability" has always been a sort of squishy statement. 

This is one of those questions that is, IMO, unanswerable for a lot of reasons. 
The biggest of which is: the value to whom? 

>> 
>> But the BCC aspect is interesting too. Don't providers already view things 
>> with massive rcpt-to (bcc's) suspiciously?
>> 
>> That's easy to evade: Send a spam message to yourself only. That has the 
>> signature. Now capture that from your inbox and replay it from a different 
>> server to any number of recipients, using any number of envelopes, to your 
>> heart's content. Won't pass SPF, but it passes DKIM. If the receiver values 
>> DKIM more, or only cares if one passes, you win.
>> 
> No, I mean that if the number of RCPT-TO's is large, it's suspicious. Even if 
> they do individual SMTP transactions it will have the same (signed) 
> Message-Id so that's not evadable either in theory. 
> 
Interesting thought. 

laura

-- 
The Delivery Experts

Laura Atkins
Word to the Wise
la...@wordtothewise.com         

Email Delivery Blog: http://wordtothewise.com/blog      
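The replay scenario discussed in the thread (one self-addressed, DKIM-signed message captured and re-injected from other servers to many envelope recipients) and the proposed receiver-side counter (correlating transactions that carry the same signed Message-Id) can be sketched as a small detector. The code below is an added illustration, not part of the list discussion or anyone's production filter. It assumes a receiver that records, per SMTP transaction, the client IP, the envelope recipients and the message's DKIM-Signature header; the DKIM header, domain, IPs and addresses in it are constructed sample values. It keys on the signing domain plus the b= signature value, which a replayed copy necessarily carries unchanged, and separately reports whether Message-ID is inside the signed header set (the h= tag), since an unsigned Message-ID can be rewritten by the replayer.

```python
"""Receiver-side DKIM replay fan-out detector (constructed example).

A replayed DKIM-signed message reaches a receiver with the same signing domain
(d=) and the same signature value (b=) no matter how many envelopes or client
IPs it is pushed through. Counting distinct envelope recipients and distinct
client IPs per (d=, b=) exposes the fan-out that the thread describes.
"""
import re
from collections import defaultdict


def parse_dkim_tags(header_value: str) -> dict:
    """Split a DKIM-Signature value into its tag=value pairs (RFC 6376 syntax).

    Folding whitespace inside values (common in b= and h=) is stripped.
    """
    tags = {}
    for part in header_value.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = re.sub(r"\s+", "", value)
    return tags


def signed_header_names(tags: dict) -> set:
    """Header field names covered by the signature, from the h= tag."""
    return {h.lower() for h in tags.get("h", "").split(":") if h}


def message_id_is_signed(tags: dict) -> bool:
    """True when Message-ID is part of the signed header set."""
    return "message-id" in signed_header_names(tags)


class ReplayTracker:
    """Tracks fan-out of each distinct signature across SMTP transactions."""

    def __init__(self, max_recipients: int = 20, max_client_ips: int = 3):
        self.max_recipients = max_recipients
        self.max_client_ips = max_client_ips
        # (signing domain, signature value) -> seen recipients and client IPs
        self.seen = defaultdict(lambda: {"rcpts": set(), "ips": set()})

    def observe(self, dkim_sig: str, envelope_rcpts: list, client_ip: str) -> dict:
        """Record one SMTP transaction and return a verdict for it."""
        tags = parse_dkim_tags(dkim_sig)
        key = (tags.get("d", "").lower(), tags.get("b", ""))
        entry = self.seen[key]
        entry["rcpts"].update(r.lower() for r in envelope_rcpts)
        entry["ips"].add(client_ip)

        reasons = []
        if len(entry["rcpts"]) > self.max_recipients:
            reasons.append("recipient-fanout")   # same signature, many RCPT TOs
        if len(entry["ips"]) > self.max_client_ips:
            reasons.append("multi-source")       # same signature, many senders
        return {
            "key": key,
            "recipients": len(entry["rcpts"]),
            "sources": len(entry["ips"]),
            "message_id_signed": message_id_is_signed(tags),
            "suspicious": bool(reasons),
            "reasons": reasons,
        }


# Constructed sample signature: example.com, with Message-ID in h=, and
# placeholder hash/signature values (not a real signature).
SAMPLE_DKIM = (
    "v=1; a=rsa-sha256; d=example.com; s=sel2022; c=relaxed/relaxed; "
    "h=from:to:subject:date:message-id; bh=CONSTRUCTEDBODYHASH=; "
    "b=CONSTRUCTEDSIGNATUREVALUE="
)


def run_demo() -> tuple:
    """Original self-addressed delivery, then replays from five other hosts."""
    tracker = ReplayTracker()
    # The legitimate transaction: one recipient, the signer's own outbound IP.
    first = tracker.observe(SAMPLE_DKIM, ["spammer@example.com"], "192.0.2.10")
    last = first
    # Constructed replays: each from a new client IP to ten fresh recipients.
    for i in range(5):
        rcpts = [f"victim{i}-{j}@example.net" for j in range(10)]
        last = tracker.observe(SAMPLE_DKIM, rcpts, f"198.51.100.{i}")
    return first, last


if __name__ == "__main__":
    first, last = run_demo()
    print("first transaction:", first)
    print("after replays:   ", last)
```

Thresholds here are illustrative; a real deployment would tune them per signing domain and would also need to bound memory (expire entries by the signature's x= tag or a fixed window), since this in-memory table grows with every distinct signature seen.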
_______________________________________________
Ietf-dkim mailing list
Ietf-dkim@ietf.org
https://www.ietf.org/mailman/listinfo/ietf-dkim