Re: Why so much Hotmail spam lately (was Re: [Mimedefang] Adding support for learning our addresses)

2006-01-31 Thread Joseph Brennan



--On Tuesday, January 31, 2006 10:54 -0500 [EMAIL PROTECTED] wrote:


> But wouldn't it be in Microsoft's best interest to prevent their servers
> from being used to spam?



Tangent inspired by the above question:

Consider this host, which sends mail from Microsoft employees:


Received: from smtphost1.microsoft.com ([131.107.3.116])
   by mx.gmail.com with ESMTP id 8si3854684wrl.2006.01.27.18.04.33;
   Fri, 27 Jan 2006 18:04:33 -0800 (PST)



No reverse DNS.
HELO smtphost1.microsoft.com, but that's the name of 131.107.1.101.
So, it looks like scam mail supposedly from Microsoft.

But 131.107.3.116 is in their _spf-a.microsoft.com SPF record.  Oh, I
get it.  We use SPF or our filter misfires.  Pretty risky stance for
them to take with their own employees' mail.


Joseph Brennan
Columbia University Information Technology
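
The two host-identity observations in the message above (no reverse DNS, HELO name belonging to a different address), written out as a check over the quoted Received header. This is an added example, not part of the original post or of MIMEDefang. The `FORWARD` table is constructed from what the post reports and stands in for live DNS lookups, the function names are hypothetical, and the header layout (PTR name, when there is one, placed before the bracketed address) is an assumption.

```python
import re

# Forward (A) lookups as the post reports them; a constructed table standing
# in for live DNS queries.
FORWARD = {"smtphost1.microsoft.com": {"131.107.1.101"}}

# The header quoted in the message above.
RECEIVED = (
    "Received: from smtphost1.microsoft.com ([131.107.3.116])\n"
    "   by mx.gmail.com with ESMTP id 8si3854684wrl.2006.01.27.18.04.33;\n"
    "   Fri, 27 Jan 2006 18:04:33 -0800 (PST)"
)

# Assumed layout: "from HELO (ptr-name [ip])", or "from HELO ([ip])" when the
# receiving MTA found no PTR record for the client address.
FROM_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)",
    re.IGNORECASE,
)


def parse_received(header):
    """Extract HELO name, recorded PTR name (or None) and client IP."""
    m = FROM_RE.match(header)
    if m is None:
        return None
    return {
        "helo": m.group("helo").lower().rstrip("."),
        "rdns": (m.group("rdns") or "").lower().rstrip(".") or None,
        "ip": m.group("ip"),
    }


def host_findings(header, forward=FORWARD):
    """List the identity checks the connecting host fails."""
    hop = parse_received(header)
    if hop is None:
        return ["unparsed"]
    findings = []
    if hop["rdns"] is None:
        findings.append("no-rdns")
    elif hop["ip"] not in forward.get(hop["rdns"], set()):
        findings.append("rdns-not-forward-confirmed")
    if hop["ip"] not in forward.get(hop["helo"], set()):
        findings.append("helo-does-not-resolve-to-client")
    return findings
```
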


___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


Re: Why so much Hotmail spam lately (was Re: [Mimedefang] Adding support for learning our addresses)

2006-01-31 Thread Les Mikesell
On Tue, 2006-01-31 at 09:54, David F. Skoll wrote:

> > It would seem that they would see high levels of traffic coming from bots 
> > that they could throttle/reject.
> 
> I wouldn't be surprised if more sophisticated bots use zombie networks to
> log on to Hotmail and send mail via their Web interface.  I think it would
> be pretty hard to notice an anomaly against all their regular traffic.

They may be learning to distribute the load across a large number
of hosts to keep it low enough to stay undetected.  I've noticed
something similar with ssh dictionary attacks for a while.  Any
newly exposed address is hit fairly quickly but only gets a few
attempts per hour.

-- 
  Les Mikesell
   [EMAIL PROTECTED]




Re: Why so much Hotmail spam lately (was Re: [Mimedefang] Adding support for learning our addresses)

2006-01-31 Thread David F. Skoll
[EMAIL PROTECTED] wrote:

> But wouldn't it be in Microsoft's best interest to prevent their servers 
> from being used to spam?

Maybe, but how would they do it?  Hotmail must have over 60 million
subscribers.  Their outgoing mail volume has to be on the order of
a billion a day.  Filtering that volume of e-mail, or even examining it
for trends, poses some pretty extreme technical difficulties.

> Even from the economic standpoint of reducing the load/number of
> servers required.

It's a heck of a lot cheaper to relay a billion messages than to filter
them.

> It would seem that they would see high levels of traffic coming from bots 
> that they could throttle/reject.

I wouldn't be surprised if more sophisticated bots use zombie networks to
log on to Hotmail and send mail via their Web interface.  I think it would
be pretty hard to notice an anomaly against all their regular traffic.

Regards,

David.


Re: Why so much Hotmail spam lately (was Re: [Mimedefang] Adding support for learning our addresses)

2006-01-31 Thread WBrown
DFS wrote on 01/31/2006 09:57:58 AM:

> Replying to myself...
> 
> I think the reason lots of spammers are abusing Hotmail is this
> note in our incident report:
> 
>  SPF query returned 'pass'

But wouldn't it be in Microsoft's best interest to prevent their servers 
from being used to spam?  Even from the economic standpoint of reducing 
the load/number of servers required.  Not to mention protecting their 
reputation?  Run outbound mail through the same tests they use for MSN, or 
isn't filtering that very good?

It would seem that they would see high levels of traffic coming from bots 
that they could throttle/reject.


Why so much Hotmail spam lately (was Re: [Mimedefang] Adding support for learning our addresses)

2006-01-31 Thread David F. Skoll
Replying to myself...

I think the reason lots of spammers are abusing Hotmail is this
note in our incident report:

 SPF query returned 'pass'

Hotmail publishes SPF records, and I guess spammers hope that a "pass"
will help their mail get through.  I've evolved my thinking on SPF so
I use it as follows:

- For domains that I do not control, I add 5 points for "fail" and 2
  for "softfail".  I never subtract points; I think it's highly dangerous
  to subtract points unless you control the domain.

- For domains that I do control, I subtract 2 points for "pass".  I don't
  add points for fail or softfail, though I guess that wouldn't be dangerous.

Regards,

David.
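
The scoring policy described in the message above, combined with a small SPF evaluation so the effect of a "pass" from a domain you do not control is visible end to end. This is an added example, not code from the original post or from MIMEDefang. The domain names, SPF records and function names are constructed for illustration, and only the `ip4` and `all` mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF records and domain names (not real published records).
SAMPLE_SPF = {
    "freemail.test": "v=spf1 ip4:192.0.2.0/24 ~all",
    "strict.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "ourdomain.test": "v=spf1 ip4:198.51.100.0/25 -all",
}
CONTROLLED = {"ourdomain.test"}  # domains whose SPF record we publish ourselves
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(record, client_ip):
    """Evaluate the ip4/all subset of an SPF record, left to right."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        if name.lower() == "all":
            return QUALIFIERS[qualifier]
        # Mechanisms other than ip4 (include, a, mx, ...) are not evaluated here.
        if name.lower() == "ip4" and arg:
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and there was no "all"


def spf_points(result, sender_domain, controlled=CONTROLLED):
    """Asymmetric scoring from the message above."""
    if sender_domain.lower() in controlled:
        # Our own domain: reward a pass, add nothing for fail or softfail.
        return -2 if result == "pass" else 0
    # Someone else's domain: penalise failures, never subtract for a pass.
    return {"fail": 5, "softfail": 2}.get(result, 0)


def score_message(sender_domain, client_ip, records=SAMPLE_SPF):
    """Return (SPF result, points added to the spam score)."""
    result = spf_result(records.get(sender_domain.lower(), ""), client_ip)
    return result, spf_points(result, sender_domain)
```

With this policy a message that passes SPF for a domain you do not control gets an adjustment of 0, so mail sent through a large provider's own servers gains nothing from the provider's SPF record.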