ram wrote:
On Wed, 2008-07-30 at 09:21 -0500, Ken A wrote:
Arvid Ephraim Picciani wrote:
On Wednesday 30 July 2008 00:55:50 mouss wrote:
Ken A wrote:
Can be a probe too. Accepting mail from that IP with that content says
something about your system. Spammers aren't stupid. They fingerprint us
just like we fingerprint them.
If I was a spammer, I don't see why I would probe you. I understand if
it's filter poisoning, but probing to see if the message will be
accepted is useless. They can just send their spam. If you reject it,
others will accept it, and some will read it, which is exactly what they
want to achieve.
No. Some spammers are a lot more clever than that.
Especially if you sell lists, you usually make sure they are high quality.
This is a low volume probe. Probably to clean out harvested lists.
- They are probing for wrong addresses
(This is why returning 550 imho makes sense and greylisting does not)
- They are probing for backscatterer
All mails would have the same From address, envelope, and helo
of a compromised mailserver.
- They are probing for spamtraps.
Bigger ISPs can probably detect that best,
since the mails would have a pattern.
Of course there is always the possibility that the ratware is simply broken.
shit happens :P
Yes. And also, in any war, consider resource usage.
A simple example: Spammer at any given time may have access to a number
of DNSRBL listed bots, and a number of unlisted bots. With an
understanding of how ISP handles filtering based on a given DNSRBL,
spammer may choose a certain delivery pattern.
How does the spammer come to know his mail is delivered and not
quarantined / deleted / or spam tagged?
If it's a yahoo, google or other freemail address, that's not too hard
to figure out, is it? If it's another email provider, who knows.. many
providers document their anti-spam approach, use very informative bounce
messages, or use easily identifiable products that have certain
behaviors. It certainly isn't possible to learn everything from a probe
email, but it's worth thinking about, imho. Of course we don't want to
give them any ideas either!
Ken
--
Ken Anderson
Pacific.Net