Consider this to be constructive as I'm still on the fence about the whole thing.

I've been seeing more and more zombie spam that is coming from the client computer using an address on their ISP, and sent through the ISP's mail server. I'm not seeing a lot of it, but it is most definitely happening.

It's my belief that they are doing this in order to degrade the effectiveness of spam traps by getting ISP mail servers listed. There is certainly evidence of that in both SORBS and FIVETEN. Before it was generally things like ISP gateways used only for forwarding E-mail, like AT&T's gateways which seem perma-listed in some RBLs, but now that trend is growing. I think that DSBLMULTI also suffers from this by marking the ISP's servers as multi-hop open relays for accepting E-mail from their own customers. I would imagine that SMTP Auth might mitigate this, but that's not generally how ISPs work. Spammers know that the safest IP is a big ISP mailserver's IP, because if you block that, you are primarily blocking legitimate traffic, and therefore it will avoid RBL detection for the most part.

So despite the issues with human nature where individuals can post whatever blocks they want for SPF, and as has occurred, those blocks have been utilized unknowingly which listed client computer addresses on broadband and dial-up service providers, there are also issues with zombies relaying E-mail through legitimate mail hosts, and this could become a much bigger problem (I expect it to).

Am I missing something here? Could SPF not only be ill-advised, but also detrimental as a whole? Inquiring minds want to know.

Matt




Bill Landry wrote:


AOL has signed on to SPF, and as a result I have seen a huge jump in the
pass/fail entries in my spf.log today associated with aol.com addresses.
Also, Postfix will be adding support for SPF in its soon-to-be-released 2.1
version.  These kinds of things will certainly accelerate SPF adoption.

Bill



