On Jun 2, 2010, at 12:28 PM, Brett McDowell wrote:

>
> On Jun 2, 2010, at 2:41 PM, Steve Atkins wrote:
>
>>
>> Second...
>>
>> steve$ host -t txt _adsp._domainkey.paypal.net
>> _adsp._domainkey.paypal.net has no TXT record
>> steve$ host -t txt paypal.net
>> paypal.net has no TXT record
>>
>> ... I wasn't going to mention it, but you brought it up. The MX for
>> paypal.net will also give a 2xx response to any RCPT TO in the paypal.net
>> domain.
>
> ...and I wasn't going to mention that I tried to work with you off-list to
> get more information about your phish from paypal.net but you didn't respond.
> If you get a chance, please do send that along.

I did[1]. It looks like your mailsystem is discarding email it shouldn't.
There's a copy at http://tupid.org/paypal1.txt if you can't find it.

It seems that paypal is not currently monitoring phishing, nor doing anything
to deter it, on 99.9% of the domains they own, so have no real idea of what
phishing is going on.

Pointing those thousand domains at a catch-all mailserver with a wildcard MX
and looking for bounces and spamfilter rejections might be a good way of
getting metrics about how phishers respond to domains being owned by paypal
over time. Those same metrics after adding SPF and ADSP records for those
domains over time would be interesting.
http://blog.wordtothewise.com/2010/05/how-to-disable-a-domain/ has some
examples of how to set those up.

That's the sort of data gathering I was suggesting you do, rather than just a
bald count of DNS queries, when I looked at the numbers for my mailbox.
(There's a copy of my raw data at http://tupid.org/paypal1.sql.txt if anyone
is interested in running their own model against it.)

(I'm not going to respond to the other misunderstandings unless someone really
wants me to. I'm guessing most people are long past tl;dr at this point.)

Cheers,
  Steve

[1] May 28 13:54:47 fruitbat postfix/smtp[31990]: DA551814E6: to=<[email protected]>, relay=gort.ebay.com[216.113.167.215]:25, delay=0.74, delays=0.17/0/0.45/0.11, dsn=2.0.0, status=sent (250 ok: Message 769193797 accepted)

_______________________________________________
NOTE WELL: This list operates according to
http://mipassoc.org/dkim/ietf-list-rules.html
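
An added example, not part of the original message or of any participant's code: a small audit of the two TXT lookups quoted above (the domain itself and `_adsp._domainkey.<domain>`) across a list of owned domains. It assumes the target policy for a non-mail domain is `v=spf1 -all` plus ADSP `dkim=discardable`; the domain names, the `SAMPLE_TXT` data and the `lookup_txt` stub are constructed placeholders.

```python
# Constructed sample data (placeholder domains) standing in for live TXT lookups.
SAMPLE_TXT = {
    "parked-one.example": ["v=spf1 -all"],
    "_adsp._domainkey.parked-one.example": ["dkim=discardable"],
    "parked-two.example": ["v=spf1 include:_spf.example.net ~all"],
    "_adsp._domainkey.parked-two.example": ["dkim=unknown"],
    # parked-three.example has no TXT records at all, like the host output above
}

def lookup_txt(name):
    """Hypothetical resolver stub; replace with a real DNS TXT query for live use."""
    return SAMPLE_TXT.get(name.lower(), [])

def spf_policy(txts):
    """Classify the SPF record found among a name's TXT strings."""
    records = [t for t in txts if t.lower().split()[:1] == ["v=spf1"]]
    if not records:
        return "missing"
    if len(records) > 1:
        return "multiple"  # more than one SPF record is a permanent error
    terms = records[0].lower().split()[1:]
    return "deny-all" if terms == ["-all"] else "not-deny-all"

def adsp_practice(txts):
    """Return the value of the ADSP dkim= tag, or 'missing'."""
    for txt in txts:
        tags = {}
        for part in txt.split(";"):
            key, sep, value = part.partition("=")
            if sep:
                tags[key.strip().lower()] = value.strip().lower()
        if "dkim" in tags:
            return tags["dkim"]
    return "missing"

def audit(domain, lookup=lookup_txt):
    """List the gaps between a domain's records and the assumed target policy."""
    findings = []
    spf = spf_policy(lookup(domain))
    if spf != "deny-all":
        findings.append(f"SPF {spf}")
    adsp = adsp_practice(lookup("_adsp._domainkey." + domain))
    if adsp != "discardable":
        findings.append(f"ADSP {adsp}")
    return findings

if __name__ == "__main__":
    for d in ("parked-one.example", "parked-two.example", "parked-three.example"):
        print(d, audit(d) or "ok")
```

Run periodically over the full domain list, the findings give the before and after record state against which bounce and rejection counts can be compared.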
