Agree with your conclusion, but your statement is not quite accurate. Some spammers have in fact developed schemes that involve spoofing the source IP address of TCP sessions, but only where both IP addresses were under spammer control. What some spammers used to do when dialup connections were still common and broadband rare is that they would use a dialup session as the purported source of the packets but really send the bulk of the message from a high-speed connection, with the dialup connection telling the high-speed connection which sequence numbers to employ. I don't know if it is still widely used, but when it was being used the disruption caused to the network was considerably higher than for normal spam, as you can expect.
________________________________
From: [EMAIL PROTECTED] on behalf of Chris Lewis
Sent: Tue 11/11/2008 4:47 PM
Cc: IETF
Subject: Re: IP-based reputation services vs. DNSBL (long)

TS Glassey wrote:
> Matthias
> Any DNS BL Listing process where those listings are based on complaints
> would create this. [spoofed IPs in DNSBLs]

Few DNSBL listing processes rely on "complaints" as you put it. Certainly, none of the popular ones use them extensively, and most refuse them. Eg: the CBL explicitly refuses contributions of complaints.

Most DNSBL listing processes rely _only_ on the peer address of the connection (either direct, or by header insertion by their own trusted systems).

No-one has yet come up with a spam-economy-practical mechanism for spoofing source IP in TCP/IP (SMTP) sessions. There has been much research on the topic, and it all seems to indicate that there isn't one. I'll refer you to papers by Steven Bellovin, Marcus Leech and others.

[UDP packet source IPs are trivially forgeable. But you can't send email by UDP packets. TCP/IP source IP is forgeable, but only at extremely high effort levels - few spammers would be satisfied with a throughput rate of a few spams per week (at most) per bot that works only against some destinations, when the return rate is measured in the single digits per million spams. If TCP/IP source spoofing were to become a spammer-practical method, the Internet has vastly bigger problems than flakey email.]

The two most effective DNSBLs of all (CBL & PBL, both part of Spamhaus Zen) don't look at headers at all. The former takes its IPs directly from the TCP/IP stack of the MTA receiving the email (eg: getpeername()), and the latter is a policy assertion, largely by the verified owner of the IP ranges in question. IP spoofing is effectively impossible in one, and irrelevant to the second.

_______________________________________________
Ietf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ietf
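As an added illustration, not part of either message in this thread, of the point that a list like the CBL keys on the peer address the receiving MTA's TCP stack reports rather than on anything in the message, here is a small loopback demo in Python. It assumes the standard DNSBL query convention (the IPv4 octets reversed under the list's zone name, with an answer in 127.0.0.0/8 meaning "listed"). The zone name zen.spamhaus.org is used only to form lookup names; all lookups go through a constructed in-memory resolver, so nothing touches the network. The message, the claimed address 192.0.0.10 and the listing data are constructed for the example.

```python
"""Added example: DNSBL check keyed on getpeername(), not on message headers."""
import socket
import threading
from ipaddress import ip_address

# Zone name only shapes the query names here; no real DNS is consulted.
DNSBL_ZONE = "zen.spamhaus.org"

# Constructed stand-in for DNS answers: 127.0.0.x means the IP is listed.
SAMPLE_DNSBL = {
    "10.0.0.192." + DNSBL_ZONE: ["127.0.0.2"],  # the address the forged header names
}


def fake_resolver(name):
    """Offline stand-in for an A-record lookup against the DNSBL zone."""
    return SAMPLE_DNSBL.get(name, [])


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Standard DNSBL convention: reverse the IPv4 octets, append the zone.
    1.2.3.4 -> 4.3.2.1.<zone>"""
    addr = ip_address(ip)
    if addr.version != 4:
        raise ValueError("IPv4 only in this example")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolver=fake_resolver, zone=DNSBL_ZONE):
    """Listed iff the zone answers with an address in 127.0.0.0/8."""
    return any(a.startswith("127.0.0.") for a in resolver(dnsbl_query_name(ip, zone)))


def claimed_ip_from_headers(raw):
    """The address a message *claims* in a Received: header (the forgeable path)."""
    for line in raw.splitlines():
        if line.lower().startswith("received:") and "[" in line and "]" in line:
            return line[line.index("[") + 1:line.index("]")]
    return None


def serve_one(listener, result, resolver):
    """Accept one connection, read the message, record the kernel-reported peer."""
    conn, _ = listener.accept()
    with conn:
        peer_ip = conn.getpeername()[0]  # authoritative: from the TCP stack
        data = b""
        while not data.endswith(b"\r\n.\r\n"):  # SMTP-style end-of-data marker
            chunk = conn.recv(4096)
            if not chunk:
                break
            data += chunk
        text = data.decode("ascii", "replace")
        claimed = claimed_ip_from_headers(text)
        result["peer_ip"] = peer_ip
        result["claimed_ip"] = claimed
        result["peer_listed"] = is_listed(peer_ip, resolver)
        result["claimed_listed"] = is_listed(claimed, resolver) if claimed else False


def run_demo(resolver=fake_resolver):
    """Loopback client forges a Received: header naming an unrelated, listed IP.
    Returns what the receiver saw on the wire versus what the header claimed."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    result = {}
    t = threading.Thread(target=serve_one, args=(listener, result, resolver))
    t.start()
    with socket.create_connection(listener.getsockname()) as c:
        # Constructed message: the header lies about where it came from.
        c.sendall(b"Received: from mx.example (mx.example [192.0.0.10])\r\n"
                  b"Subject: test\r\n\r\nbody\r\n.\r\n")
    t.join()
    listener.close()
    return result


if __name__ == "__main__":
    r = run_demo()
    print("peer (getpeername):", r["peer_ip"], "listed:", r["peer_listed"])
    print("header claims:", r["claimed_ip"], "listed:", r["claimed_listed"])
```

Running it shows the receiver keying its decision on 127.0.0.1 (the real peer, unlisted) while the forged Received: header names 192.0.0.10 (listed). A list built from the first value cannot be polluted by anything the sender writes into the message; a list built from the second can.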
