Re: CRIME Citibank e-mail scam

From: Joe St Sauver (JOE@private)
Date: Mon Mar 01 2004 - 12:35:20 PST

    Hi Andrew,
    
    #Fred Langa performed an interesting experiment to see just how much of a
    #problem this is for your legitimate email traffic. His methodology was a
    #little flawed, but the results were interesting nonetheless.
    
    Based on what I read in Fred's article, I think he did a number of things
    that increased the probability his mail would end up getting filtered; among
    the most notable is the fact that freetune.com appears to be its own mail 
    exchanger, and that's fine, *except* for the fact that 66.48.80.21 appears 
    to lack a valid in-addr/PTR record. That will hurt deliverability quite a 
    bit. 
    
    Having a from address that includes "free" is also worth a minimum of a 
    point and a half to folks using the default SpamAssassin rulesets 
    (remember, freetune.com was the domain he used); see:
    http://spamassassin.rediris.es/tests.html for a list of other tests that
    may have triggered filtering for his mailing. 
    
    He also picked an unfortunate Subject: line text, "Hello", since a number 
    of viruses also use subject lines such as "Hello" and some sites filter 
    traffic with that Subject: line (for example, Penn State was doing this -- 
    see: http://live.psu.edu/story/5558 ).
    
    I suspect that there were other characteristics to his mail that also ended
    up tripping content-oriented filters, but I couldn't do more than speculate 
    w/o actually seeing specimens of his mailings.
    
    What I find interesting/amusing is that:
    
    -- Fred doesn't "get it" that content based filters are a far bigger issue
       than DNSBLs
    
    -- because of the concentration of email accounts, 40% non-delivery may
       simply be a function of getting blocked by half a dozen of the largest
       ISPs or a couple of the largest filtering appliance companies (such as 
       Brightmail). 
    
    -- some of his problem may be OUTBOUND mail back TO HIM that got filtered,
       rather than mail FROM him getting filtered; his success rate is thus
       really a joint probability function that depends on TWO messages being
       successfully delivered (and I bet you that a LOT of people DID just
       hit reply, regardless of his instructions).
    
    Regards,
    
    Joe
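As an added example (not from Joe's message), a small Python pre-send lint that flags the three deliverability problems he names (no forward-confirmed PTR for the sending host, "free" in the From domain, a worm-style "Hello" subject) and works out the two-way delivery arithmetic from his last point. The DNS table, domain and addresses are constructed stand-ins; the resolver is injected so the check runs offline.

```python
"""Pre-send deliverability lint. Constructed example; the DNS table and
addresses below are placeholders, not data from the original post."""
import math
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Subjects that mass-mailing worms used; some sites dropped mail matching them.
SUSPECT_SUBJECTS = {"hello", "hi", "test"}
# Tokens in the From domain that default SpamAssassin rules of the time scored.
SUSPECT_FROM_TOKENS = ("free",)


@dataclass
class LintResult:
    findings: List[str] = field(default_factory=list)

    def ok(self) -> bool:
        return not self.findings


def fcrdns_ok(ip: str, ptr: Callable[[str], Optional[str]],
              a: Callable[[str], List[str]]) -> bool:
    """Forward-confirmed reverse DNS: PTR(ip) must exist and resolve back to ip."""
    name = ptr(ip)
    return name is not None and ip in a(name)


def lint_message(from_addr: str, subject: str, sender_ip: str,
                 ptr: Callable[[str], Optional[str]],
                 a: Callable[[str], List[str]]) -> LintResult:
    res = LintResult()
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if not fcrdns_ok(sender_ip, ptr, a):
        res.findings.append(f"no forward-confirmed PTR for {sender_ip}")
    for tok in SUSPECT_FROM_TOKENS:
        if tok in domain:
            res.findings.append(f"'{tok}' in From domain {domain}")
    if subject.strip().lower() in SUSPECT_SUBJECTS:
        res.findings.append(f"Subject {subject!r} matches a worm-style subject")
    return res


def implied_one_way_rate(observed_round_trip: float) -> float:
    """If a reply-based survey sees rate r, and outbound and reply legs are
    equally likely to be filtered, each leg delivers with probability sqrt(r)."""
    return math.sqrt(observed_round_trip)


# Constructed DNS table standing in for a live resolver (placeholder values).
FAKE_PTR = {"192.0.2.10": "mail.example.net"}
FAKE_A = {"mail.example.net": ["192.0.2.10"]}
```

Running `lint_message("fred@freetune.example", "Hello", "198.51.100.5", FAKE_PTR.get, lambda h: FAKE_A.get(h, []))` yields all three findings, while a From on `example.net` sent from `192.0.2.10` with an ordinary subject is clean.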
    
    This archive was generated by hypermail 2b30 : Mon Mar 01 2004 - 13:51:20 PST