[SLL] [Fwd: Delivery Status Notification (Failure)] - joe jobs

[Jules Agee]

Francois Caen wrote:
> On Tue, Feb 17, 2009 at 4:32 PM, Jules Agee <julesa at pcf.com> wrote:
>> I think spammers prefer to target non-SPF domains when spoofing
>> sender addresses.
>
> Is that wishful thinking, or something that has been measured?

Hi Francois,
It's an assumption based on the premise that spammers will behave in
ways that maximize their own self-interest.

Setting up SPF on a domain will reduce the number of MTAs that will
accept a message with a forged From: address in that domain, and will
therefore reduce backscatter by some amount > 0. I don't have hard
numbers on exactly how significant, but I know hotmail, gmail, yahoo,
AOL, and many other servers check for SPF.

Of the spammers who use forged addresses, there must be some number of
them who realize that they will significantly increase the amount of
successfully delivered spam if they choose to pretend they're in a
domain that doesn't have SPF configured. So those "smart" spoofing
spammers will try to reduce their cost and increase their effectiveness
by choosing domains that have not been configured with SPF.

I don't know whether it's been measured, or how effective it is. All I
have is my own anecdotal experience. I haven't been joe jobbed since I
set up SPF on the domains I'm responsible for.

Of course, for all I know spammers aren't joe jobbing people as much as
they used to, and one can't /always/ assume people will act in their own
best interest. Ever hear the joke about two economists walking down the
street? One says to the other: "Say, is that a hundred dollar bill in
the gutter?" The second economist replies: "It can't be. If it was,
someone would have picked it up already."

-Jules

-- 
Jules Agee
System Administrator
Pacific Coast Feather Co.
julesa at pcf.com      x284