On 05/06/2023 21:38, Kevin A. McGrail wrote:
Interesting question and discussion. I thought I would mention because the question of "is this spam?" comes up a lot, the Apache SpamAssassin project uses the litmus test of "consent" not "content". We really don't care what the content is of an email between two adults who consent to communicate. So scraping emails from mailing lists and using those addresses for any purpose even to send the cure to cancer, we would consider spam. If you have spamples showing this behavior, we can look at adding them to RBLs.
LMK, KAM
This prompts me to raise an issue that I have been mulling over for a while, which I think of as IETF-facilitated SPAM.
It started some time ago, only happens on e-mail addresses with which I have subscribed to an IETF list and comprises a few messages every week. The messages are obviously SPAM (except to my ESP) - Subjects such as password expiring, request for quotation, storage 99.9% full, clear cache immediately, You have a new VMail and such like - and usually appear, almost identically, on more than one of the addresses I use for IETF work within a few hours. What makes them stand out is the 'From:' which has the same domain name as all of my e-mail addresses (btconnect.com) with a highly plausible local part (although I have not checked whether or not these are valid addresses since I suspect that that is what the attacker wants - they certainly look it).
As I say, they are obviously SPAM, except to my ISP (which classifies plenty of my mails as 'junk', several of which are, or should be, obviously not so).
I wonder if others see a similar pattern on the same or a different domain name. I assume that the attackers have subscribed to the IETF lists and are harvesting addresses but wonder at the use of the domain name in the SPAM.
The 'Received: from' are all of my ESP.
Tom Petch