[IP] SPF and viruses
Delivered-To: dfarber+@xxxxxxxxxxxxxxxxxx
Date: Wed, 18 Feb 2004 15:18:58 -0500
From: Meng Weng Wong <mengwong@xxxxxxxxxxxxxxx>
Subject: SPF and viruses
To: Dave Farber <dave@xxxxxxxxxx>
On Wed, Feb 18, 2004 at 01:49:54PM -0500, Dave Farber wrote:
| Please be aware that a new mass-mailing worm is out in the wild and will
| likely be hitting our community soon. This virus is called
| W32.Netsky.B. Along with propagation through mail, it spoofs e-mail
| addresses and exploits mapped network drives.
Since IP last discussed SPF, thousands more domains have published SPF
records. Over 7000 domains have announced that they are publishing.
They include:
AOL.com
Altavista.com
DynDNS.org
eOnline.com
GNU.org
google.com
LiveJournal.com
MotleyFool.com
OReilly.com
Oxford.ac.uk
PairNIC.com
Perl.org
PhilZimmermann.com
SAP.com
Symantec.com
Ticketmaster.com
w3.org
On the receiving end, many people have reported that they are
successfully catching forged virus attempts. In my personal spambox
folder I have:
Received-SPF: fail (majesty.pobox.com: domain of miltonnolanvk@xxxxxxx
does not designate 218.53.219.199 as permitted sender)
Received-SPF: fail (majesty.pobox.com: domain of
matthias.bayer@xxxxxxxxx does not designate 24.244.154.12 as permitted sender)
Received-SPF: fail (majesty.pobox.com: domain of v22iui@xxxxxxxxxxxxx
does not designate 212.81.112.114 as permitted sender)
Received-SPF: fail (icicle.pobox.com: domain of
fabrydank_erhopfe6524995@xxxxxxxxxxxxxxx does not designate 68.64.136.92 as
permitted sender)
This stuff is actually working!
Now, there are two parts to sender authentication. The return-path
needs to be protected from joe-jobs --- a virus forges your name and you
get all the bounces. And the headers need to be protected from
phishing, so if a message appears to be From: service@xxxxxxxxxx you
know it really is.
On the web, https shows up as a little padlock in your web browser.
Doing the same for email is tremendously valuable. Banks care a lot
about this. That's why many authentication proposals focus on phishing.
But it's also very important to protect the return-path. In the past
month I'm sure we've all spent a lot of time deleting bogus virus
bounces. This is the problem SPF tries to solve.
When IP discussed SPF last month, Steven Bellovin posted a lengthy
critique. I want to thank him for spending his valuable time
contributing feedback. Recent versions of the draft have incorporated
his suggestions --- we now have seven return codes, up from the previous
four, and the Received-SPF field is now more structured.
The total number of domains covered by SPF is actually much, much higher
than 7000. That number comes from self-reporting. The true number is
higher because many domain-parking services have set up a blanket "this
domain sends no mail" rule. Thanks to them, the total number of domains
covered by SPF is in the six-digit range.
-------------------------------------
Archives at: http://www.interesting-people.org/archives/interesting-people/
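The Received-SPF lines quoted in the message are the output of exactly the check SPF defines: take the connecting IP and the MAIL FROM domain, fetch that domain's SPF record, and walk its mechanisms until one matches. The Python below is an added example, not code from Meng Weng Wong's message or from the SPF project, that performs that walk and formats the same style of header. Everything it looks up is constructed in-memory zone data (documentation address ranges and example.* names, not real records); the result names use the later RFC 7208 vocabulary (none, neutral, pass, fail, softfail, permerror), which differs from the draft's labels at the time of the message; and only the all, ip4, ip6, a and include mechanisms are implemented, so a record using mx, ptr, exists or redirect yields permerror here rather than a real evaluation.

```python
import ipaddress

# Constructed DNS data for this example (documentation ranges, not real records).
ZONE_TXT = {
    "example.com":      ["v=spf1 ip4:192.0.2.0/24 a include:mail.example.net -all"],
    "mail.example.net": ["v=spf1 ip4:198.51.100.25 ip6:2001:db8::/32 ~all"],
    "parked.example":   ["v=spf1 -all"],                       # "this domain sends no mail"
    "loop.example":     ["v=spf1 include:loop.example -all"],  # pathological self-include
    "nospf.example":    ["just some unrelated TXT data"],      # TXT present, but no SPF
}
ZONE_A = {"example.com": ["192.0.2.10", "203.0.113.40"]}     # constructed A records

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_INCLUDE_DEPTH = 10


def lookup_spf(domain, txt=ZONE_TXT):
    """Return the domain's SPF record from the constructed zone, or None if it has none."""
    recs = [r for r in txt.get(domain.lower(), [])
            if r.lower() == "v=spf1" or r.lower().startswith("v=spf1 ")]
    return recs[0] if recs else None


def check_host(ip, domain, depth=0):
    """Evaluate the SPF policy of `domain` for a message arriving from `ip`.

    Returns one of: none, neutral, pass, fail, softfail, permerror.
    """
    if depth > MAX_INCLUDE_DEPTH:
        return "permerror"                 # runaway include chain
    record = lookup_spf(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:        # skip the "v=spf1" version tag
        qualifier = "+"                    # an unqualified mechanism means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"         # malformed network in the record
            matched = addr.version == net.version and addr in net
        elif name == "a":
            target = (arg or domain).lower()
            matched = any(addr == ipaddress.ip_address(a) for a in ZONE_A.get(target, []))
        elif name == "include":
            sub = check_host(ip, arg, depth + 1)
            if sub == "pass":
                matched = True
            elif sub in ("fail", "softfail", "neutral"):
                matched = False            # included policy did not match; keep walking
            else:
                return "permerror"         # none or permerror inside an include
        else:
            return "permerror"             # mx, ptr, exists, redirect: not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                       # no mechanism matched and no explicit "all"


def received_spf(result, receiver, sender, ip):
    """Format a Received-SPF field in the shape shown in the quoted spambox headers."""
    if result == "pass":
        comment = f"domain of {sender} designates {ip} as permitted sender"
    elif result in ("fail", "softfail"):
        comment = f"domain of {sender} does not designate {ip} as permitted sender"
    elif result == "none":
        comment = f"domain of {sender} does not publish an SPF record"
    else:
        comment = f"domain of {sender} gave {result} while checking {ip}"
    return f"Received-SPF: {result} ({receiver}: {comment})"


def check_mail_from(ip, mail_from, receiver="mx.example.org"):
    """SPF-check a MAIL FROM address and return (result, Received-SPF header)."""
    result = check_host(ip, mail_from.rpartition("@")[2])
    return result, received_spf(result, receiver, mail_from, ip)


if __name__ == "__main__":
    for ip, sender in [("192.0.2.10", "alice@example.com"),
                       ("2001:db8::1", "alice@example.com"),
                       ("203.0.113.5", "alice@example.com"),
                       ("203.0.113.5", "bob@parked.example"),
                       ("203.0.113.5", "carol@nospf.example"),
                       ("203.0.113.5", "dave@loop.example")]:
        print(check_mail_from(ip, sender)[1])
```

The parked.example entry is the blanket "this domain sends no mail" record the message credits for pushing SPF coverage into six digits: any connecting host fails it, so a worm forging that domain in MAIL FROM is rejected before the bounce is ever generated. Note that a softfail returned from inside an include counts as "not matched" and evaluation continues to the including record's own -all, which is why the third sample sender ends in fail rather than softfail.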