Interesting People mailing list archives
SPF and viruses
From: Dave Farber <dave () farber net>
Date: Wed, 18 Feb 2004 15:53:00 -0500
Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Wed, 18 Feb 2004 15:18:58 -0500
From: Meng Weng Wong <mengwong () dumbo pobox com>
Subject: SPF and viruses
To: Dave Farber <dave () farber net>

On Wed, Feb 18, 2004 at 01:49:54PM -0500, Dave Farber wrote:
| Please be aware that a new mass-mailing worm is out in the wild and will
| likely be hitting our community soon. This virus is called
| W32.Netsky.B. Along with propagation through mail, it spoofs e-mail
| addresses and exploits mapped network drives.

Since IP last discussed SPF, thousands more domains have published SPF records.

Over 7000 domains that have announced they are publishing. They include:

  AOL.com
  Altavista.com
  DynDNS.org
  eOnline.com
  GNU.org
  google.com
  LiveJournal.com
  MotleyFool.com
  OReilly.com
  Oxford.ac.uk
  PairNIC.com
  Perl.org
  PhilZimmermann.com
  SAP.com
  Symantec.com
  Ticketmaster.com
  w3.org

On the receiving end, many people have reported that they are successfully catching forged virus attempts. In my personal spambox folder I have:

  Received-SPF: fail (majesty.pobox.com: domain of miltonnolanvk () koys de does not designate 218.53.219.199 as permitted sender)
  Received-SPF: fail (majesty.pobox.com: domain of matthias.bayer () 12move de does not designate 24.244.154.12 as permitted sender)
  Received-SPF: fail (majesty.pobox.com: domain of v22iui () altavista com does not designate 212.81.112.114 as permitted sender)
  Received-SPF: fail (icicle.pobox.com: domain of fabrydank_erhopfe6524995 () check1check com does not designate 68.64.136.92 as permitted sender)
This stuff is actually working!

Now, there are two parts to sender authentication. The return-path needs to be protected from joe-jobs --- a virus forges your name and you get all the bounces. And the headers need to be protected from phishing, so if a message appears to be From: service () paypal com you know it really is.

On the web, https shows up as a little padlock in your web browser. Doing the same for email is tremendously valuable. Banks care a lot about this. That's why many authentication proposals focus on phishing.

But it's also very important to protect the return-path. In the past month I'm sure we've all spent a lot of time deleting bogus virus bounces. This is the problem SPF tries to solve.

When IP discussed SPF last month, Steven Bellovin posted a lengthy critique. I want to thank him for spending his valuable time contributing feedback. Recent versions of the draft have incorporated his suggestions --- we now have seven return codes, up from the previous four, and the Received-SPF field is now more structured.

The total number of domains covered by SPF is actually much, much higher than 7000. That number comes from self-reporting. The true number is higher because many domain-parking services have set up a blanket "this domain sends no mail" rule. Thanks to them, the total number of domains covered by SPF is in the six-digit range.

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/