RE: Backdoor not recognized by Kaspersky

["Larry Seltzer" <larry () larryseltzer com>]

> > SMTP auth does not help at all. A virus that delivers email via it's own SMTP engine
completely bypasses the end users ISP server(s). And if the recipient server does not
allow incoming mail from wherever it is presented from, then incoming mail will simply
be broken unless there is some sort of SPF. 

Yeah, exactly, that's the point. SMTP AUTH plus something like SPF/CID/DK would stop all
the existing worms from operating. Mail sent through their own engines would be rejected
by SPF/CID/DK. 

> > But, SPF, caller-ID, and Domain keys all have major unsolved issues with forwards,
aliases, corporate employees checking their work mail and needing to reply through their
home connection ISP, but with their company 'From: ' address and several other common
scenarios. Until their is universal adoption of some add on to SMTP, nobody can reject
all non-conforming mail safely. 

It's not hard to imagine the largest ISPs and large corps accepting it, at which point
it would become necessary for others to accept it or risk having their mail shut out. 

> > All implementations create a much greater load on DNS. 

Greater, yes. Much greater, I'm not so sure. Verisign doesn't think it's a substantial
extra load. The DNS data could very reasonably be cached.

> > The real issue is that their is no possible algorithmic solution to rejecting email
reliably based on any of its source, its content, or any combination. 

So SPF/CID/DK don't work? They reject based on domain

> > If the mail is not accepted, laws prohibit silently discarding it. 

I've never heard this before. What law?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
larryseltzer () ziffdavis com 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html