Interesting People mailing list archives

SPF and viruses


From: Dave Farber <dave () farber net>
Date: Wed, 18 Feb 2004 15:53:00 -0500


Delivered-To: dfarber+ () ux13 sp cs cmu edu
Date: Wed, 18 Feb 2004 15:18:58 -0500
From: Meng Weng Wong <mengwong () dumbo pobox com>
Subject: SPF and viruses
To: Dave Farber <dave () farber net>

On Wed, Feb 18, 2004 at 01:49:54PM -0500, Dave Farber wrote:
| Please be aware that a new mass-mailing worm is out in the wild and will
| likely be hitting our community soon. This virus is called
| W32.Netsky.B.  Along with propagation through mail, it spoofs e-mail
| addresses and exploits mapped network drives.

Since IP last discussed SPF, thousands more domains have published SPF
records.  Over 7000 domains have announced that they are publishing.
They include:

  AOL.com
  Altavista.com
  DynDNS.org
  eOnline.com
  GNU.org
  google.com
  LiveJournal.com
  MotleyFool.com
  OReilly.com
  Oxford.ac.uk
  PairNIC.com
  Perl.org
  PhilZimmermann.com
  SAP.com
  Symantec.com
  Ticketmaster.com
  w3.org

On the receiving end, many people have reported that they are
successfully catching forged virus attempts.  In my personal spambox
folder I have:

Received-SPF: fail (majesty.pobox.com: domain of miltonnolanvk () koys de does not designate 218.53.219.199 as permitted sender)
Received-SPF: fail (majesty.pobox.com: domain of matthias.bayer () 12move de does not designate 24.244.154.12 as permitted sender)
Received-SPF: fail (majesty.pobox.com: domain of v22iui () altavista com does not designate 212.81.112.114 as permitted sender)
Received-SPF: fail (icicle.pobox.com: domain of fabrydank_erhopfe6524995 () check1check com does not designate 68.64.136.92 as permitted sender)

This stuff is actually working!

Now, there are two parts to sender authentication.  The return-path
needs to be protected from joe-jobs --- a virus forges your name and you
get all the bounces.  And the headers need to be protected from
phishing, so if a message appears to be From: service () paypal com you
know it really is.

On the web, https shows up as a little padlock in your web browser.
Doing the same for email is tremendously valuable.  Banks care a lot
about this.  That's why many authentication proposals focus on phishing.

But it's also very important to protect the return-path.  In the past
month I'm sure we've all spent a lot of time deleting bogus virus
bounces.  This is the problem SPF tries to solve.

When IP discussed SPF last month, Steven Bellovin posted a lengthy
critique.  I want to thank him for spending his valuable time
contributing feedback.  Recent versions of the draft have incorporated
his suggestions --- we now have seven return codes, up from the previous
four, and the Received-SPF field is now more structured.

The total number of domains covered by SPF is actually much, much higher
than 7000.  That number comes from self-reporting.  The true number is
higher because many domain-parking services have set up a blanket "this
domain sends no mail" rule.  Thanks to them, the total number of domains
covered by SPF is in the six-digit range.


Archives at: http://www.interesting-people.org/archives/interesting-people/
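The two pieces the message above relies on, evaluating a domain's published SPF record against the connecting IP and acting on the Received-SPF header a receiver stamps on the mail, are shown below as an added example; it is not code from the original post or from the SPF project. The SPF records, domain names, IP addresses and Received-SPF lines are constructed placeholders, and the evaluator only handles the ip4, ip6 and all mechanisms (anything needing a DNS lookup, such as include or mx, is reported as permerror rather than silently skipped).

```python
"""Added example: a minimal SPF evaluator plus a Received-SPF header parser.

Not from the original mailing-list post. Records, domains, IPs and headers
below are constructed for illustration.
"""
import ipaddress
import re

# Constructed records keyed by envelope-sender domain (placeholders, not real
# published policies). "v=spf1 -all" is the "this domain sends no mail" rule
# that domain-parking services publish.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "parked.example": "v=spf1 -all",
    "soft.example": "v=spf1 ip4:198.51.100.7 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, client_ip: str) -> str:
    """Return the SPF result for client_ip under the given record.

    Only ip4:, ip6: and all are implemented. A record that uses a
    DNS-dependent mechanism (include:, a, mx, ...) yields "permerror" so a
    caller never mistakes an unevaluated record for a pass.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed address or prefix
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # mechanism needs DNS; not supported here
    return "neutral"  # nothing matched and no "all" term: RFC default


# Header shape: "Received-SPF: <result> (<checking host>: <explanation>)"
HEADER_RE = re.compile(
    r"^Received-SPF:\s*(?P<result>[a-z]+)\s*\((?P<comment>[^)]*)\)", re.I
)
DETAIL_RE = re.compile(
    r"domain of (?P<sender>\S+) (?:does not designate|designates) "
    r"(?P<ip>\S+) as permitted sender"
)


def parse_received_spf(header: str) -> dict:
    """Split a Received-SPF header into result, checking host, sender and IP."""
    m = HEADER_RE.match(header.strip())
    if not m:
        raise ValueError("not a Received-SPF header")
    info = {"result": m.group("result").lower(), "comment": m.group("comment")}
    host, _, rest = info["comment"].partition(":")
    info["checking_host"] = host.strip()
    d = DETAIL_RE.search(rest)
    if d:
        info["sender"] = d.group("sender")
        info["sender_domain"] = d.group("sender").rpartition("@")[2]
        info["client_ip"] = d.group("ip")
    return info


# Constructed sample headers in the format quoted in the message above.
SAMPLE_HEADERS = [
    "Received-SPF: fail (mx.example.net: domain of attacker@parked.example "
    "does not designate 203.0.113.9 as permitted sender)",
    "Received-SPF: pass (mx.example.net: domain of alice@example.com "
    "designates 192.0.2.10 as permitted sender)",
    "Received-SPF: softfail (mx.example.net: domain of bob@soft.example "
    "does not designate 203.0.113.44 as permitted sender)",
]


def failed_senders(headers):
    """Return (sender, client_ip) for every hard-fail header: the forged
    return-path messages a receiver can reject at SMTP time instead of
    accepting and later bouncing them to the forged address."""
    out = []
    for h in headers:
        info = parse_received_spf(h)
        if info["result"] == "fail" and "sender" in info:
            out.append((info["sender"], info["client_ip"]))
    return out


if __name__ == "__main__":
    for domain, record in SPF_RECORDS.items():
        print(domain, "->", evaluate_spf(record, "203.0.113.9"))
    print(failed_senders(SAMPLE_HEADERS))
```

The evaluator treats an unsupported mechanism as permerror on purpose: a real checker resolves include/a/mx via DNS, and a filter that simply ignored those terms would report "neutral" for domains whose policy actually says "fail". The parser keys its reject decision on the structured result token, not on the free-text comment, which is the point of the draft making the Received-SPF field more structured.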

