On Tue, Jul 27, 2004 at 07:04:18PM -0400, Larry Seltzer wrote:
> It's worth pointing out, unless I'm mistaken, that the entire endemic
> population of mail worms would fail under SPF. None of them would
> authenticate because they all pick MAIL FROM addresses essentially at
> random and then use built-in MTAs, none of which will be registered in
People have domains and use them. Modern viruses construct new
sender/receiver address pairs by randomly mixing user and domain
parts of addresses they find anywhere on the infected host.
Only the DE zone has as of now 7,788,391 second level domains. Today
(21:52 GMT+2) there were 2038 new registrations.
Do you really seriously think that the mechanisms developed by this
group during the last five months will be deployed by a significant
part of the existing domains within the next 5 years?
I think it will take a really long time before the first virus or
worm will be rejected at SMTP level because of SPF or any similar
method and if it can't be caught before the DATA command it doesn't
make a difference, because then the message will be received and it
is probably cheaper to let the virus scanner catch it instead of
cruising the DNS, collect records and feed all this to a spam filter
for evaluation that classifies it then to a "maybe spam" folder, IF
the sender domain has deployed SPF or similar methods at all.
But as Phillip wrote the train is on the way and we'll see how many
will jump on it and how many will jump off and how many won't simply
care at all.
SpaceNet AG | Joseph-Dollinger-Bogen 14 | Fon: +49 (89) 32356-0
Research & Development | D-80807 Muenchen | Fax: +49 (89) 32356-299
"The security, stability and reliability of a computer system is reciprocally
proportional to the amount of vacuity between the ears of the admin"