ietf-asrg

Re: [Asrg] Re: 6. Proposals: MTA MARK

2003-12-11 10:52:50
Fridrik Skulason wrote:
[snipped discussion of worms]

This is exactly why the group is reviewing it. Keep it up.

Now, an observation:

During the Sobig.F outbreak we collected data on which machines were
responsible for sending out the viruses.  It turned out that the vast
majority of analysed samples were from privately owned PCs with an
ADSL or broadband connection.  This is what one would have expected
anyhow - corporate machines are generally better protected and less
likely to be compromised and machines with only a (slow) modem
connection would send out fewer messages than the ones with a fast
connection.

The relevance to spam is that this is presumably the same group of
machines as spammers using compromised machines would be interested in.

I raised the point of comparing this to simple port 25 blocking, but
someone else brought that up as well, so I have no further questions
regarding that.

However, MTA MARK got me thinking about one issue regarding LMAP
(which, by the way, seems to be misspelled as LAMP in one or two places
in the LMAP document).

The misspellings occur in:
4.1.10 Requirement 2.10, Single Solution
4.1.11 Requirement 2.11, Technical Rather Than Legislative

If I understand LMAP correctly, you can get basically 3 possible answers:

   "This machine is authorized to send mail from my domain."
   "This machine is not authorized to send mail from my domain."
   "No LMAP data available."

Those are correct.

(somebody please correct me if I am wrong).  Now, the MTA MARK proposal
made me realize that the "not authorized" includes two separate scenarios,
which might require different reactions:

  "This is one of my machines, but it is not authorized to send mail
   from my domain" - this result would typically indicate a compromised
   machine - either trying to send out worms or spam.

  "This is not one of my machines, and therefore it is not authorized
   to send mail from my domain" - this result would either indicate
   a forgery or perhaps a "roaming salesman" instance.

What I don't quite see is how LMAP would distinguish between those two cases - or if it can indeed do so. Clarification, anyone?

There is no need or reason to distinguish, unless you want to talk about informing the sender that their machines are trying to send unauthorized mail. That's orthogonal to the protocol's narrowly defined goal of preventing domain forgery. If someone wants to report such abuse, they are quite able to look up the IP in {ARIN, RIPE, etc} and find the appropriate address to send that message to.

Philip Miller
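The exchange above turns on what an LMAP-style lookup can and cannot tell a receiving MTA. The following is an added illustration written for this archive page; it is not code from the thread, from LMAP or from MTA MARK. LMAP record syntax is not given on the page, so the "published" data is a constructed dict rather than DNS records, and the `OWNED_NETBLOCKS` table is a hypothetical side input standing in for the WHOIS-style information Philip refers to. The example shows the three answers Fridrik lists, then shows that splitting "not authorized" into his two scenarios needs data the protocol itself does not carry.

```python
"""Added example (not from the ASRG thread): an LMAP-style sender check,
plus the extra ownership data needed to tell "my machine, unauthorized"
from "not my machine at all".

All values are constructed for illustration (documentation IP ranges).
"""
import ipaddress

# Constructed: what each domain publishes. This is the ONLY input an
# LMAP-style check has. None models "No LMAP data available".
PUBLISHED_AUTHORIZED = {
    "example.com": ["192.0.2.10", "192.0.2.11", "198.51.100.0/28"],
    "example.org": None,
}

# Constructed, hypothetical: netblocks the domain owner operates. This is
# NOT published by LMAP; it is the kind of information an abuse desk would
# obtain from a registry (ARIN, RIPE, ...) lookup, as the reply notes.
OWNED_NETBLOCKS = {
    "example.com": ["192.0.2.0/24", "198.51.100.0/24"],
}


def _contains(ip: str, networks) -> bool:
    """True if ip falls inside any network in the list (hosts become /32)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in networks)


def lmap_check(domain: str, ip: str) -> str:
    """Return one of the three answers the thread lists for LMAP:
    'authorized', 'not-authorized', or 'no-data'."""
    nets = PUBLISHED_AUTHORIZED.get(domain)
    if nets is None:
        return "no-data"
    return "authorized" if _contains(ip, nets) else "not-authorized"


def refine_not_authorized(domain: str, ip: str) -> str:
    """Split 'not-authorized' into the two scenarios from the thread.

    'owned-host'   : the domain owner's own machine sending unauthorized
                     mail, the pattern of a compromised PC.
    'foreign-host' : a machine outside the owner's networks, i.e. forgery
                     or a roaming user.
    The split depends on OWNED_NETBLOCKS, which LMAP never provides, so a
    receiving MTA with only the protocol answer cannot make it.
    """
    verdict = lmap_check(domain, ip)
    if verdict != "not-authorized":
        return verdict
    if _contains(ip, OWNED_NETBLOCKS.get(domain, [])):
        return "not-authorized/owned-host"
    return "not-authorized/foreign-host"


if __name__ == "__main__":
    # Constructed sample of connecting hosts claiming to send for a domain.
    samples = [
        ("example.com", "192.0.2.10"),     # listed host
        ("example.com", "198.51.100.200"), # owner's netblock, not listed
        ("example.com", "203.0.113.7"),    # outside owner's networks
        ("example.org", "203.0.113.7"),    # domain publishes nothing
    ]
    for domain, ip in samples:
        print(f"{domain:12} {ip:16} lmap={lmap_check(domain, ip):16} "
              f"refined={refine_not_authorized(domain, ip)}")
```

Run as a script to see the four cases side by side. The receiving MTA's decision (accept, reject, or treat as neutral) is driven by `lmap_check` alone; `refine_not_authorized` only becomes useful to whoever wants to notify the owning network about a probable compromised host, which is the orthogonal goal the reply describes.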


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg