My own definition of "spam" is pretty broad, not just UCE, but pretty much
any unwanted crap in my mailbox. In particular that includes worms as
well as worm-generated bounces and other mail directly or indirectly
created as a result of computer worm activity.
As everyone probably knows, there is a pretty large outbreak going on
right now. According to our mail filters at http://aves.f-prot.com,
10.56% of all filtered E-mail contains W32/Sober.J@mm. In addition,
there is a significant number of bounces as well.
According to my definition that is "spam" - and even those who prefer
a more narrow definition should at least agree that this is unsolicited
and unwanted.
I have said before that universal adoption of SPF would kill off the
current generation of worms (and that includes Sober.J) - however,
there are a few points worth noting.
* We (f-prot.com) published a SPF record, with -all. I am not going to
discuss the possible problems with that policy, but we did evaluate
the advantages and disadvantages. Hopefully someone has rejected some
worms based on that policy - however, we are getting plenty of
"bounces" from domains that obviously have not implemented SPF
checking.
* Some of the domains that send us those bounces have published SPF
records, which indicates they are aware of SPF, but for one reason
or another they have decided not to implement SPF checking, so
they continue to cause problems for everyone else with those
bounces.
* In fact, it is irrelevant how many domains publish SPF records. Even
if every single domain had a record with "-all", it would not help
one bit with the bounces. The reason is of course that what really
matters is the number of domains that actually check SPF records and
reject and drop mails that fail.
* Even worse are the domains that do not bounce the message, but
analyze it and reply with a message like "MDaemon Warning - virus
found". Sending such messages is completely unacceptable behaviour.
Most "current generation" worms forge the sender's address, and
a mail filter that replies to the "From:" line with a warning
of this kind is worse than useless - it is a part of the problem,
not a part of the solution as it is generating spam (under my own
broad definition of "spam", as mentioned earlier).
So, the bottom line regarding worm-spam and SPF is:
* Publishing SPF records may reduce the number of worm bounce messages,
but that depends on the number of other domains checking the records.
* Doing SPF checking will block the vast majority of the worms, but it
will not help with the bounces or the filter alerts.
* Too many domains have incorrectly configured mail filters that reply
with an alert to the (forged) sender's address when they find a worm.
That behaviour is just not acceptable - in fact, I urge everyone
receiving a message telling them (incorrectly) that they sent out a
worm to contact the domain sending out that alert and inform them
that their mail filters are incorrectly configured. My own standard
reply follows... feel free to use that for inspiration
---- start of reply ----
Your automated software just sent me the message below, where
you are basically accusing me of sending you a virus.
I must express my displeasure, and insist that you fix the
problem.
The virus in question forges the "From:" field. The sender can
be anyone, and even a cursory check of the envelope address
should reveal that the mail originated elsewhere.
Incorrectly accusing people of spreading viruses is not only
impolite - it could potentially be a legal problem - no, I am
not threatening to sue you for defamation, but someone else might.
My advice is to reconfigure your mail filter not to send alerts
to the "From:" address. If you do not, you should probably get
legal advice on your policy.
---- end of reply ----
--
Fridrik Skulason Frisk Software International phone: +354-540-7400
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
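As an added illustration (not code from the post above, nor from f-prot.com or any MTA), here is a minimal SPF evaluator together with the receiving-side policy the post argues for: check the record and reject during the SMTP transaction, and never generate a bounce or a "virus found" alert towards the (forged) sender address. The SPF records, domains and IP addresses are constructed sample data for hypothetical domains, and only the ip4/ip6 mechanisms and the "all" default are modelled.

```python
import ipaddress

# Constructed sample SPF records for hypothetical domains (not real DNS data).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "example.org": None,  # publishes no SPF record at all
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(sender_domain, client_ip, records=SPF_RECORDS):
    """Evaluate the envelope sender's SPF record against the connecting IP.
    Returns 'pass', 'fail', 'softfail', 'neutral' or 'none' (no record)."""
    record = records.get(sender_domain)
    if not record:
        return "none"
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means "pass" when it matches
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech.lower() == "all":
            matched = True
        elif mech.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        else:
            continue  # a, mx, include etc. are deliberately not modelled here
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match (no "all" term)


def smtp_decision(sender_domain, client_ip, worm_found):
    """Policy for the receiving MTA, applied inside the SMTP transaction.
    Rejecting at this point means we never accept the message, so we never
    have to bounce it, and no alert is ever addressed to the forged sender.
    Returns (action, smtp_reply)."""
    if check_spf(sender_domain, client_ip) == "fail":
        return ("reject", "550 5.7.1 SPF check failed for " + sender_domain)
    if worm_found:
        # Worm detected by pre-queue scanning: refuse it, do not notify From:.
        return ("reject", "550 5.7.1 message content rejected")
    return ("accept", "250 OK")
```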