ietf-asrg

RE: [Asrg] "worm spam" and SPF

2004-11-26 20:33:12
The worm attack on authentication schemes is a particularly bad one. I have 
recently joined the list, so I apologize if this has been discussed previously. 
But consider the following scenario: A new worm comes out that uses the infected 
machine's designated servers to send out mail. Say these mail servers have an 
SPF or DK record and further they enjoy good reputations on the various 
reputation services (since they mostly send out good mail). The recipient 
machines do an SPF/DK check, it passes, they look up the reputation, which checks 
out too, and deliver the mail, bypassing all content-based filtration 
sub-systems. The recipient systems get infected. The smarter users start 
reporting the worm to reputation services, who in turn punish the senders. 
After a while the senders' reputation drops so much that they are unable to send 
out legit mail. 

This is a bit of an extreme scenario, but a plausible one. Once it happens, 
spammers will adopt it and change the payload (worm + spam). 

cheers,
vipul

-----Original Message-----
From: asrg-bounces@ietf.org on behalf of Gadi Evron
Sent: Fri 11/26/2004 7:00 PM
To: Fridrik Skulason
Cc: asrg@ietf.org
Subject: Re: [Asrg] "worm spam" and SPGF
 
As everyone probably knows, there is a pretty large outbreak going on 
right now. According to our mail filters at http://aves.f-prot.com,
10.56% of all filtered E-mail contains W32/Sober.J@mm. In addition,
there is a significant number of bounces as well.  

We've reached 1.5 GB an hour of this s**t since Tuesday. Only our AV 
calls it Sober.I@mm.

I agree, bounces are the very evil of the net itself.

Where I'd have to disagree is here:

* Doing SPF checking will block the vast majority of the worms, but it
  will not help with the bounces or the filter alerts.

It may block the vast majority of current worms, but I doubt it would 
stop the tide for long.
VX-ers will find other ways of abusing infected victims. They might 
even send out email using the user's own email account and/or email client.

As long as there are huge drone armies out there, and their likes - I 
don't see how spam solutions today would really work as people hope. 
They will help reduce the numbers by a 0 or two though (if widely 
implemented in a reasonable period of time). I may actually get hundreds 
instead of thousands of spam messages a day.

        Gadi.
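The scenario in vipul's message above, worked through as an added example (not code from either poster): a simplified mail-acceptance policy in which an SPF pass plus a good reputation lets a message skip content scanning, next to a layered policy in which scanning always runs. The domain, IP, scores, threshold and penalty are constructed values, and `carries_worm` stands in for a content scanner's verdict.

```python
from dataclasses import dataclass

@dataclass
class Message:
    sender_domain: str
    connecting_ip: str
    carries_worm: bool   # stand-in for the verdict a content scanner would give

# Constructed sample data: one legitimate relay that an infected client is
# allowed to send through, and that relay's reputation score (0-100).
SPF_PERMITTED = {"example.com": {"192.0.2.10"}}
INITIAL_REPUTATION = {"example.com": 90}
THRESHOLD = 50      # assumed: below this a sender is no longer trusted
PENALTY = 10        # assumed: reputation lost per reported worm message

def spf_pass(msg):
    """Simplified SPF: is the connecting IP authorised for the sender domain?"""
    return msg.connecting_ip in SPF_PERMITTED.get(msg.sender_domain, set())

def policy_bypass(msg, reputation):
    """Policy from the scenario: SPF pass + good reputation skips content scanning."""
    score = reputation.get(msg.sender_domain, 0)
    if spf_pass(msg) and score >= THRESHOLD:
        return "deliver"                      # content filter never sees the worm
    if msg.carries_worm:
        return "reject"
    return "deliver" if score >= THRESHOLD else "quarantine"

def policy_layered(msg, reputation):
    """Layered policy: content scanning always runs; SPF and reputation only
    decide what happens to a message the scanner found clean."""
    if msg.carries_worm:
        return "reject"
    score = reputation.get(msg.sender_domain, 0)
    if spf_pass(msg) and score >= THRESHOLD:
        return "deliver"
    return "quarantine"

def simulate(policy, worm_messages):
    """Push worm_messages worms through the relay; each delivered worm is reported
    and costs PENALTY points. Returns (infections, fate of later legit mail, score)."""
    reputation = dict(INITIAL_REPUTATION)
    infections = 0
    for _ in range(worm_messages):
        worm = Message("example.com", "192.0.2.10", carries_worm=True)
        if policy(worm, reputation) == "deliver":
            infections += 1
            reputation["example.com"] = max(0, reputation["example.com"] - PENALTY)
    legit = Message("example.com", "192.0.2.10", carries_worm=False)
    return infections, policy(legit, reputation), reputation["example.com"]
```

Under the bypass policy the relay infects recipients until its score falls under the threshold, after which its legitimate mail is quarantined too; under the layered policy no worm is delivered and the relay's reputation is untouched.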

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
