The worm attack on authentication schemes is a particularly bad one. I have
recently joined the list, so I apologize if this has been discussed previously.
But consider the following scenario: a new worm comes out that uses the infected
machines' designated servers to send out mail. Say these mail servers have an
SPF or DK record and further they enjoy good reputations on the various
reputation services (since they mostly send out good mail). The recipient
machines do an SPF/DK check, it passes, they look up the reputation, which checks
out too, and deliver the mail, bypassing all content-based filtration
sub-systems. The recipient systems get infected. The smarter users start
reporting the worm to reputation services, who in turn punish the senders.
After a while the senders' reputation drops so much that they are unable to send
out legit mail.
This is a bit of an extreme scenario, but a plausible one. Once it happens,
spammers will adopt it and change the payload (worm + spam).
cheers,
vipul
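The decision flow described in the post above can be modelled as a small simulation. This is an added example, not code from the thread or from any of its participants; the domain name, scores, penalty and threshold are constructed. It contrasts the "authenticated plus reputable, so skip the content filter" shortcut with a policy in which SPF/DK only identifies the sender and the content scan always runs, and it shows the second-order effect the post describes: under the shortcut, abuse reports drive the shared server's reputation down until its legitimate mail is rejected too.

```python
"""Simulation of the scenario in the post: a worm relays through a sender's
well-reputed, SPF-authenticated mail server.  Constructed example; the domain,
scores and thresholds are made up for illustration."""
from dataclasses import dataclass, field


@dataclass
class Message:
    sender_domain: str
    spf_pass: bool            # result of the receiver's SPF/DK check
    has_worm_payload: bool    # constructed stand-in for a content scanner's verdict


@dataclass
class ReputationService:
    scores: dict = field(default_factory=dict)   # domain -> score in [0, 100]
    threshold: int = 50                          # constructed "good reputation" cut-off

    def is_good(self, domain: str) -> bool:
        return self.scores.get(domain, 0) >= self.threshold

    def report_abuse(self, domain: str, penalty: int = 20) -> None:
        # Users reporting the worm push the sending domain's score down.
        self.scores[domain] = max(0, self.scores.get(domain, 0) - penalty)


def content_scan(msg: Message) -> str:
    return "reject" if msg.has_worm_payload else "deliver"


def shortcut_policy(msg: Message, rep: ReputationService) -> str:
    """The post's scenario: SPF pass + good reputation bypasses content filtering."""
    if not rep.is_good(msg.sender_domain):
        return "reject"
    if msg.spf_pass:
        return "deliver"          # the bypass: no content scan for trusted senders
    return content_scan(msg)


def layered_policy(msg: Message, rep: ReputationService) -> str:
    """Authentication identifies the sender and reputation gates it, but the
    content scan runs on every message that is accepted for delivery."""
    if not rep.is_good(msg.sender_domain):
        return "reject"
    return content_scan(msg)


def simulate(policy, n_worm_messages: int = 5) -> dict:
    """Feed worm mail from a well-reputed, authenticating domain through a
    policy, report each delivered worm, then test a legitimate message."""
    domain = "good-isp.example"                 # constructed
    rep = ReputationService({domain: 90})
    worm = Message(domain, spf_pass=True, has_worm_payload=True)
    legit = Message(domain, spf_pass=True, has_worm_payload=False)
    verdicts = []
    for _ in range(n_worm_messages):
        verdict = policy(worm, rep)
        verdicts.append(verdict)
        if verdict == "deliver":
            rep.report_abuse(domain)            # recipients got infected and reported it
    return {
        "worm_verdicts": verdicts,
        "legit_after": policy(legit, rep),      # collateral damage check
        "score_after": rep.scores[domain],
    }


if __name__ == "__main__":
    print("shortcut:", simulate(shortcut_policy))
    print("layered: ", simulate(layered_policy))
```

Under the shortcut policy the first few worm messages are delivered unscanned, the reports drag the domain's score below the threshold, and from then on the server's legitimate mail is rejected along with the worm. Under the layered policy no worm reaches a mailbox, no reports are filed, and the domain's reputation and legitimate mail are unaffected; the layered policy is one mitigation offered here for illustration, not something the post itself proposes.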
-----Original Message-----
From: asrg-bounces@ietf.org on behalf of Gadi Evron
Sent: Fri 11/26/2004 7:00 PM
To: Fridrik Skulason
Cc: asrg@ietf.org
Subject: Re: [Asrg] "worm spam" and SPGF
> As everyone probably knows, there is a pretty large outbreak going on
> right now. According to our mail filters at http://aves.f-prot.com,
> 10.56% of all filtered E-mail contains W32/Sober.J@mm. In addition,
> there is a significant number of bounces as well.
We've reached 1.5 GB an hour of this s**t since Tuesday. Only our AV
calls it Sober.I@mm.
I agree, bounces are the very evil of the net itself.
Where I'd have to disagree is here:
> * Doing SPF checking will block the vast majority of the worms, but it
> will not help with the bounces or the filter alerts.
It may block the vast majority of current worms, but I doubt it would
stop the tide for long.
VX-ers will find other ways of abusing infected victims... they might
even send out email using the user's own email account and/or email client.
As long as there are huge drone armies out there, and their likes - I
don't see how spam solutions today would really work as people hope.
They will help reduce the numbers by a 0 or two though (if widely
implemented in a reasonable period of time). I may actually get hundreds
instead of thousands of spam messages a day.
Gadi.
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg