ietf-asrg

Re: [Asrg] "worm spam" and SPF

2004-11-27 10:39:04
"Vipul Ved Prakash" <vipul(_at_)cloudmark(_dot_)com> wrote:

[some MIME cruft elided]

But consider the following scenario: A new worm comes out that uses
infected machines' designated servers to send out mail.  Say these
mail servers have an SPF or DK record and further they enjoy good
reputations on the various reputation services (since they mostly
send out good mail). The recipient machines do an SPF/DK check, it
passes, they look up the reputation, which checks out too, and
deliver the mail bypassing all content-based filtration
sub-systems. The recipient systems get infected.  The smarter
users start reporting the worm to reputation services, who in turn
punish the senders. After a while the senders' reputation drops so
much that they are unable to send out legit mail.

Therefore, an ISP (or other sender) that wishes to retain a good
reputation will set its outgoing mailservers to check for the latest
worms fairly soon after they're discovered, and throttle mail from any
particular sender so not too many worms get out before they're learned
about.

Seth

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
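
The sender-side policy described in the reply above (scan outgoing mail for known worms and throttle each sender), sketched as an added example that is not part of the original thread. The class name, limits and addresses are hypothetical, and an exact SHA-256 match stands in for a real virus scanner; the point is that the throttle bounds how many copies leave before the signature is learned.

```python
import hashlib
from collections import defaultdict, deque

class OutboundGate:
    def __init__(self, max_per_window=5, window_s=60):
        self.max_per_window, self.window_s = max_per_window, window_s
        self.signatures = set()            # digests of known worm payloads
        self.sent_at = defaultdict(deque)  # sender -> release timestamps
        self.held = defaultdict(deque)     # sender -> payloads deferred by throttle

    @staticmethod
    def digest(payload):
        # Assumption: exact SHA-256 match stands in for a real virus scanner.
        return hashlib.sha256(payload).hexdigest()

    def _has_budget(self, sender, now):
        q = self.sent_at[sender]
        while q and now - q[0] >= self.window_s:
            q.popleft()                    # forget releases outside the window
        return len(q) < self.max_per_window

    def submit(self, sender, payload, now):
        if self.digest(payload) in self.signatures:
            return "reject"
        # Keep ordering: once a sender has held mail, new mail queues behind it.
        if self.held[sender] or not self._has_budget(sender, now):
            self.held[sender].append(payload)
            return "defer"
        self.sent_at[sender].append(now)
        return "send"

    def learn_signature(self, payload):
        """Add a new worm signature and purge held copies; returns number purged."""
        sig = self.digest(payload)
        self.signatures.add(sig)
        before = sum(len(q) for q in self.held.values())
        for sender in list(self.held):
            self.held[sender] = deque(p for p in self.held[sender] if self.digest(p) != sig)
        return before - sum(len(q) for q in self.held.values())

def simulate():
    gate, worm = OutboundGate(), b"constructed worm body"  # constructed sample
    results = [gate.submit("infected@example.net", worm, now=t) for t in range(100)]
    purged = gate.learn_signature(worm)    # signature arrives after 100 seconds
    return results.count("send"), purged, gate.submit("infected@example.net", worm, 100)

if __name__ == "__main__":
    print(simulate())
```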