As everyone probably knows, there is a pretty large outbreak going on
right now. According to our mail filters at http://aves.f-prot.com,
10.56% of all filtered E-mail contains W32/Sober.J@mm. In addition,
there is a significant number of bounces as well.
We've reached 1.5 GB an hour of this s**t since Tuesday. Only our AV
calls it Sober.I@mm.
I agree, bounces are the very evil of the net itself.
Bouncing "infected" mail makes NO sense.
Most of the time, the mail is bounced to a counterfeit/bogus "from" address
where it COMPOUNDS the damage done by the worm, either by mailbombing someone
who is THEMSELVES a victim, or at least their ISP. I've also had bounces go
back to Yahoogroups (a major mailer, to say the least) who then disables MY
E-mail address because "their" mail to me "hard bounced". :-((
A-V software, AT A MINIMUM, should NEVER bounce "infected" mail for cases
where the recognized virus/worm in the mail being bounced is KNOWN to use
counterfeit From: addresses!
Where I'd have to disagree is here:
* Doing SPF checking will block the vast majority of the worms, but it
will not help with the bounces or the filter alerts.
It may block the vast majority of current worms, but I doubt it would
stop the tide for long. VX-ers will find other ways of abusing infected
victims.. they might even send out email using the user's own email account
and/or email client.
Absolutely, and that's precisely why SPF (like the other equally braindead
certification/identification schemes) is a non-solution for this problem.
Virus/worm authors can (literally overnight) shift to using the real E-mail
address belonging to the person whose machine they've infected, and just as
quickly all their worm/spam messages will fly through SPF (and similar)
domain-certification checks. :-( So we would have spent YEARS arguing over
and maybe finally agreeing on and implementing something that literally
overnight is rendered useless. (And you know, the spammers love to get the
last laugh like that, making everyone else look like the clueless idiots
they are).
As long as there are huge drone armies out there, and their likes - I
don't see how spam solutions today would really work as people hope.
There is ONE solution that virtually eliminates the worm/virus problem. And
that is the simple, effective, fine-grained permissions list... where the
default is to (by default) not accept messages that: (1) are bigger than some
limited size (say 10K-25K), (2) contain attachments, and/or (3) contain HTML,
unless the trusted sender of those "enhanced" features has been approved to
send those riskier/bulkier E-mail formats by the individual recipient.
There could be enhancements to make the grain finer, to discriminate based on
TYPE of attachments and classes of HTML tags.
For most recipients, their default protections (accept executable attachments
and HTML tags from NOBODY) would shield the recipient from virtually ALL e-mail
propagation of worms and viruses. It would also effectively prevent URL
spoofing, where the link that shows "confirm.citibank.com" actually links
unseen to some site like "spoof.youmoron.ro" or the like.
We can sit and argue about SPF and other authentication approaches for days,
or weeks, or months, or even years, but the FACT of the matter is that until
we get the virus/worm/zombie problem solved (and SPF does NOT do that), SPF
(and ALL of its ilk) is damned near worthless.
Gordon Peterson http://personal.terabites.com/
1977-2002 Twenty-fifth anniversary year of Local Area Networking!
Support free and fair US elections! http://stickers.defend-democracy.org
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.
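The fine-grained permissions list described in the post above, written out as an added example (it is not code from the thread or from any of the participants). By default a message is accepted only if it is small, carries no attachment and contains no HTML; each of those "enhanced" features is allowed only from a sender the recipient has explicitly approved for that feature, keyed on the From: address as the post describes. The 10K size limit (the low end of the post's 10K-25K range), the allow-list layout and the sample messages are all constructed for illustration.

```python
"""Per-recipient permissions list for inbound mail: default-deny for
large messages, attachments and HTML, with per-sender exceptions.
Added example; the limit, allow-list and sample messages are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr

# Lower end of the 10K-25K size range suggested in the post (bytes).
MAX_PLAIN_SIZE = 10 * 1024

# recipient -> sender -> features that sender may use.  Constructed sample data.
PERMISSIONS = {
    "alice@example.net": {
        "bob@example.org": {"large", "attachments", "html"},
        "newsletter@example.com": {"html"},
    },
}


def features_used(msg, raw):
    """Return the set of risky features an already-parsed message uses."""
    used = set()
    if len(raw.encode("utf-8")) > MAX_PLAIN_SIZE:
        used.add("large")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no content of their own
        if part.get_content_type() == "text/html":
            used.add("html")
        if part.get_content_disposition() == "attachment" or part.get_filename():
            used.add("attachments")
    return used


def check_message(raw, recipient):
    """Decide accept/reject for one recipient.

    Returns (verdict, denied) where denied lists the features the message uses
    that the recipient has not approved for this sender."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    allowed = PERMISSIONS.get(recipient.lower(), {}).get(sender, set())
    denied = sorted(features_used(msg, raw) - allowed)
    return ("accept" if not denied else "reject", denied)


# Constructed sample messages.
PLAIN = (
    "From: stranger@example.com\nTo: alice@example.net\n"
    "Subject: hello\n\nJust a short text note.\n"
)
HTML_NEWSLETTER = (
    "From: newsletter@example.com\nTo: alice@example.net\n"
    "Subject: weekly\nMIME-Version: 1.0\nContent-Type: text/html\n\n"
    "<html><body><a href=\"http://example.com\">read</a></body></html>\n"
)
ATTACHMENT = (
    "From: newsletter@example.com\nTo: alice@example.net\n"
    "Subject: update\nMIME-Version: 1.0\n"
    "Content-Type: multipart/mixed; boundary=\"B\"\n\n"
    "--B\nContent-Type: text/plain\n\nSee attached.\n"
    "--B\nContent-Type: application/octet-stream; name=\"update.exe\"\n"
    "Content-Disposition: attachment; filename=\"update.exe\"\n"
    "Content-Transfer-Encoding: base64\n\nTVo=\n--B--\n"
)
LARGE_FROM_BOB = (
    PLAIN.replace("stranger@example.com", "bob@example.org") + "x" * 20000 + "\n"
)

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN), ("html", HTML_NEWSLETTER),
                      ("attachment", ATTACHMENT), ("large", LARGE_FROM_BOB)]:
        print(name, check_message(raw, "alice@example.net"))
```

A stranger's plain text note is accepted; the newsletter's HTML is accepted because the recipient approved that sender for HTML, but the same sender's executable attachment is rejected; and the large message is accepted only because it comes from a sender approved for large mail.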
_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg