ietf-mxcomp

Re: Point of Order: Incomplete, flawed response to MARID WG Charter

2004-08-18 14:20:00

Dean Anderson <dean(_at_)av8(_dot_)com> wrote:
In the case of SPF, all the virus operator has to do to continue forging
email is to have the virus upgrade itself to use the infected domain's
relays using the user's stored email configuration or just by guessing, or
better, by using the SPF records.  After that, they forge away.

  One huge benefit to viruses by forging is that millions of user
machines, with fast network connections, which aren't normally MTAs,
can suddenly all attack other people's MTAs.  Like many people, I've
had MTAs severely hit by a new virus load, due to precisely the above
problem.

  If the viruses have to use the infected domain's MTA to propagate, I
think that's a great thing.  Their MTA will probably die, won't
distribute as many viruses, and therefore my MTA won't die.

  Viruses can, of course, get around this by using "open" SPF records,
or records from an "evil" domain associated with the virus.  But both
of those situations involve a single point of attack: the DNS for the
domain.  Shut that down, and there are no longer any SPF records, and
we're back to where we are today with viruses & forgery.

  So in one situation, we'll be better off.  In another, we'll be
worse off, due to the cost of deploying a protocol that doesn't help
for that situation.

  It's up to individual MTA administrators to do the cost/benefit
analysis for the two situations, to see if it's worth it for them to
deploy a particular solution.

  Alan DeKok.
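The "open" SPF records Alan mentions are the ones whose catch-all term admits any host. As an added illustration that is not part of this thread, here is a small checker that evaluates a sender IP against ip4/ip6/all terms and flags records that are effectively open; the domain names and records are constructed for the example, and include/a/mx mechanisms are omitted because they require DNS lookups.

```python
import ipaddress

# Constructed sample records for hypothetical domains (not from the thread).
SAMPLE_RECORDS = {
    "strict.example":   "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    "open.example":     "v=spf1 +all",
    "neutral.example":  "v=spf1 ip4:198.51.100.1 ?all",
    "softfail.example": "v=spf1 ip4:198.51.100.1 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def parse_spf(record):
    """Split an SPF record into (result, mechanism, arg) tuples; ip4/ip6/all only."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((QUALIFIERS[qualifier], name.lower(), arg))
    return parsed

def evaluate(record, sender_ip):
    """SPF result for a connecting IP: the result of the first matching term,
    or neutral when nothing matches (the RFC default for an unmatched host)."""
    ip = ipaddress.ip_address(sender_ip)
    for result, mech, arg in parse_spf(record):
        if mech == "all":
            return result
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
    return "neutral"

def is_open(record):
    """True when any host gets through: the catch-all is +all or ?all,
    or there is no catch-all at all, so unlisted senders are never rejected."""
    for result, mech, _ in parse_spf(record):
        if mech == "all":
            return result in ("pass", "neutral")
    return True

def audit(records):
    """Names of domains whose published record is effectively open."""
    return [domain for domain, rec in records.items() if is_open(rec)]
```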