spf-discuss

SPF and viruses

2004-01-30 02:09:50
Just a few comments from a different perspective.  I am the developer
of anti-virus products, including mail filters.  Considering that the
majority of mass-mailing worms forge the sender's address, I am of 
course interested in the deployment of any mechanism that will make
forging more difficult.

People are concentrating on the effect that any authentication mechanism
would have on spam, but the effects on worms would be considerable too.

If a mechanism like SPF was magically adopted worldwide overnight, it
would pretty much kill off existing worms that forge the sender's
address - Mydoom.A is of course the leading problem right now, but there
is a constant stream of samples of other worms, like Sober.C, Klez.H and
Dumaru.A - even the last "big" mail worm, Sobig.F is still around even
though it was supposed to stop working a while ago - there are obviously
some machines out there with an incorrect date setting.

The worm authors would of course attempt to get around this.  The most
obvious way would be to determine the "real" domain name of the infected
computer, and use that, but make up a new first part of the name.
Creating a new worm to do that would not be hard, so we just expect
that to happen more and more frequently as authentication methods
become more common.

Most mass-distributed worms are sent from privately owned PCs with a
broadband or ADSL connection (corporate machines are generally better
protected).  The owners of those machines generally don't have their 
own domains, so the domain would generally be those of major ISPs.

The situation is similar to that of "zombies" used to distribute
spam - it happens without the knowledge of the owner of the machines.
Moreover, it also happens without the knowledge of the owner of the
domain (the ISP).  For that reason (unlike spam sent from domains
owned and operated by professional spammers) a "domain reputation" system
would not help.  The only way is to get the ISPs to locate/inform/block
the PCs in question.

And this is the problem.  Some ISPs seem incredibly reluctant to stop
worms spreading from machines owned by their users (whether that has
anything to do with the fact that some of them charge for the traffic is
a good question).  Blocking the ISP as a whole will be problematic, as
at any given time only a small number of the computers connecting to
the net through it are infected with a mass-mailing worm or operating as
spam zombies.

We expect this problem to become more widespread if an authentication
mechanism like SPF gets widely adopted, but given the obvious immediate
benefit such a mechanism would offer, it should be possible to enlist
the support of the anti-virus community behind SPF or any other similar
mechanism that has a chance of getting widely adopted.

-- 
Fridrik Skulason   Frisk Software International   phone: +354-540-7400
Author of F-PROT   E-mail: frisk(_at_)f-prot(_dot_)com       fax:   +354-540-7401
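The post argues that SPF would stop worms that forge sender addresses at arbitrary domains, but not a worm that puts the infected PC's own ISP domain in the sender address. The following toy SPF evaluator is an added example, not code from the original post or from the SPF project; it supports only the ip4/ip6 and all mechanisms and uses constructed records for hypothetical domains (example-isp.test, example-bank.test, example-soft.test, nospf.test) instead of DNS lookups. It assumes the ISP's record covers the address range the infected PC sends from (or that the worm relays through the ISP's own outbound server); with a record that lists only the ISP's mail servers, direct-to-MX delivery from a customer address would fail too.

```python
import ipaddress

# Constructed SPF records for hypothetical domains. A real evaluator
# would fetch these from each domain's DNS TXT record.
SPF_RECORDS = {
    "example-isp.test": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all",
    "example-bank.test": "v=spf1 ip4:203.0.113.10 -all",
    "example-soft.test": "v=spf1 ip6:2001:db8::/32 ~all",
}

# Qualifier prefix -> SPF result when the mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(sender_domain, client_ip, records=SPF_RECORDS):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for a
    (sender domain, connecting IP) pair.

    Only ip4:, ip6: and all are implemented; mx/a/include/redirect are
    left out so the example runs offline.
    """
    record = records.get(sender_domain)
    if record is None:
        return "none"            # no SPF record published for the domain
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"          # mechanisms default to a pass qualifier
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIER_RESULT[qualifier]
        name, _, arg = term.partition(":")
        if name.lower() in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIER_RESULT[qualifier]
    return "neutral"             # nothing matched and no 'all' term


def worm_scenarios(infected_pc_ip="192.0.2.77"):
    """The cases from the post, for a constructed infected PC inside the
    ISP's published range."""
    return {
        # Worm forges a sender at an unrelated domain: rejected by SPF.
        "forged_other_domain": evaluate_spf("example-bank.test", infected_pc_ip),
        # Worm uses the ISP's real domain with a made-up local part:
        # SPF alone cannot distinguish this from legitimate customer mail.
        "real_isp_domain": evaluate_spf("example-isp.test", infected_pc_ip),
        # Domain that publishes no record: SPF gives no verdict at all.
        "no_record": evaluate_spf("nospf.test", infected_pc_ip),
    }


if __name__ == "__main__":
    for name, result in worm_scenarios().items():
        print(f"{name}: {result}")
```

The "real_isp_domain" case is the post's point: once the sender domain really belongs to the network the mail comes from, SPF passes, and the remaining control is the ISP locating and cleaning the infected machine.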

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your
subscription, please go to http://v2.listbox.com/member/

