spf-discuss
[Top] [All Lists]

RE: SPF and viruses

2004-01-30 07:34:54
Fridrik Skulason [mailto:frisk(_at_)f-prot(_dot_)com] wrote:
Then if someone forges mail from their own IP address:

  o The spf tests for mail froms of "user(_at_)example(_dot_)com" return 
FAIL.

But this would not give any additional benefits to the worm writers.
What is most likely that they would do (assuming that SPF or something
like that becomes widely used) is just to determine that the computer
belongs to example.com, and just forge the user's name - sending out
mail from bill(_at_)example(_dot_)com, bob(_at_)example(_dot_)com, 
joe(_at_)example(_dot_)com and so on.

This is really irrelevant to SPF as such - there is nothing it can do 
to prevent this, but I am just pointing this out as the most likely 
reaction by the worm authors.

Yes, in fact SPF does prevent this!  The worm could attempt to send mail out
as bill, bob or joe(_at_)example(_dot_)com and when the receiving MTA did its 
own SPF
check, it would see that the computer that was spreading the worm was not
authorized to send email on behalf of example.com.  Example.com is not going
to set up an SPF record that allows every one of their users computers to
send email on their domain's behalf....

Marc

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
To unsubscribe, change your address, or temporarily deactivate your 
subscription, 
please go to 
http://v2.listbox.com/member/?listname(_at_)©#«Mo\¯HÝÜîU;±¤Ö¤Íµø?¡


<Prev in Thread] Current Thread [Next in Thread>