spf-discuss

RE: SPF and viruses

2004-01-30 11:34:39
Fridrik Skulason wrote:
Actually, whether it does depends on how the worm sends out mail.  A
worm may have its own SMTP "engine", and send the mail directly. 
However, the worm can also attempt to send out the mail just as if
the "real" user of the machine was sending the mail, by connecting to
the mail server (POP, IMAP or whatever) and in that case the mail
would be indistinguishable from regular mail from that domain as far
as SPF is concerned. 

In the first case SPF would indeed work just fine - sure, the machine
belongs to the right domain, but it is not authorized to send mail

In the second case SPF will not help.

In the second case, could the ISP not do something similar to what Meng
is doing for pobox.com with a per-user policy?  Using dynamic DNS, when
a specific user receives a network address, they could add a specific
SPF policy stating that this user may send as user(_at_)ISP from the network
address they just received, then use internal SPF checking on their
outbound mail servers to block it sending as any other envelope?  If I
recall, SPF was designed to be this flexible, but I haven't been keeping
up on the macros to give you an example.  Meng, would this be possible?

---
Dustin D. Trammell
Vulnerability Remediation Alchemist
Citadel Security Software, Inc.
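
The per-user policy asked about above, sketched as an added example (not from the original post or the SPF draft): an `exists` mechanism built from the `%{ir}`, `%{l}` and `%{d}` macros, one DNS name added per address lease, and the outbound relay evaluating the policy against each envelope sender. The record layout, the `_lease` label, `isp.example` and the in-memory zone are assumptions.

```python
import ipaddress

# Assumed record for isp.example (constructed): one DNS name per active lease.
POLICY = "v=spf1 exists:%{ir}.%{l}._lease.%{d} -all"
LEASE_NAME = "%{ir}.%{l}._lease.%{d}"

def expand(macro_string, ip, sender):
    """Expand the SPF macros %{ir}, %{l} and %{d} (IPv4 only)."""
    local, _, domain = sender.rpartition("@")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    out = macro_string.replace("%{ir}", ".".join(reversed(octets)))
    return out.replace("%{l}", local).replace("%{d}", domain).lower()

class LeaseZone:
    """Stand-in for the dynamically updated zone: a set of existing names."""
    def __init__(self):
        self.names = set()

    def lease_granted(self, ip, user, domain):
        self.names.add(expand(LEASE_NAME, ip, f"{user}@{domain}"))

    def lease_released(self, ip, user, domain):
        self.names.discard(expand(LEASE_NAME, ip, f"{user}@{domain}"))

def check_outbound(zone, client_ip, mail_from, policy=POLICY):
    """Evaluate the policy for one MAIL FROM seen by the outbound relay."""
    if "@" not in mail_from:
        return "fail"  # this sketch rejects senders it cannot map to a user
    for term in policy.split()[1:]:
        if term.startswith("exists:"):
            if expand(term[len("exists:"):], client_ip, mail_from) in zone.names:
                return "pass"
        elif term == "-all":
            return "fail"
    return "neutral"

if __name__ == "__main__":
    zone = LeaseZone()
    zone.lease_granted("192.0.2.10", "alice", "isp.example")  # constructed lease
    for ip, sender in [("192.0.2.10", "alice@isp.example"),
                       ("192.0.2.10", "bob@isp.example"),
                       ("192.0.2.11", "alice@isp.example")]:
        print(ip, sender, check_outbound(zone, ip, sender))
```

Mail submitted under the lease holder's own address still passes; the check only rejects other envelope senders from that address.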

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/

