spf-discuss

Re: My first valid spf rejection

2004-02-03 07:43:37
begin Tuesday 03 February 2004 15:25, Christophe Saout quote:
On Tue, 03.02.2004, Alain Knaff wrote at 15:11:
* MyDoom is currently forging my e-mail address, but unfortunately
none of these forgeries have been caught (i.e. none of the third party
ISPs that the forgeries were sent to implement SPF yet), and the only
way I became aware of them is the bounces.

When MyDoom is sending mail it tries to use the same domain as sender it
is trying to send mails to. The SPF checker kicks in a lot here.

In my case, the virus infected host was a P&T Luxembourg customer
(pt.lu). It was using a from: address in my domain (knaff.lu, which
has an exists: tracker, and a -all).
The recipients were brian(_at_)gepa(_dot_)org, brent(_at_)ci(_dot_)educ(_dot_)lu,
jim(_at_)saint-paul(_dot_)lu and mary(_at_)yahoogroups(_dot_)com

Some of them (mary(_at_)yahoogroups(_dot_)com, jum(_at_)saint-paul(_dot_)lu) were sent
through P&T's MTA, whereas others were sent direct to MX (but bounced
because recipient domain used a cascade of several MTA's)

So, in this case, sender and receiver domain were different, although,
oddly enough, close geographically (2 of the 4 recipients were
Luxembourgish addresses).

But I suspect that the reason for this is because the virus uses the
personal addressbook of the victim to get its targets.


I also got rejections from other domains but only very few. If there are
domains that use ~all or ?all like they should they don't get blocked
anyway. I don't track these at the moment.

I activated -all for my domain because my family are the only users and
I'd like to see how things work out. If someone rejects my mail because
it was sent over a forwarding mail service, it's my problem. :)


Same for me: I've got -all too (the knaff.lu domain is a domain only
used by my family and myself. My other domains (which have more users)
do have the more cautious "~all").

I've also got a tracker, but it didn't register anything.

Regards,

Alain
