On Thu, Jan 29, 2004 at 12:37:28PM +0000, Wechsler wrote:
| MyDoom spoofs its sender addresses at least some of the time.
| It also sends through its own SMTP engine, rather than ISPs' servers.
|
| Both of these make it exactly the sort of virus against which SPF would
| be most effective.
|
| We can't knock them all out but we'd have slowed this one right down.

Overheard on RISKS:
http://catless.ncl.ac.uk/Risks/23.17.html

The volume of bounces and directs together makes clear that
MyDoom uses these made-up addresses both for From: and To: addresses.

It is worth noting that the vast majority of MyDoom traffic contains
spoofed From: and From_ (sender) information. Implementation of
something like Sender Permitted From (SPF) could have stopped most of
these in their tracks. MyDoom has effectively converted me into an SPF
evangelist - because if the history of worms has shown us anything, it's
that once a technique is shown to be useful to worms, it isn't RISK that
it will show up again - it is pretty much certain.

Anyone who argues that there are too many RISKs with something like SPF
will have to provide me with a good alternative.

Chris Smith Tue, 3 Feb 2004 02:12:49 -0500 (Eastern Standard Time)

-------
Sender Permitted From: http://spf.pobox.com/
Archives at http://archives.listbox.com/spf-discuss/current/
Latest draft at http://spf.pobox.com/draft-mengwong-spf-02.9.5.txt
Wiki: http://spfwiki.infinitepenguins.net/pmwiki.php/SenderPermittedFrom/
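
Added example, not part of the original message or of any SPF implementation: a receiver-side check showing why mail sent straight from an infected host with a spoofed envelope sender (From_) fails SPF, and why it does not when the spoofed domain publishes no record. The records, domains and addresses are constructed documentation values, and only the ip4, ip6 and all mechanisms are evaluated.

```python
import ipaddress

# Constructed SPF records (assumptions, not from the original message);
# domains and address ranges are reserved documentation values.
SPF_RECORDS = {
    "example.org": "v=spf1 ip4:192.0.2.0/28 ip4:198.51.100.25 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(client_ip, envelope_sender, records=SPF_RECORDS):
    """Evaluate ip4/ip6/all for the domain of the envelope sender (MAIL FROM)."""
    domain = envelope_sender.rsplit("@", 1)[-1].lower()
    record = records.get(domain)
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"  # domain publishes no policy, nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"  # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include and the rest need DNS lookups; skipped in this sketch
    return "neutral"  # record ended without a matching mechanism


# Constructed deliveries: (connecting IP, envelope sender)
DELIVERIES = [
    ("192.0.2.10", "alice@example.org"),    # domain's own outbound relay
    ("203.0.113.77", "alice@example.org"),  # infected host, spoofed sender
    ("198.51.100.99", "bob@example.net"),   # spoofed, domain uses ~all
    ("203.0.113.77", "carol@example.com"),  # spoofed, domain has no record
]

if __name__ == "__main__":
    for ip, sender in DELIVERIES:
        print(f"{ip:15} {sender:20} -> {check_spf(ip, sender)}")
```

The check keys on the envelope sender and the connecting IP, not on the From: header, so it only rejects spoofed mail for domains that actually publish a record ending in -all.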