-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of David
Sent: April 13, 2004 3:31 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: Re: [spf-discuss] first spf-enabled spam
that's what we were doing, but we relized that there is
people publishing spf records that allow a entire hackeable
dsl/cable zone to send mail from a given domain, regardless
of the real existence of a real mailer in such this computers.
And if said cable ISP allows only their own servers in the
SPF record,
then someone can hack those DSL/cable computers, and then
connect from
there to the ISP's SMTP server and still spoof the cable
ISP's domain.
well, it's suposed that the isp own servers require at least
smtp auth and by now i never seen any spam comming from a
hacked computer that used smtp auth.
No way to
avoid that unless the ISP requires SMTP AUTH (which is rare),
rare ? well, here in spain what is rare is that any isp does
not use smpt auth.
Perhaps you should come to North America, then. I've only heard of ONE ISP
requiring SMTP AUTH from its subscribers, and that ISP requires it only to
relay mail that doesn't have a from @theirdomain.com. It's a setup that was
put in after @Home died (so a brand new mail infrastructure less than three
years ago), and I think they tried requiring SMTP AUTH for a week or two and
had ALL kinds of trouble with older MUAs, so they gave up.
With the ISPs I've done business with (including commercial ISPs, small and
large, and educational institutions), the old "relay mail from your local
netblock" without authentication model is VERY much alive.
and even then,
a clever hacker could probably obtain the hacked person's
login info
somehow...
i think it's not possible for a virus to get the
username/password from the hacked computer.
It used not to be possible to get a virus from clicking on an email,
either...