spf-discuss
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: "worm spam" and SPF

2004-11-26 04:27:37
from [David Woodhouse] [Permanent Link] 
On Fri, 2004-11-26 at 11:13 +0000, Fridrik Skulason wrote:

* Too many domains have incorrectly configured mail filters that reply
  with an alert to the (forged) sender's address when they find a worm.
  That behaviour is just not acceptable - if fact, I urge everyone
  receiving a message telling them (incorrectly) that they sent out a
  worm to contact the domain sending out that alert and inform them
  that their mail filters are incorrectly configured.  My own standard
  reply follows....feel free to use that for inspiration


A good idea. Personally I used to word it more strongly. The people
sending these 'bounces' are _knowingly_ spamming an innocent third
party. That means I always used to Cc the abuse contact at their network
provider too. 

Thankfully, most of these do seem to be actually sending bounces (i.e.
MAIL FROM:<>) rather than messages with a reverse-path of their own, so
in fact I had hardly noticed the latest outbreak, because of course I
don't get bounces to mail I didn't send any more.



      ---- start of reply ----

      Your automated software just sent me the message below, where
      you are basically accusing me of sending you a virus.

      I must express my displeasure, and insist that you fix the
      problem.

      The virus in question forges the "From:" field.  The sender can
      be anyone, and even a cursory check of the envelope address
      should reveal that the mail originated elsewhere.


Lots of them also forge the reverse-path too. This statement isn't
universally true. They shouldn't be bouncing the mail at all. You also
don't mention the alternative solution -- which is to reject the mail at
SMTP time instead of accepting it in the first place. Accepting it and
then deleting it when you decide you don't like it is generally bad. It
makes the system unreliable.


      Incorrectly accusing people of spreading viruses is not only
      impolite - it could potentially be a legal problem - no, I am
      not threatening to sue you for defamation, but someone else might.

      My advice is to reconfigure your mail filter not to send alerts
      to the "From:" address.  If you do not, you should probably get
      legal advice on your policy.

      ---- end of reply ----



-- 
dwmw2
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  My notes from FTC Summit with statistics (was: Sendmail white paper), william(at)elan.net
Next by Date:  Re[2]: URGENT: Community Position on SenderID, Peter Snow
Previous by Thread:  "worm spam" and SPF, Fridrik Skulason
Next by Thread:  Re: "worm spam" and SPF, Alex van den Bogaerdt
Indexes:  [Date] [Thread] [Top] [All Lists]