...... Original Message .......
On Mon, 16 May 2005 22:39:19 +0200 Julian Mehnle <bulk(_at_)mehnle(_dot_)net>
wrote:
Stuart D. Gathman wrote:
We (and our customers) have been bombarded by a boatload of German spam.
One characteristic of this spam is that the (forged) MAIL FROM is always
a domain with an SPF record that returns NEUTRAL for the zombie's IP. It
is as if the zombie program screens potential forged MAIL FROMs to
ensure that they have an SPF record and won't get a FAIL.
Obviously this isn't true. I keep getting lots of misdirected bounces from
idiots who don't bother checking this German propaganda spam against my
SPF records, which only give "Pass" or "Fail" results.
But it's an interesting theory, as this may very well become a reality with
another virus/spam run soon.
I already reject NEUTRAL for commonly forged domains (e.g. aol.com), but
this new attack may lead to rejecting NEUTRAL results across the board.
Domains whose policy gives "Neutral" results (like those without any policy
at all) don't care enough about being abused. IOW, they are showing their
consent to be forged. In the grand scheme of things, that probably
shouldn't be reason enough to block them.
I think this ignores the many valid reasons for this:
1. Match mechanism for a shared-MTA that doesn't prevent cross-customer
forgery.
2. Domain is often forwarded via non-SRS forwarders to MTAs that don't
whitelist the forwarders.
3. Domain is often used to send from web services either not in
trusted-forwarder.org or to MTAs that don't whitelist the services.
4.....
snip.
Scott K
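The policy question in this thread (reject Fail, and whether to reject Neutral only for commonly forged domains or across the board) can be made concrete with a minimal SPF evaluator. This is an added illustration, not code from the list or from any SPF implementation; it handles only the ip4 and all mechanisms, uses constructed records under documentation domains instead of DNS lookups, and the commonly-forged list is a made-up example.

```python
import ipaddress

# Constructed SPF records keyed by MAIL FROM domain (no real DNS lookups).
RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 -all",      # strict: Pass or Fail only
    "example.net": "v=spf1 ip4:198.51.100.0/24 ?all",   # Neutral for everyone else
    "forged.example": "v=spf1 ip4:198.51.100.0/24 ?all",
    "nopolicy.example": None,                            # no SPF record at all
}

QUALIFIERS = {"+": "Pass", "-": "Fail", "~": "SoftFail", "?": "Neutral"}


def spf_check(record, ip):
    """Evaluate a minimal SPF record (ip4 and all mechanisms only) for one IP."""
    if record is None:
        return "None"                      # no policy published
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "None"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qual = "+"                         # default qualifier is Pass
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if term.lower() == "all":
            return QUALIFIERS[qual]
        if term.lower().startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qual]
    return "Neutral"                       # no mechanism matched and no 'all'


# Constructed list of domains for which Neutral is treated like Fail.
COMMONLY_FORGED = {"forged.example"}


def mta_decision(domain, ip, reject_all_neutral=False):
    """Return (action, spf_result) for a MAIL FROM domain and connecting IP.

    Fail is always rejected. Neutral is rejected only for domains on the
    commonly-forged list unless reject_all_neutral is set, which is the
    across-the-board policy discussed in the thread (and the one that breaks
    shared MTAs, non-SRS forwarders and web services sending on behalf of
    the domain).
    """
    result = spf_check(RECORDS.get(domain), ip)
    if result == "Fail":
        return "reject", result
    if result == "Neutral" and (reject_all_neutral or domain in COMMONLY_FORGED):
        return "reject", result
    return "accept", result
```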