
Re: [spf-discuss] SPF enables fully automatic spam filter

2005-10-19 10:53:48
I've started receiving email from zombies that had forged "Header FROM:" addresses (which is what the users see) and some had used an "envelope MAIL FROM:" for a domain that was globally SPF PASS. I have also received some where the "envelope MAIL FROM:" was just a domain with no SPF record. This means the zombies are beginning to render SPF less useful. Greylisting solved most of these as the zombies don't queue and resend (yet).

Stuart D. Gathman wrote:
On Tue, 18 Oct 2005, Herb Martin wrote:


The obvious weak point of this system is zombies. Should any of the whitelisted senders contract a zombie, it would be possible for the zombie to crank out spam - and poison the Dspam dictionary in the process. So far, this is not a problem in practice because most zombies forge the sender (and hence don't pass SPF). I'm not sure what the next step is when zombie writers start using senders filched from the local machine that get SPF pass and are likely whitelisted.

Greylisting will stop the vast majority of them.


No zombies currently get through because they forge MAIL FROM and
only SPF pass gets whitelisted.  My concern is for future "improvements"
to zombie code - which could easily include a state machine to emulate
a mail retry queue as well as using a local SPF authorized MAIL FROM.
I'm sure spammers aren't just sitting on their laurels.


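The policy discussed in this thread, as an added example that is not from the original messages: greylisting on the (client IP, MAIL FROM, RCPT TO) triplet is applied before the SPF-pass whitelist, so a sender that never retries is deferred even when its envelope MAIL FROM gets SPF pass. The class and function names, the timing values and the sample addresses are assumptions, and the SPF result is passed in rather than computed.

```python
import time
from dataclasses import dataclass, field

@dataclass
class Greylist:
    min_delay: float = 300.0         # assumed: earliest retry that is accepted (s)
    retry_window: float = 4 * 3600   # assumed: a pending triplet expires after this (s)
    pending: dict = field(default_factory=dict)   # triplet -> time first seen
    passed: set = field(default_factory=set)      # triplets that retried correctly

    def check(self, client_ip, mail_from, rcpt_to, now=None):
        """Return 'defer' (answer 4xx) or 'accept' for one delivery attempt."""
        now = time.time() if now is None else now
        key = (client_ip, mail_from.lower(), rcpt_to.lower())
        if key in self.passed:
            return "accept"
        first = self.pending.get(key)
        if first is None or now - first > self.retry_window:
            self.pending[key] = now      # new or expired triplet: start the clock
            return "defer"
        if now - first < self.min_delay:
            return "defer"               # retried too quickly
        del self.pending[key]
        self.passed.add(key)
        return "accept"

def disposition(gl, whitelist, client_ip, mail_from, rcpt_to, spf_result, now=None):
    """Return 'defer', 'whitelist' (skip the content filter) or 'filter'."""
    # Greylisting runs first: SPF pass on MAIL FROM alone never skips the retry test.
    if gl.check(client_ip, mail_from, rcpt_to, now) == "defer":
        return "defer"
    # Only the envelope MAIL FROM is authenticated here, not the header From.
    if spf_result == "pass" and mail_from.lower() in whitelist:
        return "whitelist"
    return "filter"

if __name__ == "__main__":
    gl = Greylist()
    wl = {"alice@example.org"}       # constructed sample whitelist
    msg = ("192.0.2.10", "alice@example.org", "bob@example.net", "pass")
    for t in (0, 60, 600):           # first attempt, early retry, proper retry
        print(t, disposition(gl, wl, *msg, now=t))
```
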