[Asrg] "worm spam" and SPF
Fridrik Skulason <frisk@f-prot.com> Fri, 26 November 2004 15:38 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA19455 for <asrg-web-archive@ietf.org>; Fri, 26 Nov 2004 10:38:52 -0500 (EST)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CXiFl-0003zb-GH for asrg-web-archive@ietf.org; Fri, 26 Nov 2004 10:43:21 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CXi44-0007It-7m; Fri, 26 Nov 2004 10:31:16 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CXhnR-0005C2-FN for asrg@megatron.ietf.org; Fri, 26 Nov 2004 10:14:05 -0500
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id GAA27985 for <asrg@ietf.org>; Fri, 26 Nov 2004 06:10:44 -0500 (EST)
Received: from guttormur.frisk-software.com ([213.220.100.9]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CXe4F-0005uK-La for asrg@ietf.org; Fri, 26 Nov 2004 06:15:12 -0500
Received: by guttormur.frisk-software.com (Postfix, from userid 517) id 7948C3816A; Fri, 26 Nov 2004 11:10:00 +0000 (GMT)
Received: from pc28.frisk-software.com. (pc28.frisk-software.com [172.16.5.2]) by guttormur.frisk-software.com (Postfix) with ESMTP id 296B4381BF for <asrg@ietf.org>; Fri, 26 Nov 2004 11:10:00 +0000 (GMT)
Received: by pc28.frisk-software.com. (8.11.6/client-1.3) id iAQBA0F19457; Fri, 26 Nov 2004 11:10:00 GMT
Date: Fri, 26 Nov 2004 11:10:00 +0000
From: Fridrik Skulason <frisk@f-prot.com>
To: asrg@ietf.org
Message-ID: <20041126111000.GU31887@f-prot.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
User-Agent: Mutt/1.4.2i
X-Spam-Score: 0.0 (/)
X-Scan-Signature: c3a18ef96977fc9bcc21a621cbf1174b
Subject: [Asrg] "worm spam" and SPF
X-BeenThere: asrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Anti-Spam Research Group - IRTF <asrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/asrg>
List-Post: <mailto:asrg@ietf.org>
List-Help: <mailto:asrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/asrg>, <mailto:asrg-request@ietf.org?subject=subscribe>
Sender: asrg-bounces@ietf.org
Errors-To: asrg-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 32b73d73e8047ed17386f9799119ce43
My own definition of "spam" is pretty broad, not just UCE, but pretty much any unwanted crap in my mailbox. In particular that includes worms as well as worm-generated bounces and other mail directly or indirectly created as a result of computer worm activity.

As everyone probably knows, there is a pretty large outbreak going on right now. According to our mail filters at http://aves.f-prot.com, 10.56% of all filtered E-mail contains W32/Sober.J@mm. In addition, there is a significant number of bounces as well. According to my definition that is "spam" - and even those who prefer a more narrow definition should at least agree that this is unsolicited and unwanted.

I have said before that universal adoption of SPF would kill off the current generation of worms (and that includes Sober.J) - however, there are a few points worth noting.

* We (f-prot.com) published an SPF record, with -all. I am not going to discuss the possible problems with that policy, but we did evaluate the advantages and disadvantages. Hopefully someone has rejected some worms based on that policy - however, we are getting plenty of "bounces" from domains that obviously have not implemented SPF checking.

* Some of the domains that send us those bounces have published SPF records, which indicates they are aware of SPF, but for one reason or another they have decided not to implement SPF checking, so they continue to cause problems for everyone else with those bounces.

* In fact, it is irrelevant how many domains publish SPF records. Even if every single domain had a record with "-all", it would not help one bit with the bounces. The reason is of course that what really matters is the number of domains that actually check SPF records and reject and drop mails that fail.

* Even worse are the domains that do not bounce the message, but analyze it and reply with a message like "MDaemon Warning - virus found". Sending such messages is completely unacceptable behaviour.

Most "current generation" worms forge the sender's address, and a mail filter that replies to the "From:" line with a warning of this kind is worse than useless - it is a part of the problem, not a part of the solution, as it is generating spam (under my own broad definition of "spam", as mentioned earlier).

So, the bottom line regarding worm-spam and SPF is:

* Publishing SPF records may reduce the number of worm bounce messages, but that depends on the number of other domains checking the records.

* Doing SPF checking will block the vast majority of the worms, but it will not help with the bounces or the filter alerts.

* Too many domains have incorrectly configured mail filters that reply with an alert to the (forged) sender's address when they find a worm. That behaviour is just not acceptable - in fact, I urge everyone receiving a message telling them (incorrectly) that they sent out a worm to contact the domain sending out that alert and inform them that their mail filters are incorrectly configured.

My own standard reply follows... feel free to use that for inspiration.

---- start of reply ----

Your automated software just sent me the message below, where you are basically accusing me of sending you a virus. I must express my displeasure, and insist that you fix the problem.

The virus in question forges the "From:" field. The sender can be anyone, and even a cursory check of the envelope address should reveal that the mail originated elsewhere.

Incorrectly accusing people of spreading viruses is not only impolite - it could potentially be a legal problem - no, I am not threatening to sue you for defamation, but someone else might.

My advice is to reconfigure your mail filter not to send alerts to the "From:" address. If you do not, you should probably get legal advice on your policy.

---- end of reply ----

-- 
Fridrik Skulason
Frisk Software International
phone: +354-540-7400

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
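The SPF check and the receiver-policy comparison argued about in the message above, as an added example that is not part of the original post or of any F-Prot product. It assumes a constructed DNS zone held in SPF_RECORDS (no live lookups), IPs from the documentation ranges, and a made-up forged address; only the ip4, ip6 and all mechanisms are implemented, so any record needing DNS (a, mx, include) evaluates to permerror. The worm copies forge the same address in both the envelope MAIL FROM (which SPF evaluates) and the From: header (which the "virus found" auto-alert replies to), so the simulation shows why a published -all record stops nothing by itself and why backscatter depends entirely on the receiving domain's behaviour.

```python
"""Minimal SPF evaluator plus a simulation of how a receiving domain's
policy (check SPF or not; alert the From: address or not) turns a
forged-sender worm into backscatter.  Added example; all DNS data,
IPs and addresses below are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for DNS TXT lookups (assumption: no live DNS is queried).
SPF_RECORDS = {
    "f-prot.com": "v=spf1 ip4:213.220.100.9 -all",   # hard fail for any other host
    "example.net": "v=spf1 ip4:192.0.2.0/24 ~all",   # soft fail
    "legacy.example": "v=spf1 mx -all",              # needs DNS: unsupported here
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(domain, client_ip):
    """Evaluate the SPF record for `domain` against the connecting IP.
    Returns one of: none, pass, fail, softfail, neutral, permerror."""
    record = SPF_RECORDS.get(domain.lower())
    if record is None:
        return "none"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "permerror"
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"                     # mechanisms default to "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                # version mismatch (v4 address vs v6 network) simply does not match
                if ip in ipaddress.ip_network(arg, strict=False):
                    return QUALIFIERS[qualifier]
            except ValueError:
                return "permerror"
            continue
        return "permerror"                  # a, mx, include, ...: not supported offline
    return "neutral"                        # record ended without a match


@dataclass
class Message:
    client_ip: str     # IP of the SMTP client (the infected machine)
    mail_from: str     # envelope sender (MAIL FROM); SPF checks its domain
    header_from: str   # From: header, which the worm forges
    infected: bool


def receive(msg, check_spf, alert_on_virus):
    """Model one receiving domain.  Returns (outcome, backscatter_recipient).
    Rejecting during the SMTP session creates no bounce; accepting and then
    'warning' the From: address mails whoever the worm chose to impersonate."""
    if check_spf:
        domain = msg.mail_from.rpartition("@")[2]
        if evaluate_spf(domain, msg.client_ip) == "fail":
            return ("550 rejected at SMTP time", None)
    if msg.infected:
        if alert_on_virus:
            return ("accepted, virus alert sent", msg.header_from)
        return ("accepted, virus discarded", None)
    return ("delivered", None)


def backscatter_to(domain, messages, receivers):
    """Count alerts that land on `domain` (the forged one) for a list of
    (check_spf, alert_on_virus) receiver policies."""
    hits = 0
    for check_spf, alert_on_virus in receivers:
        for msg in messages:
            _, victim = receive(msg, check_spf, alert_on_virus)
            if victim is not None and victim.rpartition("@")[2] == domain:
                hits += 1
    return hits


# Constructed worm traffic: an infected home PC (198.51.100.77) sends copies
# forging an f-prot.com address in both the envelope and the From: header.
WORM_COPIES = [
    Message("198.51.100.77", "user@f-prot.com", "user@f-prot.com", True)
    for _ in range(10)
]

# Receiver policies: checks SPF; ignores SPF but discards silently;
# ignores SPF and alerts the forged sender.
RECEIVERS = [(True, True), (False, False), (False, True)]

if __name__ == "__main__":
    print("legit host:", evaluate_spf("f-prot.com", "213.220.100.9"))
    print("worm host:", evaluate_spf("f-prot.com", "198.51.100.77"))
    print("backscatter to f-prot.com:", backscatter_to("f-prot.com", WORM_COPIES, RECEIVERS))
```

Only the receiver that rejects on SPF fail at SMTP time produces nothing for the forged domain; the silent-discard receiver also produces nothing, and every copy accepted by the alerting receiver becomes one message to the impersonated address. Adding more domains to SPF_RECORDS changes none of those counts, which is the point made in the message above.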
- [Asrg] "worm spam" and SPF Fridrik Skulason
- Re: [Asrg] "worm spam" and SPF Gadi Evron
- RE: [Asrg] "worm spam" and SPF Vipul Ved Prakash
- Re: [Asrg] "worm spam" and SPF Bill Cole
- Re: [Asrg] "worm spam" and SPF Seth Breidbart
- Re: [Asrg] "worm spam" and SPF Gadi Evron
- Re: [Asrg] "worm spam" and SPF Seth Breidbart
- RE: [Asrg] "worm spam" and SPF Vipul Ved Prakash
- Re: [Asrg] "worm spam" and SPF Gadi Evron
- Re: [Asrg] "worm spam" and SPF Gadi Evron
- [Asrg] Re: "worm spam" and SPF Frank Ellermann
- Re: [Asrg] "worm spam" and SPF Peter J. Holzer
- Re: [Asrg] "worm spam" and SPF Daniel Feenberg
- Re: [Asrg] "worm spam" and SPF Gadi Evron
- RE: [Asrg] "worm spam" and SPF Bruce Brown
- [Asrg] Re: "worm spam" and SPF Frank Ellermann
- Re: [Asrg] Re: "worm spam" and SPF Peter J. Holzer
- Re: [Asrg] "worm spam" and SPF Bill Cole
- Re: [Asrg] "worm spam" and SPF gep2
- RE: [Asrg] "worm spam" and SPF gep2
- [Asrg] Re: "worm spam" and SPF Frank Ellermann
- Re: [Asrg] "worm spam" and SPF der Mouse
- Re: [Asrg] "worm spam" and SPF Daniel Feenberg
- Re: [Asrg] "worm spam" and SPF Bill Cole
- [Asrg] Re: "worm spam" and SPF Frank Ellermann
- [Asrg] Re: "worm spam" and SPF gep2
- Re: [Asrg] Re: "worm spam" and SPF der Mouse
- Re: [Asrg] Re: "worm spam" and SPF der Mouse
- Re: [Asrg] "worm spam" and SPF gep2
- [Asrg] Re: "worm spam" and SPF Frank Ellermann
- [Asrg] Re: "worm spam" and SPF Frank Ellermann
- [Asrg] Re: "worm spam" and SPF gep2
- Re: [Asrg] Re: "worm spam" and SPF der Mouse
- Re: [Asrg] Re: "worm spam" and SPF aseem_jakhar
- Re: [Asrg] Re: "worm spam" and SPF Peter J. Holzer
- Re: [Asrg] Re: "worm spam" and SPF gep2
- Re: [Asrg] Re: "worm spam" and SPF Gadi Evron
- Re: [Asrg] "worm spam" and SPF Florian Weimer
- Re: [Asrg] Re: "worm spam" and SPF gep2
- Re: [Asrg] Re: "worm spam" and SPF Gadi Evron
- Re: [Asrg] Re: "worm spam" and SPF gep2
- Re: [Asrg] Re: "worm spam" and SPF Laird Breyer
- Re: [Asrg] Re: "worm spam" and SPF Bill Cole
- Re: [Asrg] Re: "worm spam" and SPF aseem_jakhar
- Re: [Asrg] Re: "worm spam" and SPF aseem_jakhar
- Re: [Asrg] Re: "worm spam" and SPF Matthew Elvey
- [Asrg] Disaster looming: SPF Matthew Elvey
- Re: [Asrg] "worm spam" and SPF Matthew Elvey
- Re: [Asrg] Re: "worm spam" and SPF gep2
- Re: [Asrg] Re: "worm spam" and SPF Peter J. Holzer
- Re: [Asrg] Re: "worm spam" and SPF gep2
- [Asrg] Re: Disaster looming: SPF Frank Ellermann
- Re: [Asrg] Re: "worm spam" and SPF Laird Breyer
- Re: [Asrg] Re: "worm spam" and SPF gep2
- Re: [Asrg] Re: "worm spam" and SPF gep2
- Re: [Asrg] Re: Disaster looming: SPF Barry Shein
- Re: [Asrg] Re: Disaster looming: SPF Eric S. Raymond
- Re: [Asrg] Re: "worm spam" and SPF Laird Breyer
- [Asrg] Re: Disaster looming: SPF Stephane Bortzmeyer
- Re: [Asrg] Re: "worm spam" and SPF Matthew Elvey
- Re: [Asrg] Re: Disaster looming: SPF Barry Shein
- Re: [Asrg] Re: "worm spam" and SPF gep2
- Re: [Asrg] Re: "worm spam" and SPF gep2
- Re: [Asrg] Re: "worm spam" and SPF Laird Breyer
- Re: [Asrg] Re: Disaster looming: SPF Matthew Elvey
- [Asrg] Re: Disaster looming: SPF Frank Ellermann
- Re: [Asrg] Re: Disaster looming: SPF Devdas Bhagat
- Re: [Asrg] Re: "worm spam" and SPF gep2
- [Asrg] Re: Disaster looming: SPF Frank Ellermann
- Re: [Asrg] Re: "worm spam" and SPF Laird Breyer
- Re: [Asrg] Re: Disaster looming: SPF Devdas Bhagat
- Re: [Asrg] Re: Disaster looming: SPF Peter J. Holzer
- [Asrg] Re: Disaster looming: SPF Frank Ellermann