[68982] in North American Network Operators' Group
Re: SPAM and Virus emails to NANOG
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Fri Mar 19 17:22:39 2004
To: Jared Mauch <jared@puck.nether.net>
Cc: George William Herbert <gherbert@retro.com>, greg@xwb.com,
nanog@merit.edu
In-Reply-To: Your message of "Fri, 19 Mar 2004 17:10:21 EST."
<20040319221021.GA65491@puck.nether.net>
From: Valdis.Kletnieks@vt.edu
Date: Fri, 19 Mar 2004 17:22:01 -0500
Errors-To: owner-nanog-outgoing@merit.edu
On Fri, 19 Mar 2004 17:10:21 EST, Jared Mauch said:
> These spoofed virii/worm/whatnot emails can be
> somewhat prevented in a few cases by the utilization of SPF
Note that this isn't a totally foolproof method. We have a large (50K+)
subscriber list that's flagged as "post by list manager only" - and one of the
address-scraping worms managed to get the list name into the To: and the
manager's name into the From:. Multiple times. Like 50+. (Overlooking the
multiple hundreds that got trapped because they managed to get the list in the
To: but address scraped a From: that wasn't allowed through).
Of course, locality-of-reference being what it is, the (un)lucky machine
happened to be actually at our site, so SPF wouldn't have done anything to stop
it. Remember that if foo.com is a large corporation (as opposed to an open
ISP), most address scrapers will get luckiest at getting 'foo.com' into both
the From: and To: headers if they manage to whack a machine that's actually a
legitimate foo.com box.
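The case described in the message above, as an added example that is not part of the original post: a minimal SPF evaluator (ip4/ip6/all mechanisms only, no DNS) showing that a forged manager address fails from an outside host but passes from an infected machine inside the domain's own address space. The SPF record, IP addresses, `LIST_MANAGER` and the `list_accepts` gate are constructed for illustration.

```python
import ipaddress

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed sample data: foo.com publishes its own address block in SPF.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 -all"
LIST_MANAGER = "manager@foo.com"   # hypothetical: the only allowed poster

def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed

def check_host(record, client_ip):
    """Evaluate ip4/ip6/all mechanisms left to right; first match wins."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, value in parse_spf(record):
        if name == "all":
            return RESULTS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return RESULTS[qualifier]
        # a, mx, include, etc. need DNS lookups and are skipped here
    return "neutral"

def list_accepts(client_ip, mail_from):
    """Hypothetical list gate: SPF must not fail and sender must be the manager.
    Assumes the worm forges the envelope sender to match the From: header."""
    spf = check_host(SPF_RECORD, client_ip)
    return spf != "fail" and mail_from == LIST_MANAGER, spf

if __name__ == "__main__":
    for label, ip in [("outside host", "203.0.113.77"),
                      ("infected foo.com host", "192.0.2.45")]:
        print(label, list_accepts(ip, LIST_MANAGER))
```

Because the second message passes both checks, a list restricted this way still needs a control that does not depend on the sender address alone, such as manual approval or a signed or password-protected posting path.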