[clug] Interesting MyDoom bounce

Peter Barker pbarker at barker.dropbear.id.au
Fri Jan 30 23:28:41 GMT 2004


On Fri, 30 Jan 2004, Tim Potter wrote:

> Unfortunately being technically correct in this situation just makes
> the problem worse.  As Martin said there is no situation where an error
> given back to the user gives any useful information and most (all?)
> mailers will just pass the bounce back to the hapless forgee.

I don't think anybody has mentioned Sender Permitted From and related
protocols.

The majority of forged addresses on MyDoom messages I saw were from AOL -
and they support SPF.

--
pbarker at milligan:~$ host -t txt aol.com
aol.com text "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24
ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24
ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24
ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
pbarker at milligan:~$
--

Will probably also catch some spam.

I haven't looked at these dns-based protocols in depth yet.

I'd like to see one where you could ask "can <thisip> IP address send mail
from <thisemailaddress> IP address" where <this> is who is currently
connected to your MTA and <thisemailaddress> is what's mentioned in the
envelope. That way ISP's could allow dial-up users to send from their own
IP address, and roving users could not only do the relay-after-popping
trick but also send-mail-from-here-after-popping. Naturally this
information changes quickly (relative to the SPF information), so DNS is
probably not a good distribution mechanism. Though DNS could supply
information about how to go about making that request.

I think we'll be honouring SPF in the near future for our stuff. If it
blocks the forged-from-aol (which is being sent from not-in-aol) it is
probably worth it just for that. We pay for inbound traffic.

Now why is this relevant? There seem to be two camps here - the people who
want to strictly follow protocols and those who want to take a more
practical approach to email. IOW, those that would determine a message is
a virus and 550 (or similar) and those that would 250 and then drop the
virus on the floor (so that any intermediate relay will not send a
bounce).

I should probably cop to being in the "practical" camp more than the
"strictly following protocol" camp. This might be because I've been
working around browser rendering bugs for the last <too many> years.

I'm curious to know what the "practical" people think of schemes like SPF.
If I can 550 at the "MAIL FROM" step on the basis that e.g. AOL is telling
me that the message is completely bogus, then a bounce may be sent by the
intermediate relay. We pay by the byte to receive this stuff. If we 550 in
the headers, we don't get that traffic and some poor soul in charge of a
forged-from-address gets a bogus bounce. Do I try to explain to my boss
that we have to accept-and-drop that virus email for the good of the 'net
at large?

> Tim.

Yours,
-- 
Peter Barker                          |   N    _--_|\ /---- Barham, Vic
Programmer,Sysadmin,Geek              | W + E /     /\
pbarker at barker.dropbear.id.au         |   S   \_,--?_*<-- Canberra
You need a bigger hammer.             |             v    [35S, 149E]
"They'll need a whole new Orwellian pseudo-crime-name for that... I
 suggest "digital molestation of kittens". -  Jeremi (14640) from Slashdot
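The post quotes AOL's SPF record and asks whether a receiving MTA could reject at `MAIL FROM` on the strength of it. The following is an added example (not code from the post or from any project mentioned in it) that parses a `v=spf1` record of the kind shown and evaluates a connecting IP against its `ip4`, `ip6`, `ptr` and `all` mechanisms. The record text is the one quoted above, used here only as constructed sample input; the `ptr_lookup` callable is a hypothetical stand-in for a validated reverse-then-forward DNS lookup, so the example runs offline. `include`, `a`, `mx` and modifiers such as `redirect=` are not implemented. Note that the quoted record ends in `?all`, so a host outside the listed ranges evaluates to `neutral` rather than `fail`.

```python
import ipaddress

# Constructed sample input: the aol.com SPF record quoted in the post (2004 data).
AOL_SPF_2004 = (
    "v=spf1 ip4:152.163.225.0/24 ip4:205.188.139.0/24 "
    "ip4:205.188.144.0/24 ip4:205.188.156.0/24 ip4:205.188.157.0/24 "
    "ip4:205.188.159.0/24 ip4:64.12.136.0/24 ip4:64.12.137.0/24 "
    "ip4:64.12.138.0/24 ptr:mx.aol.com ?all"
)

# SPF qualifier prefixes and the result each one yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split a v=spf1 record into (qualifier, mechanism, argument) triples.

    Modifiers of the form name=value (redirect=, exp=) are skipped, since
    this evaluator does not follow them.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not a v=spf1 record")
    parsed = []
    for term in terms[1:]:
        qual = "+"  # an unprefixed mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        if "=" in term and ":" not in term.split("=", 1)[0]:
            continue  # modifier, not a mechanism
        mech, _, arg = term.partition(":")
        parsed.append((qual, mech.lower(), arg))
    return parsed


def check_host(client_ip, record, ptr_lookup=None):
    """Evaluate client_ip against record and return the SPF result string.

    ptr_lookup is a hypothetical callable(ip) -> list of host names that a
    real implementation would obtain by reverse lookup confirmed with a
    forward lookup. When it is None, ptr mechanisms never match.
    Mechanisms are tested left to right; the first match decides, and a
    record with no matching mechanism yields 'neutral'.
    """
    ip = ipaddress.ip_address(client_ip)
    for qual, mech, arg in parse_spf(record):
        matched = False
        if mech in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            matched = ip.version == net.version and ip in net
        elif mech == "ptr":
            names = ptr_lookup(client_ip) if ptr_lookup else []
            # Match if any validated name is the argument or a subdomain of it.
            matched = any(n == arg or n.endswith("." + arg) for n in names)
        elif mech == "all":
            matched = True
        # include, a, mx, exists are not handled and simply never match here.
        if matched:
            return QUALIFIERS[qual]
    return "neutral"


if __name__ == "__main__":
    # 192.0.2.0/24 is documentation address space; constructed, not real senders.
    for addr in ("152.163.225.10", "192.0.2.5"):
        print(addr, "->", check_host(addr, AOL_SPF_2004))
```

Run against the quoted record, an address inside `152.163.225.0/24` returns `pass`, while an address outside every listed range returns `neutral` because of the trailing `?all`; only a record ending in `-all` would give a `fail` that a receiver could act on at `MAIL FROM`.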
