RE: E-mail spoofing countermeasures (Was: Backdoor not recognized by Kaspersky)
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Thu, 04 Mar 2004 20:59:30 +1300
"Bill Royds" <broyds () rogers com> wrote:
> Using authenticated SMTP, this would still allow a different return
> address in headers since envelope from would be user who authenticated to
> SMTP server. But it would prevent spoofed email (although spam would still
> arrive, it could be tied to actual sender, allowing things like CAN-SPAM to
Wrong. It would, at best, identify the sending _machine_, not the
There is far too much prior art in the Windows malware armory to not be
aware of how easily an agent program on a "compromised" Windows box can
steal whatever configuration and authentication data it may need to
"properly" send mail "just like" the user's preferred MUA. Just
because, of late, spam and mass-mailing viruses have used randomized
From: and SMTP envelope FROM addresses does not mean they have to
continue to do so, nor that not doing so will necessarily be less
effective for them...
These are important considerations to not overlook despite the fact
that the SPF, etc pushers make a habit of ignoring such. Further,
several IRC bot-nets in tens-of-thousands of active bots size range
have already been found and there are probably several million such
compromised machines out there waiting for the fateful order to "wake
up" and answer the call of their "master".
SMTP "sender authentication" is a far less trivial problem to solve
than the SPF, Caller-ID, etc folk would have you believe (and, of
course, they don't like us pointing out that their preferred
"solutions" are already doomed to failure).
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
Full-Disclosure - We believe in it.
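The point argued above, that SPF and authenticated SMTP bind the envelope sender (the address the authenticating account or the checked domain is tied to) while the RFC 2822 From: header seen by the recipient can say anything, can be shown with a small offline check. The following is an added example written for this archive page, not code from either poster. It embeds two constructed messages and a constructed table of SPF records in place of DNS, implements only the ip4:/ip6:/all parts of SPF, and reports the SPF verdict for the envelope domain alongside whether the header From: domain differs from it.

```python
"""Added example: envelope-vs-header sender comparison plus a minimal,
offline SPF evaluation. Messages and SPF records below are constructed
for illustration; no network or DNS lookups are made."""
import ipaddress
from email import message_from_string
from email.utils import parseaddr

# Constructed SPF records keyed by domain. A real checker would fetch the
# TXT record for the envelope-sender domain from DNS instead.
SPF_RECORDS = {
    "example.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.com": "v=spf1 ip4:198.51.100.10 -all",
}

# Constructed message 1: envelope sender and header From: agree.
MATCHING = """Return-Path: <alice@example.net>
From: Alice <alice@example.net>
To: bob@example.org
Subject: hi

body
"""

# Constructed message 2: the envelope sender is the account that
# authenticated (or whose domain SPF will check), but the header From:
# names an unrelated domain, which neither mechanism inspects.
MISMATCHED = """Return-Path: <compromised-account@example.net>
From: "Accounts" <billing@example.com>
To: bob@example.org
Subject: invoice

body
"""

QUALIFIER_VERDICT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_result(domain, client_ip, records=SPF_RECORDS):
    """Evaluate a simplified SPF record: ip4:, ip6: and the 'all' terminator
    only (no include:, a, mx, redirect= or macros)."""
    record = records.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_VERDICT:
            qualifier, term = term[0], term[1:]
        verdict = QUALIFIER_VERDICT[qualifier]
        if term == "all":
            return verdict
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and ip in ipaddress.ip_network(arg, strict=False):
            return verdict
    # RFC 7208: a record with no matching mechanism and no 'all' is neutral.
    return "neutral"


def sender_domains(raw):
    """Return (envelope domain, header From: domain), both lowercased.
    Return-Path stands in for the SMTP MAIL FROM recorded by the MTA."""
    msg = message_from_string(raw)
    _, envelope = parseaddr(msg.get("Return-Path", ""))
    _, header = parseaddr(msg.get("From", ""))
    return envelope.rpartition("@")[2].lower(), header.rpartition("@")[2].lower()


def evaluate(raw, client_ip, records=SPF_RECORDS):
    """Combine the SPF verdict on the envelope domain with a header-alignment
    flag. SPF can pass while the header From: still points elsewhere."""
    env_dom, hdr_dom = sender_domains(raw)
    return {
        "envelope_domain": env_dom,
        "header_from_domain": hdr_dom,
        "spf": spf_result(env_dom, client_ip, records),
        "from_mismatch": env_dom != hdr_dom,
    }


if __name__ == "__main__":
    for name, raw in (("matching", MATCHING), ("mismatched", MISMATCHED)):
        print(name, evaluate(raw, "192.0.2.5"))
```

Run from an authorized address (192.0.2.5 in the constructed record), both messages get an SPF "pass" for example.net; only the alignment flag distinguishes the second one, which is the gap the message above describes. Checking header alignment is a reasonable local policy signal, but it does not address the other objection raised, that a compromised host can send with fully consistent, stolen sender data.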