I started noticing the worm spoofs this morning around 10AM. Doing some legwork seemed to reveal it as a Sobig variant, and about a half hour later the virus definition popped up in the AV scanner. Around the net, a lot of people are clarifying that this isn’t an “email worm” but a “Windows worm,” which in some sense is true. However, while the worm only propagates through infected W32 machines, the spoofings/spoofed bounces affect (and highlight the problems of) the entire email system, and highlight the need for some sort of authN/dsig system.

Perhaps signed headers would be a simple way of solving the problem. It’d require some extra key servers, but you could implement this on a per-server basis, or even at the user level (the MTA level would be better: it would save bandwidth and allow realms of trust), and it is completely backwards compatible…

(While perhaps resource intensive, it would certainly create a trusted path, and could be done completely voluntarily (i.e., deployed when the cost of sifting/sending bad emails outweighs the cost of decrypting the signatures of each message).)
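As an added illustration of the per-MTA signed-header idea sketched above (example code written for this page; it is not code from the post, and no real mail system uses this exact format), here is a toy sending-side signer and receiving-side verifier. Everything in it is assumed for the sake of the demo: the `X-Signature` header and its `d=/s=/h=/b=` tag layout, the fixed set of headers that get signed, a dict standing in for the key server, the policy that the `From` domain must equal the signing domain, and an RSA keypair built from two well-known Mersenne primes so that it runs with the Python standard library alone (Python 3.8+ for `pow(e, -1, phi)`). That keypair is trivially factorable and there is no signature padding, so it shows the verification flow, not a usable cipher. The sample messages are constructed; the "spoofed" cases are what a worm mailing from an infected box, using a harvested address, would produce against such a check, and the unsigned case shows the backwards-compatible path (legacy mail is still deliverable, just unverified).

```python
"""Toy signed-header check for an MTA, standard library only (Python 3.8+)."""
import hashlib
import re
from email.utils import parseaddr

# Toy RSA keypair built from two well-known Mersenne primes so the example
# needs no crypto library. Anyone can factor this modulus: illustration only.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
RSA_N = _P * _Q
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))

# Stand-in for the key server the post proposes: the receiving MTA looks up
# (domain, selector) and gets that domain's published verification key.
# Both entries reuse the same toy key; a real server would hold distinct keys.
KEY_SERVER = {
    ("example.com", "mta1"): (RSA_N, RSA_E),
    ("evil.example", "k1"): (RSA_N, RSA_E),
}

SIGNED_HEADERS = ["from", "to", "subject", "date"]  # assumed header set


def _canon(headers, names):
    """Canonical bytes over the chosen headers: lowercase names, whitespace
    runs collapsed, and the header list itself bound into the signed data
    so a verifier cannot be pointed at a different subset than was signed."""
    low = {k.lower(): v for k, v in headers.items()}
    lines = ["h=" + ":".join(names)]
    for name in names:
        value = re.sub(r"\s+", " ", low.get(name, "")).strip()
        lines.append(f"{name}:{value}")
    return "\n".join(lines).encode()


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_headers(headers, domain, selector, priv_d, n):
    """Sending-MTA side: return a copy of headers with an X-Signature added."""
    h = _digest(_canon(headers, SIGNED_HEADERS))
    sig = pow(h, priv_d, n)  # textbook RSA, no padding: toy only
    tag = f"v=1; d={domain}; s={selector}; h={':'.join(SIGNED_HEADERS)}; b={sig:x}"
    out = dict(headers)
    out["X-Signature"] = tag
    return out


def _parse_tag(tag):
    return dict(kv.strip().split("=", 1) for kv in tag.split(";") if "=" in kv)


def verify_headers(headers, key_server):
    """Receiving-MTA side. Returns 'unsigned', 'pass', or 'fail: <reason>'."""
    low = {k.lower(): v for k, v in headers.items()}
    tag = low.get("x-signature")
    if tag is None:
        return "unsigned"  # legacy mail: still deliverable, just unverified
    f = _parse_tag(tag)
    try:
        domain, selector = f["d"], f["s"]
        names, sig = f["h"].split(":"), int(f["b"], 16)
    except (KeyError, ValueError):
        return "fail: malformed signature"
    # Assumed policy: the claimed From domain must be the domain that signed.
    from_domain = parseaddr(low.get("from", ""))[1].rpartition("@")[2].lower()
    if from_domain != domain.lower():
        return "fail: From domain does not match signing domain"
    key = key_server.get((domain, selector))
    if key is None:
        return "fail: no public key for domain/selector"
    n, e = key
    if pow(sig, e, n) != _digest(_canon(headers, names)):
        return "fail: bad signature"
    return "pass"


# Constructed sample message (not real traffic).
LEGIT = {"From": "Alice <alice@example.com>", "To": "bob@example.net",
         "Subject": "Re: meeting notes", "Date": "Tue, 19 Aug 2003 10:02:13 -0400"}


def demo():
    """Run the cases the post worries about; returns {case: verdict}."""
    results = {}
    signed = sign_headers(LEGIT, "example.com", "mta1", RSA_D, RSA_N)
    results["legit"] = verify_headers(signed, KEY_SERVER)
    # Worm on an infected box reuses alice's address with no signature at all.
    results["spoofed_unsigned"] = verify_headers(LEGIT, KEY_SERVER)
    # Spoofer signs with a key the key server knows under another domain.
    rogue = sign_headers(LEGIT, "evil.example", "k1", RSA_D, RSA_N)
    results["spoofed_other_domain"] = verify_headers(rogue, KEY_SERVER)
    # Spoofer claims example.com under a selector it never published.
    rogue2 = sign_headers(LEGIT, "example.com", "rogue", RSA_D, RSA_N)
    results["spoofed_unknown_key"] = verify_headers(rogue2, KEY_SERVER)
    # Legitimately signed mail whose Subject was altered in transit.
    tampered = dict(signed)
    tampered["Subject"] = "Your details"
    results["tampered"] = verify_headers(tampered, KEY_SERVER)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:24s} {verdict}")
```

The cost argument in the post shows up directly in `verify_headers`: the expensive step (`pow(sig, e, n)`) only runs after the cheap checks (is there a signature, does the claimed domain match, is a key published), so a receiving MTA can reject most spoofed bounces before doing any public-key work, and can keep accepting unsigned mail while the scheme is rolled out voluntarily.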

todo: look up proposals for various systems/frameworks that can verify paths, senders, recipients, but still maintain some semblance of privacy or anonymity