[Mimedefang] Best method of dealing with automatic-propagation virus mails

Edward Wildgoose Edward.Wildgoose at FRMHedge.com
Mon Oct 28 10:29:00 EST 2002


I understand your point, and I was paraphrasing my argument slightly.

The point is that by dropping the connection it becomes the relay server's responsibility to bounce the message.  The whole point is once you have accepted it you have this difficult (morally that is) choice on whether to drop quietly or with warnings, etc, etc.

By rejecting the connection we are in the slightly morally hazardous position of being reasonably sure that the upstream ISP is likely to do something foolish, but at least it is their problem, not ours.

The point is that the world should change.  Annoyed users should write to big ISPs in their droves asking why ISP-A has basically just sent them a virus.  The man in the street can't see through all this to understand that it isn't really the ISP's fault, but the cheapest option for the ISP should be to stop relaying viruses in the first place.

If ISPs stop relaying high profile viruses then the whole virus landscape is likely to change (probably not go away, just evolve).  But it should be a win all round.  To be honest it is not as though virus scanning for the 5 most prevalent things around is hard!  A simple body check against a regexp should do it, no need for even a clamd scanner, let alone a paid-for virus engine and extra hardware. (I know this is a slight simplification of the truth).

The ultimate goal would be for the source ISP to stop viruses entering the SMTP system in the first place.  Once they start rejecting then it should become much harder to write a virus engine which sends stuff out by SMTP.  At the very least the SMTP engine will need to start doing MX lookups to deliver directly, and an ISP can log any IP doing a large number of MX lookups on their own DNS servers, etc.

Conclusion:
I think this would be a very useful first step, but I agree that some poor users will receive a virus bounce accidentally.  However, they were quite likely to receive a copy of the virus via the sender anyway, so I don't think that we are exposing anyone to anything new (remember that this user was as likely to be in the TO as the FROM line!)

-----Original Message-----
From: Martin Bene [mailto:martin.bene at icomedias.com]
Sent: 28 October 2002 14:27
To: mimedefang at lists.roaringpenguin.com
Subject: AW: [Mimedefang] Best method of dealing with automatic-propagation virus mails


Hi Edward,

> I really think that the only thing worth doing with Viruses 
> these days is to reject, ie DROP the SMTP connection before 
> accepting the message (if possible).  Otherwise accept the 
> message, then drop it into quarantine and ONLY notify the recipient.

At the mimedefang level, this would equate to action_reject, i.e. refuse
accepting the message with a permanent smtp error code.

I also thought this to be a great idea until I read the previous mail:
	* sender address is false
	* envelope sender address is false as well

If we're not talking to the original infected machine but to a relaying
mailserver (without virus scanner), bad things happen if we reject the mail:

the relaying server will return the message including the virus to the faked
from address, thus possibly infecting someone else (instead of the intended
recipient).

This means that the only safe thing to do is to actually accept the message. 

Depending on virus / type of virus, further actions are possible:
	automatic propagation: silent drop.
	infected "real" file: notify recipient and sender

even if we're talking to the original infected machine, an SMTP bounce
possibly won't do any good: if the virus uses its own SMTP implementation,
the user won't ever see the SMTP error messages, and the virus might go on to
another mailserver.

> Also, by dropping the SMTP level connection you force the 
> problem slowly up the tree and possibly eventually to the 
> sending machine itself (if ISP's start to do this).  This 
> should also hopefully make it easier for the user to spot the 
> virus problem in the first place!

As written above, I don't think this actually works: accepting on the smtp
level and silently dropping these mails seems to be the safest way of dealing
with them.

Bye, Martin

_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
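The policy both posters converge on (accept the message at SMTP level, silently discard self-propagating worms whose sender is forged, and quarantine other infected files while notifying only the recipient, never the envelope sender) as an added Python example. This is not code from the thread or from MIMEDefang itself; the signature table, the sample messages and every function name are constructed for illustration.

```python
"""Accept-then-decide handling for virus-carrying mail.

Illustrates the thread's policy: never reject at SMTP level (a relaying
server would bounce the virus to the forged From address), and never
notify the envelope sender, since it is forged for self-propagating worms.
"""
import re
from dataclasses import dataclass
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed signature table (hypothetical markers, not real virus signatures):
# name -> (byte regex over the decoded part body, self_propagating?)
SIGNATURES = {
    "example-worm": (re.compile(rb"EXAMPLE_WORM_MARKER_[0-9A-F]{4}"), True),
    "example-macro": (re.compile(rb"EXAMPLE_MACRO_MARKER"), False),
}


@dataclass
class Verdict:
    action: str            # "deliver", "discard" or "quarantine"
    notify_recipient: bool
    notify_sender: bool    # stays False for anything detected: the sender is untrusted
    reason: str


def scan_message(raw: bytes) -> Verdict:
    """Walk every leaf MIME part, decode it and match the constructed signatures."""
    msg = message_from_bytes(raw)
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        filename = (part.get_filename() or "(inline)").lower()
        for name, (pattern, self_propagating) in SIGNATURES.items():
            if pattern.search(payload):
                if self_propagating:
                    # Worm with forged headers: nobody useful to tell, drop silently.
                    return Verdict("discard", False, False,
                                   f"{name}: self-propagating, sender forged")
                # A "real" infected file: keep it for the admin, tell the recipient only.
                return Verdict("quarantine", True, False,
                               f"{name}: infected attachment {filename}")
    return Verdict("deliver", False, False, "clean")


def smtp_reply(verdict: Verdict) -> str:
    """The SMTP-level answer is 250 regardless of the verdict: the message is
    accepted so that no upstream relay generates a bounce carrying the virus."""
    return "250 2.0.0 Ok: queued"


def build_sample(attachment: bytes, filename: str) -> bytes:
    """Constructed multipart message with one attachment, for offline testing."""
    m = MIMEMultipart()
    m["From"] = "forged.sender@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = "constructed sample"
    m.attach(MIMEText("see attachment"))
    part = MIMEApplication(attachment, Name=filename)
    part["Content-Disposition"] = f'attachment; filename="{filename}"'
    m.attach(part)
    return m.as_bytes()


if __name__ == "__main__":
    for data, fname in [(b"MZ EXAMPLE_WORM_MARKER_BEEF", "readme.exe"),
                        (b"D0CF EXAMPLE_MACRO_MARKER", "report.doc"),
                        (b"plain text", "notes.txt")]:
        v = scan_message(build_sample(data, fname))
        print(fname, smtp_reply(v), v)
```

The decision is made after the message has been accepted, which is the point of the thread: the SMTP reply is the same in all three cases, and the branching happens in what is done with the accepted message.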