[Mimedefang] Best method of dealing with automatic - propagationvirus mails

Les Mikesell les at futuresource.com
Tue Oct 29 08:53:01 EST 2002


From: "Edward Wildgoose" <Edward.Wildgoose at frmhedge.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Tuesday, October 29, 2002 3:31 AM
Subject: RE: [Mimedefang] Best method of dealing with automatic - propagationvirus mails


> If you kill the connection with a 5xx response then the sender should NOT
> keep retrying!!
> If they do - mail the admin and refuse to accept mail from this IP address!!

That is true, but you've just made the connecting machine responsible for
delivering a bounce as directly as if you did it yourself.

> I don't see your point about mail loops, but it is good thinking though.  In
> any case if a mail loop develops it will be the upstream ISP that has the
> problem, not us.

Mail doesn't have an up/down direction.  If people follow this recommendation
you will eventually try to deliver mail to someone with a different virus
scanner than yours that detects something you missed or has a false positive.

> Consider an example:
> V1 - virus infected sends message via ISP to "ME", I REJECT, ISP tries to
> Bounce to INNOCENT who has a virus scanner.  The Bounce is then bounced back
> to postmaster at ISP (I think?).  I think that postmaster at ISP will then eat
> the second bounce, but either way I don't think a mail loop will develop.

Now look at the reverse example where the next hop rejects a message you
try to send - and remember why you don't just bounce virus emails on your
own.

> Point is that upstream ISP now has 3 times as much mail and it is in their
> interest to do something about it.  Plus they will get complaints from
> innocent customers who report that postmaster at ISP has just sent them a
> virus...

More likely, the recipient won't know that they have just been infected and
their machine will quietly propagate the virus to hundreds of new destinations.
It is much better for the rest of the world if you accept and remove the virus,
especially with the current ones that use a random sender from other email that
you have received.

The one exception that might make sense is if you know that you are accepting
the virus message directly from the originating machine and you know the
machine won't attempt a bounce (i.e. it doesn't run a real mail transport).
I'm not sure you can detect this reliably from the lack of Received: headers,
but the IP address might work for LANs.

---
  Les Mikesell
     les at futuresource.com
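The policy argued in this message (accept the message and strip the virus by default; reject at SMTP time only when the connecting host is itself the originator on the local LAN, so no relay is left holding a bounce to a forged sender) can be written down as a small decision routine. What follows is an added example for this archive page, not code from the thread or from the MIMEDefang project: the LAN ranges, the sample messages, the `.exe`/`.scr` filename heuristic standing in for a real scanner verdict, and the function names `decide` and `strip_parts` are all assumptions made for the example. In a real deployment this logic would live in the Perl `mimedefang-filter`, where the same information is available as the relay address and the message headers.

```python
"""Illustrative accept-and-strip vs. reject-at-SMTP policy for a message
that a virus scanner has flagged.  Added example; not MIMEDefang's code.
"""
import ipaddress
from email import message_from_string
from email.message import Message
from email.mime.text import MIMEText

# Assumed local networks (constructed for the example).
LAN_RANGES = [ipaddress.ip_network("192.168.0.0/16"),
              ipaddress.ip_network("10.0.0.0/8")]

DELIVER = "deliver"             # clean message, pass through
REJECT = "reject_5xx"           # refuse during the SMTP session
STRIP = "strip_and_deliver"     # accept, replace infected parts, deliver


def received_hops(msg: Message) -> int:
    """Count Received: headers.  Assumption: our own MTA has already added
    one, so a message handed to us directly by its originator shows <= 1."""
    return len(msg.get_all("Received", []))


def is_direct_lan_origin(relay_ip: str, msg: Message) -> bool:
    """True when the connecting host is on our LAN and nothing relayed the
    message before it reached us (the only case where a 5xx cannot cause
    some intermediate MTA to bounce to a forged sender)."""
    ip = ipaddress.ip_address(relay_ip)
    on_lan = any(ip in net for net in LAN_RANGES)
    return on_lan and received_hops(msg) <= 1


def decide(relay_ip: str, raw_message: str, virus_found: bool) -> str:
    """Return the action for a scanned message."""
    if not virus_found:
        return DELIVER
    msg = message_from_string(raw_message)
    if is_direct_lan_origin(relay_ip, msg):
        return REJECT
    return STRIP


def looks_infected(part: Message) -> bool:
    """Stand-in for the scanner verdict (constructed heuristic)."""
    name = (part.get_filename() or "").lower()
    return name.endswith((".exe", ".scr"))


def strip_parts(msg: Message, is_infected=looks_infected) -> Message:
    """Replace each infected MIME part with a plain-text notice, the way a
    drop-with-warning action does, so the recipient learns what happened
    without anyone generating a bounce."""
    if not msg.is_multipart():
        return msg
    new_parts = []
    for part in msg.get_payload():
        if is_infected(part):
            notice = MIMEText(
                f"An attachment ({part.get_filename()}) was removed "
                "because it contained a virus.\n")
            new_parts.append(notice)
        else:
            new_parts.append(part)
    msg.set_payload(new_parts)
    return msg


# Constructed sample messages.  Hosts, addresses and dates are invented.
SAMPLE_DIRECT = (
    "Received: from pc42.lan ([192.168.1.42]) by mx.example.test;"
    " Tue, 29 Oct 2002 08:00:00 -0500\n"
    "From: someone@example.test\n"
    "To: you@example.test\n"
    "Subject: hi\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XX"\n'
    "\n"
    "--XX\n"
    "Content-Type: text/plain\n"
    "\n"
    "see attached\n"
    "--XX\n"
    'Content-Type: application/octet-stream; name="setup.exe"\n'
    'Content-Disposition: attachment; filename="setup.exe"\n'
    "Content-Transfer-Encoding: base64\n"
    "\n"
    "TVo=\n"
    "--XX--\n"
)

SAMPLE_RELAYED = (
    "Received: from relay.isp.example ([203.0.113.9]) by mx.example.test;"
    " Tue, 29 Oct 2002 08:01:00 -0500\n"
    "Received: from unknown ([10.0.0.5]) by relay.isp.example;"
    " Tue, 29 Oct 2002 08:00:30 -0500\n"
    + SAMPLE_DIRECT.split("\n", 2)[2]
)

if __name__ == "__main__":
    print(decide("192.168.1.42", SAMPLE_DIRECT, True))    # reject_5xx
    print(decide("203.0.113.9", SAMPLE_RELAYED, True))    # strip_and_deliver
    cleaned = strip_parts(message_from_string(SAMPLE_DIRECT))
    print(cleaned.get_payload()[1].get_payload())
```

The relayed sample shows why the IP check alone is not enough: a LAN address deep in the Received: chain still means some other MTA handled the message, so a 5xx from us would land on that relay, and the safe choice is to accept and strip.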




