[Mimedefang] Best method of dealing with automatic-propagation virus mails

Edward Wildgoose Edward.Wildgoose at FRMHedge.com
Tue Oct 29 10:22:01 EST 2002


Hi Les,

I don't want to go overboard on this, but I think your argument is flawed.

I hope that I'm not missing your point, but here is what I think you are saying and why I think you are wrong.  Please bear in mind that throughout this my core point is that we would like big ISPs to do at least a tiny basic scanning service to remove even the top 3 viruses in the wild and block them.

1) You make the connecting machine responsible for the bounce, so nothing is different from you bouncing it yourself.

I disagree because the chain of SMTP servers is finite.  The point is that you are probably number 2 in the chain, in which case you bounce to "big ISP", who should have stopped them in the first place, or you are number one in which case you are killing the raw SMTP connection from the virus.

2) Bouncing mail to an incorrect address infects someone new.

Well perhaps, but remember that the typical virus has the whole address book to hand and emails TO every address, substituting a random address as the FROM.  So if the FROM clause was random then everyone would be on two emails, once as the recipient and once as the FROM.

Now, on the scale of getting people suspicious, I have observed a couple of people who got the latest virus and didn't notice, but when they started getting the bounce messages (incorrectly), saying the message was refused because there was a virus, they got suspicious and bought a virus scanner.

So I claim that a bounce message at least gets people's attention.

3) We miss a virus and the next MX spots it and bounces it...

So what, it's just a bounce.  The recipient receives it, blames us (incorrectly) and we decide that we better get a better virus scanner because it's cheaper than dealing with the complaints.  The world becomes a better place.

I believe that most MTAs drop a bounce which has bounced.  No mail loops should develop.


I really don't see that it is any more complicated than this.  I personally would love to just accept the virus and drop it quietly, but this is unethical (see other email).  You should NEVER quietly discard email and not tell someone.  See my "Big CEO" example for why.  So the next best thing would be for us all to just reject connections that we don't like, and if enough people do it then eventually we are rejecting the connection at source (this has got to be a clue to the poor infected soul if they can't click send/recv without getting an error message from their ISP which says "Sorry you are infected with a virus you may not send email..."), and the stuff never gets out in the first place.

The great thing about the reject idea is that those who don't do it bear a greater email burden and so the incentive is to join the gang and install a virus scanner.  This is the whole point: let's get ISPs to scan email for viruses (and spam also would be nice...)

Ed W

-----Original Message-----
From: Les Mikesell [mailto:les at futuresource.com]
Sent: 29 October 2002 13:53
To: mimedefang at lists.roaringpenguin.com
Subject: Re: [Mimedefang] Best method of dealing with automatic-propagation virus mails


From: "Edward Wildgoose" <Edward.Wildgoose at frmhedge.com>
To: <mimedefang at lists.roaringpenguin.com>
Sent: Tuesday, October 29, 2002 3:31 AM
Subject: RE: [Mimedefang] Best method of dealing with automatic-propagation virus mails


> If you kill the connection with a 5xx response then the sender should NOT keep retrying!!
> If they do - mail the admin and refuse to accept mail from this IP address!!

That is true, but you've just made the connecting machine responsible for
delivering a bounce as directly as if you did it yourself.

> I don't see your point about mail loops, but it is good thinking though.  In any
> case if a mail loop develops it will be the upstream ISP that has the problem not us.

Mail doesn't have an up/down direction.  If people follow this recommendation
you will eventually try to deliver mail to someone with a different virus scanner
than yours that detects something you missed or has a false positive.

> Consider an example:
> V1 - virus infected sends message via ISP to "ME", I REJECT, ISP tries to Bounce
> to INNOCENT who has a virus scanner.  The Bounce is then bounced back to
> postmaster at ISP (I think?).  I think that postmaster at ISP will then eat the second
> bounce, but either way I don't think a mail loop will develop.

Now look at the reverse example where the next hop rejects a message you
try to send - and remember why you don't just bounce virus emails on your
own.

> Point is that upstream ISP now has 3 times as much mail and it is in their interest to do
> something about it.  Plus they will get complaints from innocent customers who report
> that postmaster at ISP has just sent them a virus...

More likely, the recipient won't know that they have just been infected and their
machine will quietly propagate the virus to hundreds of new destinations.  It
is much better for the rest of the world if you accept and remove the virus, especially
with the current ones that use a random sender from other email that you have received.

The one exception that might make sense is if you know that you are accepting
the virus message directly from the originating machine and you know the
machine won't attempt a bounce (i.e. it doesn't run a real mail transport).  I'm
not sure you can detect this reliably from the lack of Received: headers but
the IP address might work for LANs.

---
  Les Mikesell
     les at futuresource.com
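The two positions in this thread (reject with a 5xx so the sending side carries the cost, versus accept-and-remove so no relay turns the rejection into a bounce to a forged sender) come together in Les's closing exception: reject only when the connection is coming straight from the originating machine. The following is an added example, written for this page and not code from either poster or from MIMEDefang itself, that models that decision as a small SMTP-time policy. It assumes the filter is handed the connecting peer's IP address and the raw message as received (before the local MTA stamps its own Received: header), and that a separate scanner has already produced a virus verdict; the LAN ranges and the two sample messages are constructed for the example. As Les notes, counting Received: headers is only a heuristic, so the code treats the LAN check as the stronger signal and requires both.

```python
import ipaddress
from email import message_from_string
from email.message import Message
from typing import Optional, Tuple

# Assumed local networks for this example; a real site would use its own.
LAN_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample: handed to us straight from a workstation on our LAN.
# No MTA has relayed it yet, so it carries no Received: header of its own.
LAN_SAMPLE = """From: someone@example.com
To: victim@example.com
Subject: fwd

body
"""

# Constructed sample: the same payload after passing through two ISP relays.
RELAYED_SAMPLE = """Received: from mx1.isp.example (mx1.isp.example [203.0.113.7])
\tby mx2.isp.example with ESMTP; Tue, 29 Oct 2002 10:00:00 -0500
Received: from dialup-42.isp.example (dialup-42.isp.example [198.51.100.42])
\tby mx1.isp.example with SMTP; Tue, 29 Oct 2002 09:59:30 -0500
From: someone@example.com
To: victim@example.com
Subject: fwd

body
"""


def parse(raw: str) -> Message:
    """Parse the message as received, including folded headers."""
    return message_from_string(raw)


def prior_hops(msg: Message) -> int:
    """Number of Received: headers stamped by MTAs before us."""
    return len(msg.get_all("Received", []))


def on_local_network(relay_ip: str) -> bool:
    """True when the connecting peer is inside one of our LAN ranges."""
    ip = ipaddress.ip_address(relay_ip)
    return any(ip in net for net in LAN_NETWORKS)


def came_directly_from_originator(relay_ip: str, msg: Message) -> bool:
    """Les's exception: treat the connection as coming straight from the
    infected machine only when the peer is on our LAN *and* nothing relayed
    the message before us. Either signal alone is not reliable enough."""
    return on_local_network(relay_ip) and prior_hops(msg) == 0


def decide(relay_ip: str, raw: str, virus_found: bool) -> Tuple[str, Optional[str]]:
    """Return (action, detail) for one SMTP transaction.

    virus_found is the scanner's verdict; scanning itself is outside this example.
    """
    if not virus_found:
        return ("accept", None)
    msg = parse(raw)
    if came_directly_from_originator(relay_ip, msg):
        # Nobody upstream will turn this into a bounce: the 5xx lands on the
        # sending machine itself and the message never leaves the LAN.
        return ("reject", "550 5.7.1 Message rejected: it contains a virus")
    # Relayed mail: a 5xx would make the relay bounce to a (likely forged)
    # sender, so accept it, quarantine it, and tell the local postmaster.
    return ("quarantine", "accepted and quarantined; local postmaster notified, no bounce sent")


if __name__ == "__main__":
    print(decide("192.168.1.20", LAN_SAMPLE, True))
    print(decide("203.0.113.7", RELAYED_SAMPLE, True))
    print(decide("192.168.1.20", RELAYED_SAMPLE, True))
```

Run it to see the three outcomes: the LAN-direct case is rejected at SMTP time, the relayed case is quarantined without a bounce, and a LAN peer that is itself forwarding already-relayed mail is also quarantined, because the Received: trail says a real mail transport upstream would try to bounce.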


_______________________________________________
MIMEDefang mailing list
MIMEDefang at lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang