[Mimedefang] Best method of dealing with automatic-propagation virus mails

Les Mikesell les at futuresource.com
Tue Oct 29 11:22:01 EST 2002


> From: Edward Wildgoose

> I hope that I'm not missing your point, but here is what
> I think you are saying and why I think you are wrong:  Please 
> bear in mind that throughout this my core point is that we
> would like big ISPs to do at least a tiny basic scanning 
> service to remove even the top 3 viruses in the wild and block them.

Size has nothing to do with this problem.  Mail transports are
all peers. If you think we should abuse certain parties to
force them to do what we want, we will just have to disagree.

> 1) You make the connecting machine responsible for the bounce,
> so nothing is different than you yourself bouncing.
> 
> I disagree because the chain of SMTP servers is finite.

I thought the RFCs were pretty clear about what should
happen when a message has a permanent failure.

> The point is that you are probably number 2 in the chain, in 
> which case you bounce to "big ISP", who should have stopped
> them in the first place, or you are number one in which case 
> you are killing the raw SMTP connection from the virus.

It is a peer connection.  Someone with a different scanner
may be doing the same to you.  There is nothing special about
ISP mail transports vs. anyone else's.  I'd say the majority
of my mail connections are directly with other corporate servers
(at least if we ignore spam).

> 2) Bouncing mail to an incorrect address infects someone new.  
> 
> Well perhaps, but remember that the typical virus has the
> whole address book to hand and emails TO every address, 
> substituting a random address as the FROM.  So if the FROM
> clause was random then everyone would be on two emails, once as 
> the recipient and once as the FROM.  

And if transports accept these and remove the virus,
none will ever propagate.  If they force them to
bounce through non-scanning transports they assist
the propagation.

> Now on the scales of getting people suspicious I
> have observed a couple of people who got the latest virus and didn't 
> notice, but when they started getting the bounce messages
> (incorrectly), saying message refused because there was a virus 
> they got suspicious and bought a virus scanner.  

Old viruses might get bounced to the sender.  New ones
are just as happy to propagate through the bounces to
innocent bystanders as the original target. 

> So I claim that a bounce message at least gets people's attention.

More likely it infects a new machine.

> I really don't see that it is any more complicated than
> this.  I personally would love to just accept the virus
> and drop it quietly, but this is unethical (see other email).
> You should NEVER quietly discard email and not tell someone.

Yes, this is why there is no practical difference in accepting,
then bouncing or rejecting at the SMTP level.  You are forcing
the prior hop to perform exactly the same bounce and it is
wrong for the same reason it would be wrong to do it yourself.


> So the next best thing would be for us all to just reject
> connections that we don't like and if enough people do it
> then eventually we are rejecting the connection at source
> (this has got to be a clue to the poor infected soul if
> they can't click send/recv without getting an error message
> from their ISP which says "Sorry you are infected with a
> virus you may not send email..."), and the stuff never gets
> out in the first place.

Sorry, but I can't agree that the right way to fix a problem
is to make it worse for everyone else.  The source of the
problem isn't from ISPs anyway, it is the vulnerable software
that a certain monopoly put on everyone's desktop a few years
ago.  If you can figure out how to get rid of that, I'm with
you...

---
  Les Mikesell
    les at futuresource.com
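Added example, not code from the post or from the MIMEDefang project: a `filter_end` for mimedefang-filter that makes the two choices argued about above explicit, SMTP-time rejection versus accept-and-discard. The function names and globals follow MIMEDefang's filter API as documented in later releases (message_contains_virus, action_bounce, action_discard, md_syslog, $VirusName, $RelayAddr, $Sender); $RejectAtSmtpTime is an assumed local setting.

```perl
# 1 = reject during the SMTP dialogue: action_bounce returns a 5xx to the
#     connecting host, and this server generates no bounce message itself.
# 0 = accept the message and drop it silently (action_discard).
# $RejectAtSmtpTime is a local setting assumed for this example.
my $RejectAtSmtpTime = 1;

sub filter_end {
    my ($entity) = @_;

    # Run the configured virus scanner(s) over the decoded message.
    # message_contains_virus returns ($code, $category, $action), with
    # $category 'ok', 'virus', 'suspicious', 'cannot-execute' or 'swerr'.
    my ($code, $category, $action) = message_contains_virus();
    return if $category eq 'ok';

    if ($category ne 'virus') {
        # Scanner failure, not a detection: log it rather than guess.
        md_syslog('warning', "virus scanner problem ($category) for message from $RelayAddr");
        return;
    }

    # The envelope sender of a mass-mailing worm is usually forged, so it
    # is logged for the postmaster but never used as a notification target.
    md_syslog('warning',
        "virus $VirusName from relay $RelayAddr, envelope sender $Sender");

    if ($RejectAtSmtpTime) {
        # 5xx at DATA time. The previous hop decides what happens next: a
        # submitting client shows the error to its user, while a relaying
        # MTA will usually build a DSN to the forged envelope sender, which
        # is the backscatter concern raised in the thread.
        return action_bounce("Message rejected: contains virus $VirusName");
    }

    # Accept and drop. Nobody downstream is told, which is the other side
    # of the argument; the syslog line above is the only record.
    return action_discard();
}
```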