[Mimedefang] SoBig makes me rethink policy...

Michael Sims michaels at crye-leike.com
Thu Sep 4 18:33:01 EDT 2003


mimedefang-admin at lists.roaringpenguin.com wrote:
> Hi,
>
> Because of the enormous volume of mail from SoBig, I've reluctantly
> changed my policy on viruses from action_bounce to action_discard.
> All the stupid virus-notification messages were irritating me, and I
> realize that spurious bounce messages are just as irritating.
>
> So I now recommend action_discard for viruses.  What a sad day for
> Internet e-mail when you have to violate (the spirit, at least) of
> RFC's to make life manageable.  Thanks, Micro$oft.

Even though it had always been on my todo list, it took Sobig.F to finally
convince me to drop what I was doing and configure my secondary mail
exchanger so that it is aware of which accounts exist on the primary and can
therefore reject unknown users during the SMTP conversation, rather than
blindly accepting everything and then generating bounces to forged senders.
The amount of bogus bounces and virus notifications that Sobig has generated
just boggles my mind.  A vast majority of them came from AOL servers, but
there is a thread over on the Spam-L list that indicates that AOL is aware
of this and slowly but surely converting all of their dumb relays into smart
relays, so that should help.  I've had to put some really ugly hacks into my
mimedefang-filter to discard not only Sobig, but all Sobig-generated spew
including invalid bounces.  In the past five days I've silently discarded
47,884 messages, a vast majority of which are not actually Sobig, but are
Sobig-generated bounces or bogus virus notifications (Declude Virus wins the
prize for the latter).

If mail server admins don't start configuring their relays to know which
accounts exist then the bogus bounce problem is going to get worse.  I'm
concerned that pretty soon the whole concept of DSN's will be ruined by
forging viruses and joe-jobs.  End lusers tend to ignore or delete DSN's
anyway, but it may get to the point that clued individuals actually start
doing the same thing.  And that is very sad as well...

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________
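
The recipient check described in this message, sketched as a MIMEDefang filter_recipient for a secondary MX; this is an added example, not code from the post or from the MIMEDefang project. The host names, domain and cache file path are hypothetical, and the fallback to a locally synced recipient list when the primary is unreachable is an assumed policy.

```perl
# Fragment for the secondary MX's mimedefang-filter (added example).
# Hypothetical names: mail.example.com, mx2.example.com, example.com,
# /etc/mail/valid-recipients (one address per line, synced from the primary).
# filter_recipient is only called when mimedefang is started with -t.

my %RELAY_DOMAINS = map { $_ => 1 } qw(example.com);
my $PRIMARY       = 'mail.example.com';
my $MY_HELO       = 'mx2.example.com';
my $CACHE_FILE    = '/etc/mail/valid-recipients';

# Load the cached recipient list; returns undef if it cannot be read.
sub load_valid_recipients {
    open(my $fh, '<', $CACHE_FILE) or return undef;
    my %valid;
    while (my $line = <$fh>) {
        $line =~ s/^\s+|\s+$//g;
        next if $line eq '' or $line =~ /^#/;
        $valid{lc $line} = 1;
    }
    close($fh);
    return \%valid;
}

sub filter_recipient {
    my ($recip, $sender, $ip, $hostname, $first, $helo,
        $rcpt_mailer, $rcpt_host, $rcpt_addr) = @_;

    # Normalise "<User@Example.COM>" to "user@example.com".
    (my $addr = lc $recip) =~ s/^<|>$//g;
    my ($domain) = $addr =~ /\@([^@]+)$/;

    # Only validate recipients in domains this host is a backup MX for.
    return ('CONTINUE', 'ok')
        unless defined $domain && $RELAY_DOMAINS{$domain};

    # Ask the primary whether it would accept this RCPT TO. A definite
    # answer is passed straight back, so unknown users get a 5xx during
    # the SMTP conversation and no bounce is ever generated here.
    my ($code, $msg) =
        md_check_against_smtp_server($sender, $recip, $MY_HELO, $PRIMARY);
    return ($code, $msg) if $code eq 'CONTINUE' or $code eq 'REJECT';

    # Primary unreachable or deferring: decide from the synced list, and
    # tempfail rather than accept blindly if there is no list to consult.
    my $valid = load_valid_recipients();
    return ('TEMPFAIL', 'Recipient verification unavailable; try again later')
        unless $valid;
    return $valid->{$addr} ? ('CONTINUE', 'ok') : ('REJECT', 'User unknown');
}
```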



