[Mimedefang] calling action_bounce() for viruses

James Ralston qralston+ml.mimedefang at andrew.cmu.edu
Fri Sep 26 00:12:02 EDT 2003


On 2003-09-25 at 14:47:12-0700 Jeremy Mates <jmates at sial.org> wrote:

> * James Ralston <qralston+ml.mimedefang at andrew.cmu.edu>
> > Sites which don't want to risk losing legitimate mail may want to
> > call action_bounce() instead of action_discard() when a virus is
> > detected, even if the virus detected is one which is known to
> > forge the envelope sender.
> 
> This wastes time for users the malware is forging, via discard spam
> and messages from other people saying "you have a virus!" or "stop
> sending me these!"

I understand this argument, but I don't agree with it.

> A better option, depending on resources and setup, would be to log
> all the relevant message details or quarantine the message, and have
> a periodic script that generates reports to users and otherwise paws
> through the log records and quarantine directory.  That way, the
> user can review the periodic summary, and at least have a chance to
> see whether something important looks like it was thrown out.

This is completely infeasible.  Our site alone received more than
250,000 copies of Sobig-F.  That's approximately 500 copies for every
single person at our organization; there's no way people would review
them to find the few kernels of wheat in the chaff.

IMHO:

If viral content is detected in a message from an external sender,
bouncing (via a SMTP 5xx code) the message is the correct thing to do.
This is because bouncing the message will ensure that the entire
message--including the viral content--is returned to the (forged)
envelope sender.  This permits the envelope sender's mail system to
detect the embedded viral content and reject the bounce message.
Since the bounce message was sent with a null envelope sender address
(a null reverse-path, in RFC2821 parlance), the entire message is
simply discarded.  Result: the virus goes to the bitbucket, and no one
is bothered by it.

Yes, it's true that if the (forged) envelope sender's mail systems
aren't scanning incoming email for viruses, the envelope sender will
receive a confusing bounce message about a message he didn't send.
But it's 2003, soon to be 2004.  Any ISP/organization which isn't yet
filtering email viruses at the mail gateway is incompetent, period.
And I feel no particular obligation to risk losing legitimate mail
just so incompetent sites aren't bothered by spurious bounce messages.

Sending a *separate message* (e.g., using action_notify_sender()) when
viral content is detected *IS* evil, because the "you sent us a
virus!" message doesn't INCLUDE the damn virus which triggered the
message, which makes it extremely difficult for the mail system of the
forged envelope sender to realize the "you sent us a virus!" message
is junk and should be rejected.  This is why I agree with David that
action_notify_sender() should refuse to function if any of the
*_contains_virus() functions detected a virus.

The greatest harm usually comes from the best of intentions.  The
people who advocate silently discarding messages with viral content
mean well, but they are violating the shining tenet that has been the
reliability of email for the past 15 years: EMAIL IS NEVER LOST OR
DISCARDED.  If email becomes useless as a tool for communication, it
won't be because of spammers and virus writers; it will be because of
well-intentioned but nonetheless misguided countermeasures deployed to
combat the spammers and virus writers.

We have taken what we believe to be the best courses of action:

    1.  We accept no viruses: our mail systems bounce (via a SMTP 5xx
        code) all messages from external senders which contain viral
        content.

    2.  We emit no viruses: a message which contains viral content but
        originated internally is not permitted to escape to the
        outside world.  Instead, a copy of the message is quarantined,
        the message is discarded, and a virus alert message (with
        details) is sent to an internal mailing list.  At that point,
        a klaxon sounds, our 4-person anti-virus team locates the
        infected computer, runs to the office in question, and kicks
        the door down.  One person disinfects the computer, two people
        hold the user down, and the fourth person beats the user over
        the head with a giant plastic hammer while shouting "NO!  BAD
        USER!  DON'T CLICK ON UNEXPECTED ATTACHMENTS!  BAD USER!"

(Okay, the last two sentences are my fantasy of what I'd like to see
happen.  But otherwise, this is the way it works.)

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
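The two-rule policy described in the post (reject external virus mail with a 5xx during the SMTP transaction; quarantine, discard, and alert on internally originated virus mail), written as a mimedefang-filter fragment. This is an added example, not the author's filter or MIMEDefang's sample filter. It uses MIMEDefang's own hooks and globals (filter_begin, message_contains_virus(), action_bounce(), action_quarantine_entire_message(), action_discard(), send_admin_mail(), $RelayAddr, $Sender, @Recipients, $VirusName, $QuarantineSubdir, $AdminAddress); the @InternalNets list, the relay_is_internal helper, and the alert-list address are constructed assumptions for the example.

```perl
# Added example (not from the post or from MIMEDefang's sample filter):
# a mimedefang-filter fragment implementing "accept no viruses" for
# external mail and "emit no viruses" for internal mail.
use strict;
use warnings;

# Constructed assumption: address prefixes of hosts that relay mail
# from inside the organization. Any other relay is treated as external.
my @InternalNets = ('10.', '192.168.', '127.0.0.1');

# Constructed assumption: point MIMEDefang's admin address at the
# internal list that should receive virus alerts.
$AdminAddress = 'virus-alerts@example.invalid';

# Hypothetical helper: classify the relaying host by its IP address.
sub relay_is_internal {
    my ($addr) = @_;
    foreach my $net (@InternalNets) {
        return 1 if index($addr, $net) == 0;
    }
    return 0;
}

sub filter_begin {
    # In list context message_contains_virus() returns
    # (code, category, action); action 'quarantine' means the
    # configured scanner found viral content.
    my ($code, $category, $action) = message_contains_virus();
    return unless defined $action && $action eq 'quarantine';

    if (!relay_is_internal($RelayAddr)) {
        # Rule 1: accept no viruses. The 5xx reply is given inside the
        # SMTP transaction, so the sending relay keeps the whole message
        # and decides about any bounce; this host sends no separate notice.
        action_bounce("Message contains a virus ($VirusName); rejected");
        return;
    }

    # Rule 2: emit no viruses. Keep a copy, drop the message, and send
    # the details needed to locate the infected host to the alert list.
    action_quarantine_entire_message("Virus from internal host: $VirusName");
    action_discard();
    send_admin_mail(
        "Virus $VirusName from internal host $RelayAddr",
        "Relay:      $RelayAddr\n"
      . "Sender:     $Sender\n"
      . "Recipients: @Recipients\n"
      . "Virus:      $VirusName\n"
      . "Quarantine: $QuarantineSubdir\n"
    );
}
```

Because action_bounce() rejects within the SMTP session rather than accepting the message and mailing a report afterwards, the behaviour the post objects to in action_notify_sender() (a virus-free "you sent us a virus" notice that the forged sender's gateway cannot recognise as junk) never arises from rule 1: the only copy of the virus that travels back is the one the sending relay already holds.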
