[Mimedefang] Re: calling action_bounce() for viruses

F.M. Taylor ftaylor1 at mymail.indstate.edu
Fri Sep 26 10:24:01 EDT 2003


FWIW, I believe that calling discard instead of bounce is the best thing to do. 
Lemme 'splain why?

Case#1
If you have a virii infected machine and you are sending mail to my system that 
is virii infected, and I drop the message, there is almost no EXTRA load on my 
system to handle it.  The problem is that the only indication that your machine 
is infected is the fact that none of your messages ever seem to make it here. 
This is not a problem for me, but might be for you, but I am protecting my 
users, I don't care what happens to you, or your mail.

Case#2
Same as above, except that I attempt to bounce the message, along with everyone 
else in the world who is bouncing the message.  I MAY be able to contact your 
mailhost on the first try and send the message back, I may not, in which case I 
have to queue it and try again.  This puts an extra load on my server for 
something that neither one of us wants, a virii infected message.


The problem becomes even worse if your mailhost doesn't want the message either, 
now we are putting extra load on BOTH servers in the rejection communication, 
tying up resources that could be better used elsewhere.

While rejecting ONE message is not a big deal as far as server load goes, 
rejecting a thousand, or a million, of these things takes time.  Time that my 
mailserver doesn't have to spare.

The problem becomes "just plain silly" if you didn't actually send the message, 
it just came through your mailhost AS you.  Now we start getting into man hours 
trying to figure out if your machine is really infected, who sent you this bogus 
rejection, are they infected, should you notify them, etc.

While I will agree that action_bounce is the "good and proper" thing to do, it 
is just not practical in the real world.  If I just drop the virii, you may be 
confused why your message didn't go through, but you will call YOUR support 
center, not mine.  If you didn't actually send the message, you are relieved of 
the annoyance of getting the bounce and so is your mailhost.

Of course YMMV.

-- 
Mike Taylor. GSEC/GCFW 'Non Impediti Ratione Cogitationis'
Coordinator of Systems Administration and Network Security
Indiana State University.               Rankin Hall Rm 052
210 N 7th St.                             Terre Haute, IN.
Voice: 812-237-8843
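
The discard policy argued for in this message, as an added example that is not part of the original post or of the MIMEDefang distribution: a mimedefang-filter fragment that drops infected mail but logs the drop, so a later "where did my mail go?" can be answered locally. It assumes a virus scanner is installed and configured for message_contains_virus(); the log and reply wording is illustrative.

```perl
# Fragment of a mimedefang-filter (Perl). Added example; assumes a virus
# scanner is installed so that message_contains_virus() has something to call.
sub filter_begin {
    my ($entity) = @_;

    # Returns (code, category, action); category is "virus" on a positive hit.
    my ($code, $category, $action) = message_contains_virus();

    if ($category eq 'virus') {
        # A silent discard leaves no trace for the sender, so record enough
        # locally to trace the message later. $Sender is supplied by the
        # remote side and may be forged; $RelayAddr is the connecting IP.
        md_syslog('warning',
            "Discarding virus $VirusName from $Sender via relay $RelayAddr");
        return action_discard();   # accept, then drop; nothing is sent back

        # The alternative the thread discusses:
        # return action_bounce("Virus $VirusName found in message");
    }

    # Scanner failure: ask the sending MTA to retry later rather than
    # accepting unscanned mail.
    if ($action eq 'tempfail') {
        return action_tempfail("Virus scanner unavailable; try again later");
    }
    return;
}
1;
```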
