[Mimedefang] Re: calling action_bounce() for viruses

Stas Ukolov tigrus at pisem.net
Tue Sep 30 23:19:02 EDT 2003


Hi, Les!

LM> On Tue, 2003-09-30 at 12:00, Lucas Albers wrote:
>> My philosophy is that:
>> Mail is never ever discarded, it is bounced and quarantined for a few days.
>> I have never had a complaint from a bounce back on mail I bounced. Ever.
>> Spam/Virus emails aren't bounced off to their fake sender address by malware.
>> 

LM> OK, if you're the one who has been sending any of the hundreds of
LM> bounces claiming I sent a virus that I've gotten recently, take this
LM> as a complaint.

Most people here don't know the difference between two different things:
1) Bounce, i.e. SMTP response 550
2) Negative DSN

First one means server didn't agree to receive mail. This is what
action_bounce() does.

Second one means server accepted message, then determined it is 'bad' in
some sense and sent warning to address of 'sender' - real or forged -
which was in mail _header_.

All 'bounces' you get are negative DSN (I'm not sure but probability
is more than 95%). Malicious sender sends virii/spam with your address
in header, so bounces (in fact, negative DSN) go to you. That is.

Of course, bounce (first) can become negative DSN if mail goes thru
another mailserver. But in this case: if we are sure the mail is
spam/virus we can conclude that mailserver is either misconfigured or
is spammer/virus infected. In that case we must ASAP inform its admin
and block it _entirely_ until its configuration is fixed.

So: when we get negative DSN that was a bounce first, it's not a spam
- it's a sign we should immediately 1) inform mailserver's
administrator (not mail sender!!!) 2) post mailserver to open
relay/open proxy/RBL for testing.

In fact I never got any negative DSN that was bounces first. Maybe
I'm lucky but - in fact - they are _much_ less frequent beasts than
malformed negative DSN. Real negative DSN are real spam and must be
avoided. Bounces are good: in 90% cases they go to real sender not
forged sender and even when they go to third party they are still
useful.

So, I vote for using action_bounce()!

WBR
 Stas                          mailto:tigrus at pisem.net
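The distinction Stas draws above, modelled as an added example (not code from the post or from MIMEDefang): a toy receiving MTA handles one SMTP transaction either by refusing it with a 550 during the dialogue, the way action_bounce() does, or by accepting it and later generating a negative DSN to the sender address the message carried. The client address, the forged sender and the virus marker are constructed, and the scanner is a stand-in for a real one.

```python
from dataclasses import dataclass, field

VIRUS_MARKER = "VIRUS-SIGNATURE-MARKER"  # constructed stand-in for a scanner hit


@dataclass
class Session:
    """One SMTP transaction as seen by the receiving MTA (constructed model)."""
    client_ip: str            # the host that actually connected to us
    sender: str               # sender address supplied in the message, attacker-controlled, often forged
    body: str
    replies: list = field(default_factory=list)   # SMTP replies sent back to the connecting client
    outbound: list = field(default_factory=list)  # new messages this MTA itself originates (DSNs)


def is_virus(body: str) -> bool:
    """Stand-in for the real scanner."""
    return VIRUS_MARKER in body


def reject_at_smtp(s: Session) -> str:
    """action_bounce() style: refuse inside the dialogue.

    The only party that learns of the refusal is the connected client (s.client_ip);
    no message is queued, so no DSN can ever be sent to a forged sender address.
    """
    if is_virus(s.body):
        s.replies.append("550 5.7.1 Message rejected: virus detected")
        return "rejected"
    s.replies.append("250 2.0.0 Ok: queued")
    return "accepted"


def accept_then_dsn(s: Session) -> str:
    """Accept-then-notify: take the message, scan afterwards, send a negative DSN.

    The DSN goes to whatever sender address the message carried, so when that
    address is forged the notice lands on an uninvolved third party (backscatter).
    """
    s.replies.append("250 2.0.0 Ok: queued")
    if is_virus(s.body):
        s.outbound.append({"to": s.sender, "subject": "Undelivered: virus detected"})
        return "dsn_sent"
    return "delivered"


if __name__ == "__main__":
    forged = Session("198.51.100.7", "victim@example.org", "hello " + VIRUS_MARKER)
    print(reject_at_smtp(forged), forged.replies, forged.outbound)      # no outbound mail at all
    forged = Session("198.51.100.7", "victim@example.org", "hello " + VIRUS_MARKER)
    print(accept_then_dsn(forged), forged.replies, forged.outbound)     # DSN addressed to the forged victim
```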
