[Mimedefang] MIMEDefang 2.40 is released

Stephen Smoogen smoogen at lanl.gov
Fri Mar 5 15:03:09 EST 2004 

On Fri, 2004-03-05 at 12:37, Josh Kelley wrote:
> David F. Skoll wrote:
> 
> >On Fri, 5 Mar 2004, Josh Kelley wrote:
> >
> >>he mimedefang-filter manpage still recommends using action_bounce
> >>rather than action_discard.  Is action_bounce no longer recommended?
> >>    
> >>
> >Right.  I should fix the man page.
> >
> I'm sure that this topic has come up many times on the list before, and 
> I'm sorry for bringing it up again, but the last time I remember seeing 
> it discussed here, I thought that the general consensus was that bounce 
> was better, for roughly the following reasons:
> 
> 1.  Most mass-mailing viruses are sent directly by the virus, in which 
> case no one will see any bounces generated.

Right and Wrong. Most mass mailing viruses are sent by the virus, but
with a spoofed email address that can be either something in the mailbox
or some other item. I get about 20 you sent this virus that I couldnt
have sent every week.

> 2.  Bounces will be generated anyway, if a mass-mailed virus is sent to 
> an invalid email address, so avoiding action_bounce won't stop bounced 
> viruses.

If it isnt sent.. then it wont create anything. The discard kills the
SMTP session.

> 3.  If the the virus is, for example, a Word macro virus, it shouldn't 
> be silently dropped.

Eh? I dont know if that is correct either. You still have to assume that
you are sending the bounce to the correct person. If people could/do put
in such conditional rules (if binary-virus->kill else if word->bounce
then the spam/child-porn/mafia/anyone-else-making-money-of-viruses would
just then use that as a new novel way to get mass mailings done. [Send
bad email with porn/spam/etc with word-macro-virus and have the forged
sender be the person you want to send the spam to in the first place..
bang you are assured that person will get tons of your spam because
people are going to bounce it to the recipient.]

> 4.  To summarize, in the man page's words, "It's almost never a good 
> idea to hide a problem."
> 

No it isnt.. but it doesnt really not hide the problem. Most of these
viruses I see here have already been sent through 1-2 mail-relays and
the original host/sender is impossible to track down. I cant tell who
sent the virus so I cant tell them to clean their machine. Me sending
back a bounce that goes to an innocent 3rd party who didnt send the
email just makes the problem worse.. as they have no idea why they are
getting this email.

> Why the change in recommendation?
> 
> Again, sorry for rehashing old material.
> 
> Josh Kelley
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
-- 
Stephen John Smoogen		smoogen at lanl.gov
Los Alamos National Lab  CCN-5 Sched 5/40  PH: 4-0645
Ta-03 SM-1498 MailStop B255 DP 10S  Los Alamos, NM 87545
-- So shines a good deed in a weary world. = Willy Wonka --

More information about the MIMEDefang mailing list