[Mimedefang] MIMEDefang 2.40 is released
Josh Kelley
josh at jbc.edu
Mon Mar 8 14:18:39 EST 2004
Stephen Smoogen wrote:
>On Fri, 2004-03-05 at 12:37, Josh Kelley wrote:
>
>
>>1. Most mass-mailing viruses are sent directly by the virus, in which
>>case no one will see any bounces generated.
>>
>>
>
>Right and Wrong. Most mass mailing viruses are sent by the virus, but
>with a spoofed email address that can be either something in the mailbox
>or some other item. I get about 20 "you sent this virus" that I couldn't
>have sent every week.
>
>
I'm not suggesting sending out "you sent this message" notifications; I
know that's a bad idea. I'm suggesting using action_bounce, which
rejects the message at the SMTP level, instead of action_discard, which
accepts the message and silently discards it.

In this case, the only time someone would see the bounce is if the virus
sends a copy of itself through unprotected mail server A, unprotected
mail server A tries to relay the message to protected mail server B,
which rejects the message, so then unprotected mail server A tries to
generate an error message to the forged sender address. The proper fix
for this problem, I think, is for mail server A to add virus protection,
not for mail server B to start silently discarding email that it can't
guarantee has no valid content.
>>2. Bounces will be generated anyway, if a mass-mailed virus is sent to
>>an invalid email address, so avoiding action_bounce won't stop bounced
>>viruses.
>>
>>
>
>If it isn't sent.. then it won't create anything. The discard kills the
>SMTP session.
>
>
If the virus sends a copy of itself through unprotected mail server A,
and unprotected mail server A tries to relay the message to an invalid
email address on mail server B, then mail server B will reject the
message regardless of how it handles viruses, and then unprotected mail
server A still tries to generate an error message to the forged sender
address. So viral bounces can still get generated whether the mail
server bounces or discards viruses.
>>3. If the virus is, for example, a Word macro virus, it shouldn't
>>be silently dropped.
>>
>>
>
>Eh? I don't know if that is correct either. You still have to assume that
>you are sending the bounce to the correct person. If people could/do put
>in such conditional rules (if binary-virus->kill else if word->bounce)
>then the spam/child-porn/mafia/anyone-else-making-money-off-viruses would
>just then use that as a new novel way to get mass mailings done. [Send
>bad email with porn/spam/etc with word-macro-virus and have the forged
>sender be the person you want to send the spam to in the first place..
>bang you are assured that person will get tons of your spam because
>people are going to bounce it to the recipient.]
>
>
>
My argument is that if a mail server silently drops all viral messages,
it risks losing valid content. I don't know of a good way to prevent this.

Your argument is that if a mail server bounces viral messages, then it
can conceivably be used to spam people. This can be prevented by adding
virus protection to mail servers and by various anti-spam methods
currently available.
>>4. To summarize, in the man page's words, "It's almost never a good
>>idea to hide a problem."
>>
>>
>>
>
>No it isn't.. but it doesn't really not hide the problem. Most of these
>viruses I see here have already been sent through 1-2 mail-relays and
>the original host/sender is impossible to track down. I can't tell who
>sent the virus so I can't tell them to clean their machine. Me sending
>back a bounce that goes to an innocent 3rd party who didn't send the
>email just makes the problem worse.. as they have no idea why they are
>getting this email.
>
>
>
Most of the viruses that I get at my mail server come directly from
infected computers, if I'm reading my mail server logs correctly.

I'm not particularly interested in tracking down the original sender of
the virus. I am interested in letting someone know that their email was
rejected if they try to email a viral message.

Again, I'd like to know why the recommendation in MIMEDefang 2.40 was
changed from action_bounce to action_discard.
Josh Kelley
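
Added example, not part of the original message or of MIMEDefang: a small Python model of the delivery paths discussed in this thread, showing which host ends up sending a bounce under action_bounce and action_discard. It assumes server B rejects unknown recipients during the SMTP session and that a real MTA bounces to the envelope sender on a 5xx reply while a virus's own SMTP engine does not; addresses, reply codes and function names are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

FORGED = "victim@example.org"   # constructed: forged envelope sender
REAL = "author@example.com"     # constructed: genuine sender of an infected document

@dataclass
class Outcome:
    smtp_reply: int             # what protected server B answered its client
    dsn_to: Optional[str]       # address that receives a bounce, if any
    silently_lost: bool         # accepted with 250 but never delivered

def server_b(policy: str, rcpt_valid: bool, infected: bool) -> Tuple[int, bool]:
    """Return (SMTP reply code, delivered?) for protected server B."""
    if not rcpt_valid:
        return 550, False       # unknown user: refused under either policy
    if infected and policy == "bounce":
        return 554, False       # action_bounce: refuse at the SMTP level
    if infected and policy == "discard":
        return 250, False       # action_discard: accept, then drop
    return 250, True

def deliver(client: str, env_from: str, policy: str,
            rcpt_valid: bool = True, infected: bool = True) -> Outcome:
    """client is 'virus' (own SMTP engine, ignores errors) or 'mta'
    (a real mail server, such as unprotected server A, that bounces
    to the envelope sender when the next hop answers 5xx)."""
    code, delivered = server_b(policy, rcpt_valid, infected)
    dsn_to = env_from if (client == "mta" and code >= 500) else None
    return Outcome(code, dsn_to, silently_lost=(code == 250 and not delivered))

def scenarios() -> dict:
    return {
        # Point 1: virus connects directly, nobody generates a bounce.
        "direct, bounce": deliver("virus", FORGED, "bounce"),
        # Relay A in front: A bounces to the forged sender on rejection.
        "via A, bounce": deliver("mta", FORGED, "bounce"),
        "via A, discard": deliver("mta", FORGED, "discard"),
        # Point 2: invalid recipient is rejected whatever the virus policy.
        "via A, discard, bad rcpt": deliver("mta", FORGED, "discard", rcpt_valid=False),
        # Point 3: genuine sender mailing an infected document via their own MTA.
        "real sender, bounce": deliver("mta", REAL, "bounce"),
        "real sender, discard": deliver("mta", REAL, "discard"),
    }

if __name__ == "__main__":
    for name, o in scenarios().items():
        print(f"{name:26} reply={o.smtp_reply} dsn_to={o.dsn_to} lost={o.silently_lost}")
```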