[Mimedefang] MIMEDefang 2.40 is released

Josh Kelley josh at jbc.edu
Mon Mar 8 14:18:39 EST 2004


Stephen Smoogen wrote:

>On Fri, 2004-03-05 at 12:37, Josh Kelley wrote:
>
>>1.  Most mass-mailing viruses are sent directly by the virus, in which 
>>case no one will see any bounces generated.
>
>Right and wrong. Most mass-mailing viruses are sent by the virus, but
>with a spoofed email address that can be either something in the mailbox
>or some other item. I get about 20 "you sent this virus" that I couldn't
>have sent every week.
>
I'm not suggesting sending out "you sent this message" notifications; I 
know that's a bad idea.  I'm suggesting using action_bounce, which 
rejects the message at the SMTP level, instead of action_discard, which 
accepts the message and silently discards it.

In this case, the only time someone would see the bounce is if the virus 
sends a copy of itself through unprotected mail server A, unprotected 
mail server A tries to relay the message to protected mail server B, 
which rejects the message, so then unprotected mail server A tries to 
generate an error message to the forged sender address.  The proper fix 
for this problem, I think, is for mail server A to add virus protection, 
not for mail server B to start silently discarding email that it can't 
guarantee has no valid content.

>>2.  Bounces will be generated anyway, if a mass-mailed virus is sent to 
>>an invalid email address, so avoiding action_bounce won't stop bounced 
>>viruses.
>
>If it isn't sent, then it won't create anything. The discard kills the
>SMTP session.
>
If the virus sends a copy of itself through unprotected mail server A, 
and unprotected mail server A tries to relay the message to an invalid 
email address on mail server B, then mail server B will reject the 
message regardless of how it handles viruses, and then unprotected mail 
server A still tries to generate an error message to the forged sender 
address.  So viral bounces can still get generated whether the mail 
server bounces or discards viruses.

>>3.  If the virus is, for example, a Word macro virus, it shouldn't 
>>be silently dropped.
>
>Eh? I don't know if that is correct either. You still have to assume that
>you are sending the bounce to the correct person. If people could/do put
>in such conditional rules (if binary-virus->kill else if word->bounce)
>then the spam/child-porn/mafia/anyone-else-making-money-off-viruses would
>just then use that as a new novel way to get mass mailings done. [Send
>bad email with porn/spam/etc. with a word-macro-virus and have the forged
>sender be the person you want to send the spam to in the first place..
>bang, you are assured that person will get tons of your spam because
>people are going to bounce it to the recipient.]
>
My argument is that if a mail server silently drops all viral messages, 
it risks losing valid content.  I don't know of a good way to prevent this.

Your argument is that if a mail server bounces viral messages, then it 
can conceivably be used to spam people.  This can be prevented by adding 
virus protection to mail servers and by various anti-spam methods 
currently available.

>>4.  To summarize, in the man page's words, "It's almost never a good 
>>idea to hide a problem."
>
>No it isn't.. but it doesn't really not hide the problem. Most of these
>viruses I see here have already been sent through 1-2 mail relays and
>the original host/sender is impossible to track down. I can't tell who
>sent the virus so I can't tell them to clean their machine. Me sending
>back a bounce that goes to an innocent 3rd party who didn't send the
>email just makes the problem worse.. as they have no idea why they are
>getting this email.
>
Most of the viruses that I get at my mail server come directly from 
infected computers, if I'm reading my mail server logs correctly.

I'm not particularly interested in tracking down the original sender of 
the virus.  I am interested in letting someone know that their email was 
rejected if they try to email a viral message.

Again, I'd like to know why the recommendation in MIMEDefang 2.40 was 
changed from action_bounce to action_discard.

Josh Kelley
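The two calls the thread argues about, shown in the place a MIMEDefang filter would make the choice. This is an added example, not code from the original post or from the MIMEDefang distribution's sample filter; it assumes message_contains_virus() returns a ($code, $category, $action) list and sets $VirusName and $RelayAddr as the MIMEDefang documentation of that era describes, so check the man page of the version you actually run:

```perl
# Added example (not from the original post or the MIMEDefang package).
# Assumption: message_contains_virus() returns ($code, $category, $action)
# and sets the globals $VirusName and $RelayAddr, per the MIMEDefang docs.

sub filter_begin {
    my ($code, $category, $action) = message_contains_virus();
    return unless $category eq 'virus';

    md_syslog('warning', "Virus $VirusName received from relay $RelayAddr");

    # Option A (what the 2.40 sample filter recommends): accept the message
    # in SMTP and throw it away. The connecting host sees a 250, so no DSN
    # is ever generated, but if the message carried legitimate content
    # (a document infected with a macro virus, say) it is lost silently.
    # action_discard();

    # Option B (the earlier recommendation): refuse the message in SMTP
    # with a 5xx reply and a DSN status. A host that delivers directly,
    # which is how most mass mailers send, just sees the rejection and
    # nothing is bounced. Only an intermediate relay that already accepted
    # the message will turn this into a bounce to the envelope sender,
    # which for a virus is usually forged.
    action_bounce("Virus $VirusName detected; message rejected", 554, "5.7.1");
}
```

Exactly one of the two actions should be live in a real filter; both are shown here so the SMTP-level difference is visible in one place. Note that neither option changes what happens when an upstream relay hands a virus to an address that does not exist: that rejection, and any bounce the relay then generates, comes from recipient validation, not from the virus check.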
