[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications
Kelson
kelson at speed.net
Fri Jul 1 12:20:05 EDT 2005
Les Mikesell wrote:
> For any definition of 'valid MTA', an SMTP rejection *will* generate a
> bounce. For any recent virus and much spam, the bounce will go to
> some innocent and unrelated address, which may in fact be the intended
> target.
As an example, some Mytob(?) variants forge addresses like
support at targetdomain or admin at targetdomain. (The virus in question
masquerades as an account suspension notice.) For various reasons, we
reject anything coming in from outside claiming to be from those
addresses with "554 5.7.1 Forgery attempt detected: you do not have
permission to send using this address."
Naturally, several times a week we get NDRs sent *to* those addresses
explaining that the message "we" tried to send could not be delivered.
Clearly, for whatever reason some of these *are* being relayed through a
real MTA. Half the time the target address doesn't even exist, and we
would still be getting the "User unknown" NDRs if we weren't rejecting
them in filter_sender.
--
Kelson Vibber
SpeedGate Communications <www.speed.net>
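The filter_sender rejection described in the post above, as an added example that is not Kelson's own filter or part of MIMEDefang itself. It assumes the domain example.com, the forged local addresses support@ and admin@, and the private ranges 10.0.0.0/8 and 192.168.0.0/16 as placeholders for the real site's values, and it relies on the (action, message, code, dsn) return form documented for filter_sender in mimedefang-filter(5); the $sender argument arrives with its angle brackets, as MIMEDefang passes it.

```perl
# Added example (not from the original post): a MIMEDefang filter_sender
# hook that rejects mail arriving from outside while claiming to be from
# local addresses that worms are known to forge. Names and networks are
# placeholders; adapt them to your environment.
use strict;
use warnings;
use Socket qw(inet_aton);

# Local addresses seen forged as envelope sender (placeholders).
my %forged_local = map { lc($_) => 1 } qw(
    support@example.com
    admin@example.com
);

# Internal networks as [base, prefixlen] (placeholders). Mail relayed from
# these hosts may legitimately use the addresses above.
my @internal_nets = ( ['10.0.0.0', 8], ['192.168.0.0', 16] );

# True if dotted-quad $ip falls inside $base/$bits.
sub ip_in_net {
    my ($ip, $base, $bits) = @_;
    my $a = inet_aton($ip)   or return 0;
    my $b = inet_aton($base) or return 0;
    my $mask = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ((unpack('N', $a) & $mask) == (unpack('N', $b) & $mask)) ? 1 : 0;
}

# True if the connecting relay is on one of our internal networks.
sub is_internal {
    my ($ip) = @_;
    return 0 unless defined $ip && $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    for my $net (@internal_nets) {
        return 1 if ip_in_net($ip, @$net);
    }
    return 0;
}

# MIMEDefang calls this at MAIL FROM time, before any message data is
# accepted, so a REJECT here is a plain SMTP-level rejection.
sub filter_sender {
    my ($sender, $ip, $hostname, $helo) = @_;
    # The envelope sender is passed as "<user@domain>"; strip the brackets.
    (my $addr = lc $sender) =~ s/^<(.*)>$/$1/;
    if ($forged_local{$addr} && !is_internal($ip)) {
        return ('REJECT',
                'Forgery attempt detected: you do not have permission '
                . 'to send using this address',
                '554', '5.7.1');
    }
    return ('CONTINUE', 'ok');
}

1;
```

Because the check runs at envelope time, the connecting MTA, not this server, is the one that produces any non-delivery report; as the quoted part of the thread notes, when a real relay is in the path that NDR goes to whatever address the worm forged, which is why "User unknown" bounces still arrive for addresses that never existed.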