[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Thu Jun 30 10:02:07 EDT 2005


James Ebright wrote:

> If it is a valid MTA that the message was relayed through your reject will
> most likely end up in the "postmasters" inbox as the "sender" email address
> is almost certainly forged... this has the effect of making the
> administrators of the relaying MTA aware that they have an issue.

Not really. If you consider the amount of obfuscation and spoofing (IP, FROM
address, etc.) in the header, it is often very difficult to trace the source
of the message, so good luck finding the offending MTA and/or source of the
virus.

And as for winding up in the postmaster's inbox, that's not necessarily true.
Viruses often exploit a *legitimate* sender's *real* address book, so the
addresses it sends to are almost certainly *real*.  That's why a bounce can
ultimately end up in someone's inbox, where the bounce will contain the
virus (left intact thanks to a 5xx rejection), perpetuating the existence
of the virus.  What's so bad about throwing away a virus?  It's like having
a rotten, infected perishable food item lying on the floor, and instead of
just throwing it out, you pass it off to your coworker or friend to throw
out because you *think* he/she might have left it there.

- Chris
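An added example, not from this thread or from the stock mimedefang-filter: a filter_begin fragment in the Perl filter language MIMEDefang uses, which discards a detected virus instead of rejecting it, while logging and notifying the local administrator so the detection stays visible. The function and variable names are MIMEDefang's documented API (message_rejected, message_contains_virus, action_discard, action_quarantine_entire_message, action_notify_administrator, action_tempfail, md_syslog, $VirusName, $Sender, $RelayAddr); the log and notification wording is assumed.

```perl
# Added example (not from the thread or the stock mimedefang-filter):
# discard virus-bearing mail rather than rejecting it, so no bounce carrying
# the virus can be generated toward a forged or harvested sender address.
sub filter_begin {
    my ($entity) = @_;

    # Always check first whether an earlier callback already rejected the message.
    return if message_rejected();

    # Run the configured scanners (e.g. clamd). $category is "virus" on a
    # positive detection; $action is the scanner's suggested disposition
    # (e.g. "ok", "quarantine" or "tempfail").
    my ($code, $category, $action) = message_contains_virus();

    if ($category eq 'virus') {
        # Keep the detection visible locally instead of sending it back out.
        md_syslog('warning',
            "Discarding message from $Sender via $RelayAddr: $VirusName");

        # Keep a copy for the local administrator to inspect, and tell them.
        action_quarantine_entire_message("Virus detected: $VirusName");
        action_notify_administrator(
            "Discarded a message carrying $VirusName\n"
          . "Claimed sender: $Sender\nRelay: $RelayAddr\n");

        # Accept at SMTP time and drop the message: the relaying MTA sees a
        # 2xx, so it has no reason to bounce anything to the (likely forged)
        # envelope sender, and no copy of the virus travels onward.
        return action_discard();
    }

    if ($action eq 'tempfail') {
        # Scanner trouble: defer rather than accept unscanned mail.
        return action_tempfail("Virus scanner temporarily unavailable");
    }

    # Anything else falls through to the rest of the filter.
}
```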