[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Chris Gauch cgauch at digicon.net
Thu Jun 30 10:44:59 EDT 2005

Les Mikesell wrote:

> You didn't answer when I asked this before so I'll try again. Viruses
> virtually always use legitimate addresses found in the local contact
> list or headers of received email - just not the real sender.  How
> does your system ensure that rejections by the next hop can only
> be returned to the real sender, not a forged address?  If you can't
> do this yourself, how can you expect the rest of the world to do it?
> If you can, I'd like to know how.

Exactly.  Unless you break into the MX host at the next hop and set all of
its policies and have the miraculous ability to actually figure out where
the message was *really* sent from, you're out of luck regardless. 

It's always fun to return fire and send junk back to where it came from, but
in the case of viruses (where real email addresses are forged in both the
FROM and the TO), innocent bystanders are brought into the crossfire.
Ultimately, the virus is NOT sent back to where it came from.  It is sent to
some innocent person's inbox; and if you consider the dark side and step
into the virus writer's shoes, wouldn't you have seen how
standards-conforming MTAs deal with rejections/bounces, and sat back
with a certain degree of satisfaction while other valid MTAs (although
acting accordingly and properly by rejecting/bouncing unacceptable mail)
were really helping to spread your virus?

- Chris    

Chris Gauch
Systems Administrator
Digicon Communications, Inc.
cgauch at digicon.net
(716) 583-1254
