[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

Les Mikesell les at futuresource.com
Thu Jun 30 13:17:46 EDT 2005


On Thu, 2005-06-30 at 10:47, WBrown at e1b.org wrote:
> > You didn't answer when I asked this before so I'll try again. Viruses
> > virtually always use legitimate addresses found in the local contact
> > list or headers of received email - just not the real sender.  How
> > does your system ensure that rejections by the next hop can only
> > be returned to the real sender, not a forged address?  If you can't
> > do this yourself, how can you expect the rest of the world to do it?
> > If you can, I'd like to know how.
> 
> Is that legitimate address the authorized user?

It is likely to be the address of a possible authorized user on your
system if your users send mail to each other, just not the one you
accept the message from.

>   The email should only be
> relayed when the sender is the authorized user, i.e. the owner of the
> machine.  And such a person deserves all the bounces, a thousand times
> over!

How do you determine, when the next hop rejects, that you construct
the bounce only to the original sender, not an address that was
forged by a virus on that sender's machine?

> If the admin is sloppy enough to not check for authorized user, and not 
> running AV, they are probably sloppy enough to get their systems listed on 
> the RBLs.

I don't see how any of this is relevant.  Even if you checked for an
authorized user before accepting the message, how do you tie that to
a matching bounce address after it has been queued and the attempt to
forward is rejected?  

> And the sender is not always pulled from the local machine.  Most Sober 
> variants make up the sender.

There are thousands of viruses and there will be more, so how your
favorite behaves today doesn't matter much. I see bounced mail all
the time with addresses that can only have come from headers that
I've sent, but not from any machines that I know about. So far it
is mostly spam, probably from forwarding zombies but there is a
virus/worm/trojan that has to spread first to cause this and the
viruses are probably using the same mechanism to spread.

-- 
  Les Mikesell
    les at futuresource.com
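The question in this message is how a relay can tie the submitter it authenticated to the bounce address it will later use when the next hop rejects. The following added illustration (not MIMEDefang code, and not anything either poster described) models one defensive answer: reject an envelope sender the authenticated user is not entitled to use during the SMTP dialogue, record that the sender was verified when the message is queued, and refuse to generate a DSN for anything else. The directory of authorized addresses is a constructed sample.

```python
"""Tie an accepted message's envelope sender to the authenticated submitter so
that a later rejection by the next hop can only be bounced to a verified
address. Constructed illustration; not MIMEDefang's or any MTA's real API."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample directory: envelope addresses each SMTP AUTH user may use.
AUTHORIZED_SENDERS = {
    "alice": {"alice@example.org", "sales@example.org"},
    "bob": {"bob@example.org"},
}


@dataclass
class QueuedMessage:
    auth_user: Optional[str]   # SMTP AUTH identity the relay accepted the mail from
    envelope_from: str         # MAIL FROM address as given by the client
    sender_verified: bool = False


def check_submission(auth_user: Optional[str], envelope_from: str) -> Tuple[bool, Optional[QueuedMessage]]:
    """Decision at MAIL FROM time. Returns (accept, queued message or None).

    Refusing here happens inside the SMTP session, so no bounce is generated:
    the submitting client (or the worm on it) sees the error, nobody else."""
    if auth_user is None:
        return False, None                      # relaying requires an authenticated user
    sender = envelope_from.strip().lower()
    if sender == "":
        return False, None                      # null sender cannot be tied to a user
    if sender not in AUTHORIZED_SENDERS.get(auth_user, set()):
        return False, None                      # address forged or not owned by this user
    return True, QueuedMessage(auth_user, sender, sender_verified=True)


def bounce_target(msg: QueuedMessage) -> Optional[str]:
    """Called when the next hop rejects a queued message. Returns the address a
    DSN may be sent to, or None when the bounce must be discarded instead."""
    if msg.envelope_from == "":
        return None                             # never bounce to the null reverse path
    if not msg.sender_verified or msg.auth_user is None:
        return None                             # unverified sender: dropping beats backscatter
    if msg.envelope_from not in AUTHORIZED_SENDERS.get(msg.auth_user, set()):
        return None                             # authorization changed since queueing
    return msg.envelope_from
```

The point of `sender_verified` is that the check made at acceptance time travels with the queued message, so the bounce decision made hours later does not have to trust the envelope address on its own.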
