[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications
Les Mikesell
les at futuresource.com
Thu Jun 30 13:17:46 EDT 2005
On Thu, 2005-06-30 at 10:47, WBrown at e1b.org wrote:
> > You didn't answer when I asked this before so I'll try again. Viruses
> > virtually always use legitimate addresses found in the local contact
> > list or headers of received email - just not the real sender. How
> > does your system ensure that rejections by the next hop can only
> > be returned to the real sender, not a forged address? If you can't
> > do this yourself, how can you expect the rest of the world to do it?
> > If you can, I'd like to know how.
>
> Is that legitimate address the authorized user?
It is likely to be the address of a possible authorized user on your
system if your users send mail to each other, just not the one you
accept the message from.
> The email should only be
> relayed when the sender is the authorized user, ie. the owner of the
> machine. And such a person deserves all the bounces, a thousand times
> over!
How do you determine, when the next hop rejects, that you construct
the bounce only to the original sender, not an address that was
forged by a virus on that sender's machine?
> If the admin is sloppy enough to not check for authorized user, and not
> running AV, they are probably sloppy enough to get their systems listed on
> the RBLs.
I don't see how any of this is relevant. Even if you checked for an
authorized user before accepting the message, how do you tie that to
a matching bounce address after it has been queued and the attempt to
forward is rejected?
> And the sender is not always pulled from the local machine. Most Sober
> variants make up the sender.
There are thousands of viruses and there will be more, so how your
favorite behaves today doesn't matter much. I see bounced mail all
the time with addresses that can only have come from headers that
I've sent, but not from any machines that I know about. So far it
is mostly spam, probably from forwarding zombies but there is a
virus/worm/trojan that has to spread first to cause this and the
viruses are probably using the same mechanism to spread.
--
Les Mikesell
les at futuresource.com
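A constructed model of the accept-then-bounce problem argued about above, added here as an illustration (not MIMEDefang code, and not from either poster): a relay that queues first can only address a later DSN to the envelope sender, which a virus forges, unless it recorded the authenticated submitter with the queued message; a relay that rejects during the SMTP session hands the error to the connected client instead. All names, addresses and reply strings are assumptions.

```python
# Constructed model of store-and-forward bouncing versus in-session rejection.
# Not MIMEDefang or any real MTA; addresses and reply strings are made up.
from dataclasses import dataclass, field

@dataclass
class Envelope:
    client: str        # machine that handed us the message
    auth_user: str     # SMTP AUTH identity, or "" if the client did not authenticate
    mail_from: str     # envelope sender, which a virus can forge freely
    infected: bool     # what the AV scanner would say about the body

@dataclass
class Relay:
    scan_in_session: bool               # reject at DATA, or queue and scan/forward later
    bounce_to_auth_user: bool = False   # address DSNs to the stored AUTH identity
    queue: list = field(default_factory=list)
    dsns: list = field(default_factory=list)   # (recipient, reason) bounces we generated

    def smtp_data(self, env):
        """SMTP reply at the end of DATA; a 5xx here reaches the connected client."""
        if self.scan_in_session and env.infected:
            return "554 5.7.1 message rejected: virus detected"
        self.queue.append(env)
        return "250 2.0.0 queued"

    def run_queue(self):
        """Later forwarding attempt: the next hop rejects infected mail, so we
        generate a DSN; the only address left is the envelope sender unless
        the AUTH identity was kept with the queued message."""
        for env in self.queue:
            if env.infected:
                if self.bounce_to_auth_user and env.auth_user:
                    self.dsns.append((env.auth_user, "next hop rejected"))
                else:
                    self.dsns.append((env.mail_from, "next hop rejected"))
        self.queue.clear()

def dsn_recipients(scan_in_session, bounce_to_auth_user=False):
    """Push one infected message with a forged sender through a relay and
    return (SMTP reply given to the client, list of addresses that get a DSN)."""
    relay = Relay(scan_in_session, bounce_to_auth_user)
    env = Envelope(client="10.0.0.7", auth_user="alice@example.org",
                   mail_from="victim@example.net", infected=True)  # constructed sample
    reply = relay.smtp_data(env)
    relay.run_queue()
    return reply, [rcpt for rcpt, _ in relay.dsns]
```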