[Mimedefang] ClamAV's Worm/Trojan/Joke/W97M classifications

James Ebright jebright at esisnet.com
Thu Jun 30 14:27:51 EDT 2005

On Thu, 30 Jun 2005 10:44:59 -0400, Chris Gauch wrote
> Les Mikesell wrote:

> Exactly.  Unless you break into the MX host at the next hop and set 
> all of its policies and have the miraculous ability to actually 
> figure out where the message was *really* sent from, you're out of 
> luck regardless.

It is being sent from the IP ADDRESS THAT IS TALKING TO YOUR MTA, there is
ZERO QUESTION OF THIS. When you reject a message with a 5xx, that sending IP is
the MTA that received the 5xx and has to figure out what to do with the
message... my server did not issue a bounce and doesn't care about ANY of the
recipients or senders... it is ALL IRRELEVANT... is that so hard to understand?

Yes, if the other server happens to be a valid MTA and not a zombied box (like
your email forwarding example) then it is supposed to generate a bounce
message to the envelope-from, which is probably forged... again... not my
problem, and the sending MTA can easily avoid the issue as well by simply
deploying antivirus software and not relaying infected messages. Any blow-back
from this using a forged domain that you own can be easily handled via SPF (or
MIMEDefang filters). Regardless, a properly administered MTA should NEVER
relay an infected message in the first place.

Simply stated... your server should ideally only ever receive email viruses
from MUAs and zombie PCs. If we receive several from an MTA, we typically
blacklist that MTA for a period of time anyway; if it continues after removal,
then they get a semi-permanent addition to our blacklist.

> Ultimately, the virus is NOT sent back to where 
> it came from.  

The reject sends it back EXACTLY to the IP that was trying to send it to your

> It is sent to some innocent person's inbox; and if 
> you consider the dark side and step into the virus writer's shoes, 
> wouldn't you have been able to see through how standards-conforming 
> MTAs deal with rejections/bounces, and sat back with a certain 
> degree of satisfaction while other valid MTAs (although acting 
> accordingly and properly by rejecting/bouncing unacceptable mail), 
> were really helping to spread your virus?

So in your opinion it is better to hide that an MTA is relaying viruses than to
properly notify them and get it fixed? Out of sight, out of mind?

EsisNet.com Webmail Client
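The exchange the post argues about, as an added illustration that is not code from the original message or from MIMEDefang: a toy SMTP receiver state machine that scans at end-of-DATA and answers with a 5xx, driven by a scripted sending side, so the transcript shows who receives the rejection and who, if anyone, turns it into a DSN. The host names, addresses, peer IP and the use of the EICAR test string as a stand-in for an infected body are all constructed for the example.

```python
"""Model of SMTP-time rejection versus accept-then-bounce.

Constructed example. The receiver below stands in for an MX running a virus
scanner in the DATA phase (what MIMEDefang's action_bounce amounts to); the
scripted client stands in for whatever host is connected to it.
"""
from typing import List, Optional, Tuple

# Real EICAR test signature, used here instead of live malware.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def scan_for_virus(body: str) -> Optional[str]:
    """Stand-in for a ClamAV call: flags the EICAR test string only."""
    return "Eicar-Test-Signature" if EICAR in body else None


class RejectingSmtpReceiver:
    """Our MX. Takes the envelope, scans at end-of-DATA, answers 554 on a hit."""

    def __init__(self, peer_ip: str):
        self.peer_ip = peer_ip          # the only party that ever sees our reply
        self.mail_from: Optional[str] = None
        self.rcpts: List[str] = []
        self.in_data = False
        self.body: List[str] = []
        self.queued: List[Tuple[str, List[str], str]] = []  # accepted mail
        self.dsns_generated: List[dict] = []  # never appended to: a 5xx is not a bounce

    def handle(self, line: str) -> Optional[str]:
        """Feed one client line; return the server reply, or None inside DATA."""
        if self.in_data:
            if line == ".":                 # dot-stuffing omitted for brevity
                self.in_data = False
                return self._end_of_data()
            self.body.append(line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example.net"
        if verb == "MAIL":
            self.mail_from = arg[len("FROM:"):].strip("<>")
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            self.rcpts.append(arg[len("TO:"):].strip("<>"))
            return "250 2.1.5 Ok"
        if verb == "DATA":
            self.in_data, self.body = True, []
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"

    def _end_of_data(self) -> str:
        virus = scan_for_virus("\n".join(self.body))
        if virus:
            # Reply goes to self.peer_ip. We never queued the message, so we
            # have nothing to bounce; the forged envelope-from is not our concern.
            return f"554 5.7.1 Rejected: message contains virus {virus}"
        self.queued.append((self.mail_from or "", list(self.rcpts), "\n".join(self.body)))
        return "250 2.0.0 Ok: queued"


def relay_session(receiver: RejectingSmtpReceiver, mail_from: str, rcpt: str,
                  body_lines: List[str]) -> Tuple[List[Tuple[str, str]], str]:
    """Scripted sending side. Returns the full transcript and the end-of-DATA reply."""
    transcript: List[Tuple[str, str]] = []

    def send(line: str) -> Optional[str]:
        transcript.append(("C", line))
        reply = receiver.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
        return reply

    send("EHLO relay.example.org")
    send(f"MAIL FROM:<{mail_from}>")
    send(f"RCPT TO:<{rcpt}>")
    send("DATA")
    for line in body_lines:
        send(line)
    final = send(".") or ""
    send("QUIT")
    return transcript, final


def peer_reaction(peer_kind: str, final_reply: str, mail_from: str) -> Optional[dict]:
    """What the connected peer does with a 5xx at end-of-DATA.

    Only a real queueing MTA turns it into a DSN to the envelope sender (and that
    DSN originates at the peer, not at our MX); a zombie or MUA just drops it.
    """
    if not final_reply.startswith("5"):
        return None
    if peer_kind == "mta":
        return {"dsn_from": "relay.example.org", "dsn_to": mail_from, "reason": final_reply}
    return None


if __name__ == "__main__":
    mx = RejectingSmtpReceiver("192.0.2.10")
    lines, reply = relay_session(mx, "forged@victim.example", "user@example.net",
                                 ["Subject: test", "", EICAR])
    for side, text in lines:
        print(f"{side}: {text}")
    print("peer (real MTA) does:", peer_reaction("mta", reply, "forged@victim.example"))
    print("peer (zombie) does:  ", peer_reaction("zombie", reply, "forged@victim.example"))
```

The design point is the `_end_of_data` branch: because the 554 is issued before the message is ever queued, `dsns_generated` on our side stays empty in every run, and any backscatter to the forged envelope-from can only be produced by a peer that is itself a queueing MTA. Had the receiver answered 250 and scanned afterwards, it would be the one obliged to generate that DSN.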
