Stephen Smoogen wrote:

On Fri, 2004-03-05 at 12:37, Josh Kelley wrote:


1. Most mass-mailing viruses are sent directly by the virus, in which case no one will see any bounces generated.



Right and Wrong. Most mass mailing viruses are sent by the virus, but
with a spoofed email address that can be either something in the mailbox
or some other item. I get about 20 you sent this virus that I couldn't
have sent every week.


I'm not suggesting sending out "you sent this message" notifications; I know that's a bad idea. I'm suggesting using action_bounce, which rejects the message at the SMTP level, instead of action_discard, which accepts the message and silently discards it.

In this case, the only time someone would see the bounce is if the virus sends a copy of itself through unprotected mail server A, unprotected mail server A tries to relay the message to protected mail server B, which rejects the message, so then unprotected mail server A tries to generate an error message to the forged sender address. The proper fix for this problem, I think, is for mail server A to add virus protection, not for mail server B to start silently discarding email that it can't guarantee has no valid content.

2. Bounces will be generated anyway, if a mass-mailed virus is sent to an invalid email address, so avoiding action_bounce won't stop bounced viruses.



If it isn't sent.. then it won't create anything. The discard kills the
SMTP session.


If the virus sends a copy of itself through unprotected mail server A, and unprotected mail server A tries to relay the message to an invalid email address on mail server B, then mail server B will reject the message regardless of how it handles viruses, and then unprotected mail server A still tries to generate an error message to the forged sender address. So viral bounces can still get generated whether the mail server bounces or discards viruses.

3. If the virus is, for example, a Word macro virus, it shouldn't be silently dropped.



Eh? I don't know if that is correct either. You still have to assume that you are sending the bounce to the correct person. If people could/do put in such conditional rules (if binary-virus->kill else if word->bounce) then the spam/child-porn/mafia/anyone-else-making-money-off-viruses would just then use that as a new novel way to get mass mailings done. [Send bad email with porn/spam/etc with word-macro-virus and have the forged sender be the person you want to send the spam to in the first place.. bang you are assured that person will get tons of your spam because people are going to bounce it to the recipient.]



My argument is that if a mail server silently drops all viral messages, it risks losing valid content. I don't know of a good way to prevent this.

Your argument is that if a mail server bounces viral messages, then it can conceivably be used to spam people. This can be prevented by adding virus protection to mail servers and by various anti-spam methods currently available.

4. To summarize, in the man page's words, "It's almost never a good idea to hide a problem."




No it isn't.. but it doesn't really not hide the problem. Most of these viruses I see here have already been sent through 1-2 mail-relays and the original host/sender is impossible to track down. I can't tell who sent the virus so I can't tell them to clean their machine. Me sending back a bounce that goes to an innocent 3rd party who didn't send the email just makes the problem worse.. as they have no idea why they are getting this email.



Most of the viruses that I get at my mail server come directly from infected computers, if I'm reading my mail server logs correctly.

I'm not particularly interested in tracking down the original sender of the virus. I am interested in letting someone know that their email was rejected if they try to email a viral message.

Again, I'd like to know why the recommendation in MIMEDefang 2.40 was changed from action_bounce to action_discard.

Josh Kelley

_______________________________________________
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
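
A small model of the delivery paths argued over in this thread, added here as an illustration; it is not code from MIMEDefang or from either poster. The policy names "bounce" and "discard" stand for action_bounce and action_discard, and the model assumes that server B refuses unknown recipients during the SMTP session, that a virus's own SMTP engine ignores rejections, and that a sending MTA reports any rejection to the envelope sender.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delivery:
    via_mta: bool        # True: handed to a sending MTA (server A); False: virus connects to B itself
    sender_forged: bool  # envelope sender is not the real originator
    viral: bool          # B's scanner flags the message
    rcpt_valid: bool     # recipient exists on server B

def server_b_reply(d, virus_policy):
    """SMTP outcome at protected server B; virus_policy is 'bounce' or 'discard'."""
    if not d.rcpt_valid:
        return "reject"  # unknown user is refused whatever the virus policy is
    if d.viral:
        return "reject" if virus_policy == "bounce" else "accept-and-drop"
    return "deliver"

def outcome(d, virus_policy):
    """Return (reply_from_B, who_receives_a_failure_notice_or_None)."""
    reply = server_b_reply(d, virus_policy)
    if reply != "reject":
        return reply, None  # message accepted: nobody is told anything
    if not d.via_mta:
        return reply, None  # assumed: the virus's SMTP engine ignores the 5xx
    # Server A already accepted the message, so A reports the failure to the
    # envelope sender, whoever that address really belongs to.
    return reply, "forged third party" if d.sender_forged else "real sender"

# Constructed scenarios matching the cases described in the thread.
SCENARIOS = {
    "virus direct to B": Delivery(False, True, True, True),
    "virus via unprotected A": Delivery(True, True, True, True),
    "virus via A, invalid rcpt": Delivery(True, True, True, False),
    "real user, infected Word doc": Delivery(True, False, True, True),
}

def report():
    """One row per (scenario, policy): name, policy, B's reply, notice recipient."""
    return [(name, policy, *outcome(d, policy))
            for name, d in SCENARIOS.items()
            for policy in ("bounce", "discard")]

if __name__ == "__main__":
    for name, policy, reply, notified in report():
        print(f"{name:30} {policy:8} {reply:16} notice -> {notified}")
```
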
