On Fri, 2005-07-01 at 08:24, Jim McCullars wrote:
> > No, this is the other side of the same SMTP conversation.  I'm asking
> > you to consider what a rejection sets in motion.
>
> Because I am scanning at the MX for my domain, and because the vast
> majority of these viruses come from a hijacked PC with its own SMTP engine
> that don't do returns, I think that most of them end there.

Once again, consider what happens in this scenario: a new virus is introduced that your scanner doesn't catch yet. A machine in your domain is sending messages with every permutation of addresses it can find in its contact list and received emails as the To: and From: addresses through your outbound relay. A receiving relay has a better scanner or just pulled the update that catches this one. Would you prefer it to drop the message quietly or issue a reject, knowing that the bounce to the forged From: is very likely to infect another one of your users' machines?

If there are 8,000 new viruses introduced in a year and it takes several days to identify them in the scanners, this is not at all unlikely. Our company submitted one to McAfee, Symantec, and Clam on a weekend and the update didn't include it until Tuesday for McAfee and Symantec, and Clam didn't add it until we resubmitted with one of the commercial scanner's identifiers. That one was generating so much network traffic that it literally took down the network - our redundant Ciscos both decided to take over because they couldn't see each other's HSRP heartbeats. After that experience I'm convinced that anything that identifies a virus should do everything possible to make sure it does not reach another Windows machine.

> > There really is no question about what you have to do with a negative
> > DSN from the next MTA.  Likewise they have no choice about what to
> > do when you issue one.
>
> Again, you are assuming that these virus programs perform to standards.
> I think this is an erroneous assumption.

No, I am talking about programs that forward through the relay they find configured in Outlook. Some do, some don't. I'd expect more and more to do that, or try both ways as more ISPs block port 25 to home connections except to their own relays.

The reason viruses keep getting worse is that each new one can combine all of the old ways of spreading to have a better chance to spread before the scanner definitions start to block them.

-- 
Les Mikesell
[EMAIL PROTECTED]
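
The two positions in this thread can be compared with a small model of the mail path. This is an added example, not part of the original message or of MIMEDefang; the function names, the addresses and the assumption that a relay's DSN carries the original message with its attachment are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    env_from: str   # envelope sender; forged from harvested addresses
    rcpt: str       # envelope recipient
    infected: bool  # True if the body carries the attachment

def mx_reply(msg, mx_detects, policy):
    """SMTP reply code the receiving MX gives at end of DATA."""
    if msg.infected and mx_detects and policy == "reject":
        return 554
    return 250  # clean, missed, or accepted and quietly dropped

def client_dsns(msg, reply, client, dsn_has_original=True):
    """DSNs the SMTP client generates after seeing `reply`."""
    if reply < 500 or client == "virus_engine":
        return []  # nothing failed, or the sender keeps no queue and sends no returns
    # A real relay must report the failure to the envelope sender.
    # Assumption: the DSN includes the original message (dsn_has_original).
    return [Msg("<>", msg.env_from, msg.infected and dsn_has_original)]

def infected_mailboxes(msg, client, policy, mx_detects=True):
    """Mailboxes that end up holding a copy of the attachment."""
    reply = mx_reply(msg, mx_detects, policy)
    # If the MX scanner misses it, the original is delivered whatever the policy.
    hit = [msg.rcpt] if (msg.infected and not mx_detects) else []
    hit += [d.rcpt for d in client_dsns(msg, reply, client) if d.infected]
    return hit

# Constructed sample: both addresses are made up.
SAMPLE = Msg("alice@example.org", "bob@example.net", True)

if __name__ == "__main__":
    for client in ("relay", "virus_engine"):
        for policy in ("reject", "discard"):
            print(client, policy, infected_mailboxes(SAMPLE, client, policy))
```

Only the relay-plus-reject combination puts a copy in the forged sender's mailbox; a direct-to-MX virus engine produces no bounce under either policy.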

