Postfix anti-antivirus (was Re: [linux-elitists] procmail recipe for mydoom?)

Martin Pool mbp@sourcefrog.net
Mon Feb 9 23:20:52 PST 2004


On  4 Feb 2004, "Karsten M. Self" <kmself@ix.netcom.com> wrote:

> > It does add to the problem. Forged-sender worm hits your server, you
> > reject it, thus kicking the client MTA into sending a bounce.
> 
> No.
> 
> Your 55x reject causes:
> 
>   - A virus with a minimal SMTP server to not give a whit.
> 
>   - A smarthosted SMTP server to reject the mail to the sending client.
>     Which it, unlike you, can identify.

Wow, really?  You have a smarthost so smart that when a client
connects to it and forges envelopes and headers, the smarthost can
still work out the right address to send the bounce?  I'd like to see
that.  That is a hell of a smart host to work out the right address
from thin air.

How, specifically, does the smarthost know which where to send the
rejection message?  Bear in mind that the client who submitted the
virus to the smarthost has closed the SMTP connection, and may not
even be reachable at the same IP address.

In principle the smarthost admin could look in the server log and use
the message ID to match up the rejection with the IP address of the
incoming message.  Then they need to match that IP to the human owner,
which might be possible in some ISPs, but might not be possible on say
a DHCP LAN.  Then they need to work out the right address for that
person.  A good admin might be able to do it but I don't think many
MTAs can.  (Actually, this might make a pretty good product or
project...)

Of course if the admin was that smart and proactive then they probably
wouldn't be relaying viruses in the first place, would they?

> > Aren't you sick of getting these yet (or blocking them)? 
> 
> What I'm sick of is explaining to people who really should know better
> the difference between an SMTP reject and an email nondelivery
> notification based on spoofed headers.

OK, but there is another case you're not considering: sending a reject
causes the smarthost to generate a bounce.  That bounce will *always*
go to the wrong address.  

Generating rejects for known viruses only adds to the problem without
achieving anything useful.  It is impossible for a rejection or bounce
to ever get anywhere useful.  

For known viruses, the only sensible policy is to accept them and
either drop, sanitize, or quarantine them.  You can pick any one of
these, depending on whether you think the chance of getting a
non-virus .EXE is zero or just nearly zero.  But please don't reject
them.

-- 
Martin



More information about the linux-elitists mailing list