Postfix anti-antivirus (was Re: [linux-elitists] procmail recipe for mydoom?)

Martin Pool mbp@samba.org
Tue Feb 10 15:33:11 PST 2004


On 10 Feb 2004, Ben Finney <ben@benfinney.id.au> wrote:
> On 10-Feb-2004, Martin Pool wrote:
> > In principle the smarthost admin could [manually determine the correct
> > recipient host for a reject you generate].
> > 
> > Of course if the admin was that smart and proactive then they probably
> > wouldn't be relaying viruses in the first place, would they?
> 
> Which, IMO, is pushing the problem in the right direction.  If I'm
> generating a reject for known viruses, then *whoever* is connecting to
> me and trying to pass it on needs to:
> 
>   - FOAD (if they're doing it intentionally)
>   - clean up their machine (if they're infected)
>   - implement virus-reject policies themselves (if they're a smarthost
>     blithely passing it on to me)

Yes, any of those would be nice.  But rejecting won't achieve them.

The primary (and usually only) effect of giving a reject to a message
coming through a smarthost is that a nondelivery message will go to an
innocent third party whose address was spoofed.  (Have you really not
seen these to your address?)

I don't have a virus infection, and my mailers don't pass viruses.
But I keep getting nondelivery messages because people reject viruses
forged from my address, rather than mopping them up.  How does that
help anything?

I suppose it's just conceivable that the smarthost owner might notice
all the 550s in their logs, and wonder what was going wrong.  But
let's face it, if they were examining their logs they'd probably
notice all the 150kB outgoing messages with forged addresses, wouldn't
they?

> In all these cases, an SMTP-time reject seems my most appropriate
> course.  If you're an unwitting vector for malware, it's your
> responsibility these days to damned well *get* some wit, and stop being
> a vector. 

I too wish people would not let their relays forward viruses.

> How does dropping the message silently move us forward?

Not at all.  However, rejecting them makes it worse, by generating
extra noise to people who can do nothing about it.  First, do no harm.

If you wanted to bring the problem to the attention of somebody who
could do something about it, you would e.g. look up the domain of the
sender's IP and send mail to their postmaster.

-- 
Martin 
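To make the mechanics of the argument above concrete, here is a small model of the two delivery paths discussed in this thread. It is an added example, not code from the original mail or from Postfix; every host name, address and the virus marker in the body is a constructed sample value. The model shows why a 550 at the final MX is harmless when the infected machine connects directly (a worm's own SMTP engine simply ignores the reply), but turns into a non-delivery report aimed at the forged envelope sender once a smarthost has already accepted the message.

```python
"""Model of SMTP-time reject vs. silent discard for a forged-sender virus.

Added example; not from the original mail.  Hosts, addresses and the
'X-CONSTRUCTED-VIRUS' marker are constructed sample values, not real data.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Message:
    mail_from: str   # envelope sender; the worm forges this to a third party
    rcpt_to: str     # envelope recipient
    body: str


@dataclass
class Dsn:
    """A non-delivery report ("bounce") generated by a relay."""
    to: str
    reason: str


class FinalMx:
    """Destination MX with a policy for messages detected as viruses.

    REJECT  -> answer 550 after DATA, so the *previous* hop must deal with it.
    DISCARD -> answer 250, then drop the message without any notification.
    """

    def __init__(self, policy: str):
        if policy not in ("REJECT", "DISCARD"):
            raise ValueError("policy must be REJECT or DISCARD")
        self.policy = policy
        self.delivered: List[Message] = []

    @staticmethod
    def is_virus(msg: Message) -> bool:
        # Stand-in for a real scanner: constructed marker string in the body.
        return "X-CONSTRUCTED-VIRUS" in msg.body

    def end_of_data(self, msg: Message) -> str:
        """Return the SMTP reply the MX gives after the DATA phase."""
        if self.is_virus(msg):
            if self.policy == "REJECT":
                return "550 5.7.1 Virus detected, message refused"
            return "250 2.0.0 Ok: queued (silently discarded)"
        self.delivered.append(msg)
        return "250 2.0.0 Ok: queued"


class Smarthost:
    """Relay that has *already accepted* the message from its client.

    By the SMTP contract, any permanent failure it meets downstream has to
    be reported to the envelope sender, i.e. to whoever was forged.
    """

    def __init__(self):
        self.dsns: List[Dsn] = []

    def relay(self, msg: Message, mx: FinalMx) -> str:
        reply = mx.end_of_data(msg)
        if reply.startswith("5"):
            self.dsns.append(Dsn(to=msg.mail_from, reason=reply))
        return reply


class InfectedClient:
    """Worm SMTP engine connecting straight to the MX; it never bounces."""

    def send(self, msg: Message, mx: FinalMx) -> str:
        return mx.end_of_data(msg)   # reply is ignored, no DSN is created


def sample_worm_message() -> Message:
    # Constructed sample: envelope sender forged to an uninvolved address.
    return Message(mail_from="innocent@example.org",
                   rcpt_to="victim@example.net",
                   body="X-CONSTRUCTED-VIRUS payload (constructed sample)")


def backscatter_via_smarthost(policy: str) -> List[str]:
    """Addresses that receive a bounce when the worm mail passes a relay."""
    relay = Smarthost()
    relay.relay(sample_worm_message(), FinalMx(policy))
    return [d.to for d in relay.dsns]


def backscatter_direct(policy: str) -> List[str]:
    """Addresses that receive a bounce when the infected host connects itself."""
    InfectedClient().send(sample_worm_message(), FinalMx(policy))
    return []   # nothing in this path can generate a DSN
```

Running `backscatter_via_smarthost("REJECT")` returns `['innocent@example.org']`: the forged sender gets the bounce, the relay owner and the infected machine learn nothing. `backscatter_via_smarthost("DISCARD")` and both direct-connection cases return an empty list, which is the "first, do no harm" outcome the message argues for when the peer is a relay rather than the infected host.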