Postfix anti-antivirus (was Re: [linux-elitists] procmail recipe for mydoom?)

Ben Finney ben@benfinney.id.au
Tue Feb 10 15:49:07 PST 2004


On 11-Feb-2004, Martin Pool wrote:
> On 10 Feb 2004, Ben Finney <ben@benfinney.id.au> wrote:
> > Which, IMO, is pushing the problem in the right direction.  If I'm
> > generating a reject for known viruses, then *whoever* is connecting
> > to me and trying to pass it on needs to:
> > 
> >   - FOAD (if they're doing it intentionally)
> >   - clean up their machine (if they're infected)
> >   - implement virus-reject policies themselves (if they're a
> >     smarthost blithely passing it on to me)
> 
> Yes, any of those would be nice.  But rejecting won't achieve them.
> 
> The primary (and usually only) effect of giving a reject to a message
> coming through a smarthost is that a nondelivery message will go to an
> innocent third party whose address was spoofed.  (Have you really not
> seen these to your address?)

And that bounce message will come from the relay host (the smarthost, in
your scenario) which tried to pass it on to me.  They dropped the ball
by failing to reject it themselves; they can take the heat for the
bounce message.


> I don't have a virus infection, and my mailers don't pass viruses.
> But I keep getting nondelivery messages because people reject viruses
> forged from my address, rather than mopping them up.  How does that
> help anything?

How does "mopping them up" apply?  That term would imply, to me, getting
rid of the malware from the infected system.  How can the recipient do
that?

If you mean "dropping them silently", that hides the fact that a system
is acting as a malware vector.  An SMTP-time reject allows that vector
to be identified.


> I suppose it's just conceivable that the smarthost owner might notice
> all the 550s in their logs, and wonder what was going wrong.

Or, better, the recipients of the bounce messages can pressure the
smarthost to stop accepting the malware in the first place.


> > In all these cases, an SMTP-time reject seems my most appropriate
> > course.  If you're an unwitting vector for malware, it's your
> > responsibility these days to damned well *get* some wit, and stop
> > being a vector.
> 
> I too wish people would not let their relays forward viruses.

If that's your wish, then you'll want to identify the people who do
relay them, and ask them not to do so.  When you receive an MTA bounce
message for malware you didn't send, you have identified an MTA that is
not behaving as you wish.

-- 
 \          "It was half way to Rivendell when the drugs began to take |
  `\     hold"  -- Hunter S. Tolkien, _Fear and Loathing in Barad-Dûr_ |
_o__)                                                                  |
Ben Finney <ben@benfinney.id.au>
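As an added illustration (not part of the thread), a small Python model of the mail hops argued over above: it walks a chain of MTAs and reports which host, if any, ends up sending the non-delivery notice to the forged envelope sender under each policy (SMTP-time reject, silent discard, accept-then-bounce). All hostnames and the forged address are constructed placeholders.

```python
# Added model (not from the thread): which host ends up sending the DSN?
# A hop is (hostname, policy); policy is what that host does with a message
# it recognises as malware.  The originating machine has no policy (None).
ACCEPT = "accept"    # take it and relay it on (or deliver it, at the last hop)
REJECT = "reject"    # refuse with a 5xx at SMTP time, before taking responsibility
DISCARD = "discard"  # accept, then silently drop it
BOUNCE = "bounce"    # accept, then generate a DSN to the (forged) envelope sender

def trace(chain, envelope_from):
    """Walk the hops; report where the mail stopped and who, if anyone,
    sends a DSN to envelope_from (the innocent third party in the thread)."""
    result = {"delivered": False, "stopped_at": None, "dsn_from": None, "dsn_to": None}
    for i in range(1, len(chain)):
        sender_name, receiver_name, policy = chain[i - 1][0], chain[i][0], chain[i][1]
        if policy == ACCEPT:
            continue
        result["stopped_at"] = receiver_name
        if policy == REJECT and i > 1:
            # A refused relay still holds a message it accepted earlier, so it
            # must bounce it; a refused originator (i == 1) just sees the error.
            result["dsn_from"], result["dsn_to"] = sender_name, envelope_from
        elif policy == BOUNCE:
            result["dsn_from"], result["dsn_to"] = receiver_name, envelope_from
        return result  # REJECT at the first hop and DISCARD produce no DSN
    result["delivered"], result["stopped_at"] = True, chain[-1][0]
    return result

# Constructed hostnames and forged sender; not real systems.
FORGED = "innocent@example.org"
ORIGIN = ("infected-pc.example.net", None)
SMARTHOST = "smarthost.example.net"
RECIPIENT = "mx.recipient.example"

def scenarios():
    """The four outcomes argued over in the thread, keyed by description."""
    return {
        "smarthost relays, recipient rejects":
            trace([ORIGIN, (SMARTHOST, ACCEPT), (RECIPIENT, REJECT)], FORGED),
        "smarthost rejects at SMTP time":
            trace([ORIGIN, (SMARTHOST, REJECT)], FORGED),
        "smarthost relays, recipient discards":
            trace([ORIGIN, (SMARTHOST, ACCEPT), (RECIPIENT, DISCARD)], FORGED),
        "smarthost relays, recipient accepts then bounces":
            trace([ORIGIN, (SMARTHOST, ACCEPT), (RECIPIENT, BOUNCE)], FORGED),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

Only the second scenario leaves the forged address untouched, which is the outcome the reply above is arguing for; the first shows why the smarthost, not the final recipient, is the one emitting the backscatter.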