Postfix anti-antivirus (was Re: [linux-elitists] procmail recipe for mydoom?)

Gerald Oskoboiny gerald@impressive.net
Tue Feb 10 17:31:30 PST 2004


* Martin Pool <mbp@samba.org> [2004-02-11 10:54+1100]
> On 10 Feb 2004, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
> > On Tue, Feb 10, 2004 at 06:20:52PM +1100, Martin Pool wrote:

> > > OK, but there is another case you're not considering: sending a reject
> > > causes the smarthost to generate a bounce.  That bounce will *always*
> > > go to the wrong address.
> >
> > No, it goes as a 550 at the end of the DATA connection, so by definition
> > goes to the right person.
> 
> You're talking about filtering mail coming into the smarthost.  That's
> fine.  The problem is filtering mail coming into the destination.
> 
> 
>     Client ---> Smarthost ---> Destination
>                      |
>                      |
>                      v
>                 example.com
> 
> In this diagram, the Client has a virus infection.  The smarthost is
> run by their ISP/company/whatever, and has a pretty dumb admin who has
> not put in place the filters you describe, so it just passes viruses.
> The destination is us.

In a world with SPF, the Smarthost above can check to see if
Client is authorized to send mail on behalf of example.com.
If not, Smarthost should reject it during its initial SMTP
chat with Client.

If Smarthost doesn't do this and passes it on to Destination,
and Destination rejects it instead of discarding it, both
Smarthost and example.com have been given extra incentive
to deploy SPF on their sites, and everybody wins!

If example.com has deployed SPF and Smarthost hasn't, example.com
can bug the admins of Smarthost to get with the program.

Of course, SPF deployment is just beginning, so it's probably
inconsiderate to burden example.com with all those extra bounces,
which is why I'm still discarding thousands of Mydooms instead
of rejecting them.

But I'd like to get to a place where email doesn't have to be
silently discarded any more, so it might be good to send a few
rejections here and there with an extra little note saying
"forgery victim? see http://spf.pobox.com/ " to spread the word.

-- 
Gerald Oskoboiny <gerald@impressive.net>
http://impressive.net/people/gerald/
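As an added illustration of the smarthost-side check Gerald describes (my example, not code from the thread): a minimal SPF evaluator over a constructed TXT record for example.com, with a fail mapped to a rejection during the SMTP dialogue so the smarthost never has to generate a bounce toward the forged address. The record, the IP addresses and the function names are assumptions; a real smarthost would fetch the record from DNS.

```python
import ipaddress

# Constructed SPF record for example.com (no DNS lookup is done here).
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

def evaluate_spf(sender_domain, client_ip, records=SPF_RECORDS):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none'.

    Only the ip4:, ip6: and all mechanisms with +/-/~/? qualifiers are
    handled, which is enough to show the check at the smarthost.
    """
    record = records.get(sender_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"          # domain publishes no SPF policy
    addr = ipaddress.ip_address(client_ip)
    results = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in results:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return results[qualifier]
        mech, _, arg = term.partition(":")
        # ip_network.__contains__ is False when the address families differ.
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return results[qualifier]
    return "neutral"           # record exhausted without a match

def smtp_decision(sender_domain, client_ip):
    """Map the SPF result to the smarthost's reply at MAIL FROM time.

    Rejecting here, while the Client is still connected, means the
    Client (not example.com) learns about it and no bounce is created.
    """
    result = evaluate_spf(sender_domain, client_ip)
    if result == "fail":
        return ("550", f"5.7.1 {client_ip} is not authorized to send mail for "
                       f"{sender_domain}; forgery victim? see http://spf.pobox.com/")
    return ("250", f"2.1.0 sender accepted (SPF {result})")
```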


