Postfix anti-antivirus (was Re: [linux-elitists] procmail recipe for mydoom?)

Martin Pool mbp@samba.org
Tue Feb 10 17:44:17 PST 2004


On 10 Feb 2004, Gerald Oskoboiny <gerald@impressive.net> wrote:

> > You're talking about filtering mail coming into the smarthost.  That's
> > fine.  The problem is filtering mail coming into the destination.
> > 
> > 
> >     Client ---> Smarthost ---> Destination
> >                      |
> >                      |
> >                      v
> >                 example.com
> > 
> > In this diagram, the Client has a virus infection.  The smarthost is
> > run by their ISP/company/whatever, and has a pretty dumb admin who has
> > not put in place the filters you describe, so it just passes viruses.
> > The destination is us.
> 
> In a world with SPF, the Smarthost above can check to see if
> Client is authorized to send mail on behalf of example.com.
> If not, Smarthost should reject it during its initial SMTP
> chat with Client.

Yes, SPF is cool, and cryptographically verified mail is cool too.
They'd help prevent forgeries, which would help with malware and spam.

At the moment I am not concerned with whether SPF will be common in a
couple of years' time.  I just want Novarg to cause a bit less knock-on
damage right now.

In fact, Smarthost doesn't need SPF to fix this: all it needs is to
check that it only allows outgoing messages with valid sender
addresses, according to either SMTP AUTH or some other mechanism.
Just checking the envelope sender domain would be a start.

> But I'd like to get to a place where email doesn't have to be
> silently discarded any more, so it might be good to send a few
> rejections here and there with an extra little note saying
> "forgery victim? see http://spf.pobox.com/ " to spread the word.

As you say, adopting SPF is not likely to directly help poor
example.com in this particular case.

Probably a better way to persuade Smarthost to sober up is to have an
RBL of hosts that are too lax in passing mail.  This was pretty
effective in eventually stopping open relaying a few years ago.

By the way, I'm not in favour of silently dropping things that "look
like spam", or have HTML attachments -- there is too much chance of
false positives.  But in 2004 there is zero chance that an EXE
attachment is anything but a virus.  My grandmother knows that.

I'm not sure, but I think silent absorption is the only sensible
response to some attacks.  How many of you strictly comply with the
way IP routing was originally meant to work, and how many have
firewalls that just log and drop evil packets?

-- 
Martin 
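As an added example (not code from the original message, nor Postfix's own), here is the Smarthost-side check Martin describes, written as a small Postfix SMTPD access-policy service: a client that did not authenticate via SMTP AUTH is refused, and an authenticated login may only use envelope sender addresses it owns. Postfix ships this check natively as reject_sender_login_mismatch driven by smtpd_sender_login_maps; the policy service below spells the logic out so it is visible. The login-to-sender map, the listening port 10040, and the "@domain" convention for whole-domain entries are assumptions of this example.

```python
"""
Minimal Postfix SMTPD policy service: enforce that the envelope sender
matches the SMTP AUTH login.

Protocol (Postfix SMTPD_POLICY_README): the server sends "name=value"
lines terminated by an empty line; we answer "action=..." plus an
empty line.  Wire up on the Postfix side (assumed main.cf fragment):

    smtpd_sender_restrictions = check_policy_service inet:127.0.0.1:10040
"""
import socketserver

# Constructed sample map: SASL login -> sender addresses it may use.
# A leading "@" means the whole domain (convention of this example only).
# In production this would be fed from the same data as smtpd_sender_login_maps.
SENDER_LOGIN_MAP = {
    "alice": {"alice@example.com"},
    "mailer": {"@example.com"},
}

POLICY_PORT = 10040  # assumption: any free local port Postfix can reach


def parse_policy_request(raw: str) -> dict:
    """Parse one policy request: 'name=value' lines up to the first blank line."""
    attrs = {}
    for line in raw.splitlines():
        if line == "":
            break
        name, sep, value = line.partition("=")
        if sep:
            attrs[name] = value
    return attrs


def sender_allowed(sasl_username: str, sender: str) -> bool:
    """True if this login owns the sender address or its whole domain."""
    allowed = SENDER_LOGIN_MAP.get(sasl_username)
    if not allowed:
        return False
    sender = sender.lower()
    if sender in allowed:
        return True
    _, at, domain = sender.rpartition("@")
    return bool(at) and ("@" + domain) in allowed


def decide(attrs: dict) -> str:
    """Return the Postfix action line for a parsed request."""
    if attrs.get("request") != "smtpd_access_policy":
        return "action=DUNNO"
    sender = attrs.get("sender", "")
    login = attrs.get("sasl_username", "")
    if not login:
        # Unauthenticated client: no outgoing mail through this host at all.
        return "action=REJECT SMTP AUTH required to send through this host"
    if sender == "":
        # Null envelope sender (bounce); leave the decision to later restrictions.
        return "action=DUNNO"
    if not sender_allowed(login, sender):
        return f"action=REJECT Sender address {sender} not owned by login {login}"
    return "action=DUNNO"


def handle_request(raw: str) -> str:
    """Full request text in, full response text (with terminating blank line) out."""
    return decide(parse_policy_request(raw)) + "\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """One connection may carry many requests; answer each as it completes."""

    def handle(self):
        buf = []
        while True:
            line = self.rfile.readline()
            if not line:
                return  # Postfix closed the connection
            line = line.decode("ascii", "replace").rstrip("\r\n")
            buf.append(line)
            if line == "":
                self.wfile.write(handle_request("\n".join(buf)).encode("ascii"))
                self.wfile.flush()
                buf = []


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("127.0.0.1", POLICY_PORT), PolicyHandler) as srv:
        srv.serve_forever()
```

The check keys on the envelope sender (the `sender` attribute Postfix passes), which is the "start" Martin mentions; nothing here inspects message content, so rejecting .exe attachments, the other point in the message, would be a separate content check (in Postfix, mime_header_checks), not part of a policy service.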