Postfix anti-antivirus (was Re: [linux-elitists] procmail recipe for mydoom?)

Phil Mayers p.mayers@imperial.ac.uk
Tue Feb 10 17:50:00 PST 2004


On Wed, Feb 11, 2004 at 12:26:41PM +1100, Martin Pool wrote:
> On 10 Feb 2004, Phil Mayers <p.mayers@imperial.ac.uk> wrote...
> 
> The secret of good comedy is timing.  I just got a false bounce from
> an Exim machine at Imperial College.  Thanks very much.
> 
> Had it done the sensible thing and sequestered/dropped the virus
> email, the volume of crap email would have dropped by one iota.

Grin. In actual fact, you got that from the mail relays at the
*Academic* Department of Computing, which historically has had
doc.ic.ac.uk as a delegation and run entirely themselves, including MX.
They do not partake of the resources that ICT (Computer Support, me)
provide, largely out of independence.

But you're right - that is very funny in the context of the discussion.

Interestingly enough:

1) DoC appear not to be verifying local parts at RCPT time. Hmm. I will
have a word with them about that. Had they done so, the RCPT would have
generated a 5xx and the bounce would have come from Demon.

2) That mail appears to have come from a relay inside Demon (tut tut. I
remember when Demon were a good ISP). You see, if SPF was running on
samba.org and being checked by DoC, that bounce would have come from
Demon, whose *REAL* fault this is, and you would have complained to
someone with more cause to complain to.

However, I should 'fess up in case you *do* see an NDR from us:

1) At the moment, our Exim installation is 3.36, and does not have
"modern" filtering - it's an Exim system filter, which will, sadly,
generate inappropriate bounces. We are in the process of rectifying
that, because it's wrong - I stand by everything I said even in the face
of that, and people would be well within their rights to complain, and I
have responded with apologies when people have pointed out the error of
my ways. Indeed, that humbling experience is largely behind my keenness
for current robustifying technologies for SMTP.

2) Since it's Exim3, with no DATA-time ACLs, even if we *did* have
"modern" MIME-decoding filtering, it would generate bounces not rejects.

So, I apologise for being one of the current crop of bouncers. We are
having change control issues, which I know is a lame excuse.

However, DATA-time rejects are what *I* would rather see, and we're a
very high traffic mail site.

Don't you just hate it when you get caught out whilst being righteous...
(hangs head in shame).

> 
> 
> ---------------------------
> From MAILER-DAEMON  Tue Feb 10 23:43:36 2004
> From: Mail Delivery System <Mailer-Daemon@doc.ic.ac.uk>
> Subject: Mail delivery failed: returning message to sender
> Date: Tue, 10 Feb 2004 12:43:33 +0000
> To: mbp@samba.org
> 
> This message was created automatically by mail delivery software.
> 
> A message that you sent could not be delivered to one or more of its
> recipients. This is a permanent error. The following address(es) failed:
> 
>   peter@doc.ic.ac.uk:
>     unknown local-part "peter" in domain "doc.ic.ac.uk"
> 
> ------ This is a copy of the message, including all the headers. ------
> 
> Return-path: <mbp@samba.org>
> Received: from exim by finch.doc.ic.ac.uk with spam-scanned (Exim 3.16 #1)
>         id 1AqXEj-0001rp-00
>         for peter@doc.ic.ac.uk; Tue, 10 Feb 2004 12:43:33 +0000
> Received: from lon1-relay-1.mail.demon.net ([194.217.242.208] helo=relay-1.mail.demon.net)
>         by finch.doc.ic.ac.uk with esmtp (Exim 3.16 #1)
>         id 1AqXEj-0001rm-00
>         for peter@doc.ic.ac.uk; Tue, 10 Feb 2004 12:43:33 +0000
> Received: from [24.199.216.204] (helo=samba.org)
>         by relay-1.mail.demon.net with esmtp id 1AqXEf-0003JV-NJ
>         for peter@doc.ic.ac.uk; Tue, 10 Feb 2004 12:43:31 +0000
> From: mbp@samba.org
> To: peter@doc.ic.ac.uk
> Subject: test
> Date: Tue, 10 Feb 2004 07:42:36 -0500
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
>         boundary="----=_NextPart_000_0007_E59C1852.9F6D2DA5"
> X-Priority: 3
> X-MSMail-Priority: Normal
> Message-Id: <E1AqXEf-0003JV-NJ@relay-1.mail.demon.net>
> X-Spam-Flag: YES
> X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on finch.doc.ic.ac.uk
> X-Spam-Level: ****
> X-Spam-Status: Yes, hits=4.0 required=4.0 tests=MISSING_MIMEOLE,
>         MSGID_FROM_MTA_BACKUP,NO_REAL_NAME,PRIORITY_NO_NAME autolearn=no
>         version=2.63
> X-Spam-Report:
>         *  0.3 NO_REAL_NAME From: does not include a real name
>         *  1.8 MSGID_FROM_MTA_BACKUP Message-Id was added by a relay
>         *  1.2 MISSING_MIMEOLE Message has X-MSMail-Priority, but no X-MimeOLE
>         *  0.8 PRIORITY_NO_NAME Message has priority setting, but no X-Mailer
> 
> This is a multi-part message in MIME format.
> 
> --
> Martin


-- 

Regards,
Phil

+------------------------------------------+
| Phil Mayers                              |
| Network & Infrastructure Group           |
| Information & Communication Technologies |
| Imperial College                         |
+------------------------------------------+
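The three decision points discussed above (RCPT-time local-part verification, DATA-time rejection, and accept-then-bounce), as an added Python model of where the failure lands; this is not code from the thread, Exim or Postfix, and the user table, the content check and the message body are constructed.

```python
"""Toy model of where an MTA refuses mail and who ends up holding the
failure. Constructed example: LOCAL_USERS and looks_unwanted() are
stand-ins, not a real MTA's tables or filters."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

LOCAL_USERS = {"alice", "postmaster"}  # constructed local-part table


def looks_unwanted(body: str) -> bool:
    """Crude stand-in content filter (constructed): flags .exe attachments."""
    return ".exe" in body.lower()


@dataclass
class Session:
    replies: List[str] = field(default_factory=list)  # one SMTP reply per command
    queued: bool = False                 # did we take responsibility for the message?
    ndr_to: Optional[str] = None         # envelope sender that gets a bounce, if any


def smtp_transaction(mail_from: str, rcpt_to: str, body: str,
                     verify_at_rcpt: bool, data_time_acl: bool,
                     users=LOCAL_USERS,
                     unwanted: Callable[[str], bool] = looks_unwanted) -> Session:
    s = Session()
    s.replies.append("250 OK")  # MAIL FROM accepted
    local = rcpt_to.split("@", 1)[0]
    known = local in users
    if verify_at_rcpt and not known:
        # 5xx at RCPT: the sending relay owns the failure; nothing is queued,
        # so no NDR is ever generated by us.
        s.replies.append('550 unknown local-part "%s"' % local)
        return s
    s.replies.append("250 Accepted")  # RCPT TO accepted (blindly, if not verifying)
    if data_time_acl and unwanted(body):
        # DATA-time reject (Exim 4 ACL / Postfix content restriction): still no NDR.
        s.replies.append("550 Message rejected: unwanted content")
        return s
    s.replies.append("250 OK queued")  # after DATA we own the message
    s.queued = True
    if not known or unwanted(body):
        # Delivery or a post-queue filter fails later; all we can do now is
        # bounce to the envelope sender, which a worm will have forged.
        s.ndr_to = mail_from
    return s
```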