[linux-elitists] Re: Postfix anti-antivirs

Martin Pool mbp@samba.org
Tue Feb 10 18:15:40 PST 2004


On 11 Feb 2004, Phil Mayers <p.mayers@imperial.ac.uk> wrote:
> On Wed, Feb 11, 2004 at 10:54:48AM +1100, Martin Pool wrote:

> So *I* am supposed to absorb the spam to help forged@example.com. I
> believe in teaching a man to fish, personally...

example.com never did anything to you.  He doesn't have a virus, he
has virus filters on his mail server, he has SPF records and maybe he
spends his evenings working on anti-spam projects.  So why are you (at
one level of indirection) causing crap to flow to him?

> By your argument, I should stand by quietly while people hurl verbal
> abuse at me in a crowd, because if they're shouting at me, well, the
> other people are not being shouted at, so that makes me a good citizen?

Sorry, I don't understand the analogy. 

If somebody yells "Martin says you suck" at you, why do you turn
around and yell at me?  Well, I can see why there would be that
emotional reaction, but I am trying to point out that it is neither
polite nor helpful.  Lart the party of the first part instead.

> 1) SPF - so I know the host sending me the mail has a valid, presumably
> authenticated return path to the real sender.

OK, once everyone has SPF that will be great.  Shall we pencil that in
for 2007?

> 2) Content policy - so, let's say someone is sending a researcher at my
> site a virus for genuine academic work. They're doing it from an
> SPF-enabled site. They will thus see my error message (whereas in your
> case, it'd get silently dropped), and can take action e.g. encrypt the
> file, put the .doc inside a .zip, change the subject line to make it
> look less like spam

Tell me, what fraction of virus attachments do you think are
intentionally sent by virus researchers?  Maybe 1e-12?  Is it worth
optimizing for this case?

Anyone who sends a virus as a plain attachment is not a serious
researcher.  Putting it in a password-protected zip is as much
standard practice as not leaving sandwiches on the P3 lab bench.

> 1) spf.rfcignorant.org

That would be great as a +1 spamassassin score, but we're not there
yet.

> If it comes up positive, run the NDR through a SpamAssassin check for
> this specific thing (try, for example, to find the message-id in the
> mail being NDRed, and check your records for the last 72 hours) and give
> it a spam score and act accordingly.

Note that because of widespread broken MTAs it's hard to reliably
detect NDRs.

> > It is no good to say "people should fix their mailservers".  They
> > should, but they won't.  People shouldn't run random executables, or
> > dodgy operating systems.  The fact is they do; we need to deal with it
> > as it is.
> 
> Hmm. If, as computer professionals, we cannot provide a system which is
> reasonably safe to use, we're at least partially to blame for the
> problems that result. It's no good saying "well, SMTP is just shit and
> we have to accept that" (it's true). We should attempt to fix it.

I agree.

My point is, at the moment, in the real world, people are carrying
boxes of grenades (or at least firecrackers) around.  When one lands
in your TCP stack, the responsible and sane response is *not* to throw
it off in some other direction, but rather to drop it in a bucket of
water (or whatever you do with grenades.)

> > And (almost) every time, an extra junk message.  Thanks very much.
> > Why bother putting in so much effort to clever MAC tracking when
> > you're doubling the amount of junk email?
> 
> There will inevitably be a changeover period where this causes slightly
> more rejection traffic.

Where "slightly more" is over a hundred per month for me, yeah.  If it
were five, I would not care.  But it is getting to be more of a
problem than the worms themselves.

> That should only encourage people to make their domain Joe Job
> proof.

There is no way I can do that at the moment.  Publishing SPF will not
stop any of these rejections.

The hosts which are forwarding malware plainly have the most clueless
admins, and so they will be the last to use SPF.  Probably they only
will when they're forced by an RBL, and *that* will only happen when
the rest of us have got it going.  So three years at least.

> I'm sorry, I am not willing to put up with the current level
> of spam.

By all means work on SPF and encourage adoption and graylist people
who won't use it.  Just please, in the meantime, don't give SMTP
rejections for known-to-be-forged mail.

-- 
Martin 
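The NDR check Phil proposes above (find the Message-ID quoted in the bounce and look it up in a 72-hour log of mail this site really sent), with a loose NDR detector to allow for the broken MTAs Martin mentions. This is an added example, not code from the thread; the send log, the sample bounces and the header heuristics are constructed for illustration.

```python
import email
import re
from datetime import datetime, timedelta, timezone
from email.policy import default

# Constructed sent-mail log: Message-ID -> time we sent it (hypothetical store).
SENT_LOG = {"<real-1@ours.example>": datetime(2004, 2, 10, 9, 0, tzinfo=timezone.utc)}
WINDOW = timedelta(hours=72)          # look-back window from the quoted proposal
MSGID_RE = re.compile(r"<[^<>\s]+@[^<>\s]+>")

def looks_like_ndr(msg):
    """Loose NDR detection: broken MTAs do not all send RFC 3464 multipart/report."""
    if msg.get_content_type() == "multipart/report":
        return True
    if str(msg.get("From", "")).lower().startswith("mailer-daemon"):
        return True
    subj = str(msg.get("Subject", "")).lower()
    return any(k in subj for k in ("undeliver", "delivery status", "returned mail", "failure notice"))

def referenced_message_ids(msg):
    """Every Message-ID-shaped token quoted in the bounce, minus the bounce's own."""
    found = set(MSGID_RE.findall(msg.as_string()))
    found.discard(str(msg.get("Message-ID", "")).strip())
    return found

def classify_bounce(raw, now, sent_log=SENT_LOG):
    """'not-ndr', 'legit-ndr' (we really sent it recently) or 'backscatter' (forged sender)."""
    msg = email.message_from_string(raw, policy=default)
    if not looks_like_ndr(msg):
        return "not-ndr"
    for mid in referenced_message_ids(msg):
        sent_at = sent_log.get(mid)
        if sent_at is not None and now - sent_at <= WINDOW:
            return "legit-ndr"
    return "backscatter"

# Constructed sample: an AV-triggered rejection for a message we never sent.
BACKSCATTER = """From: MAILER-DAEMON@relay.example
To: someone@ours.example
Subject: Undeliverable: your message contained a virus
Message-ID: <ndr-9@relay.example>

The message below was rejected by the content filter.
----- Original message headers -----
Message-ID: <worm-7f3a@nowhere.invalid>
From: someone@ours.example
"""
# Constructed sample: the same bounce, but for mail we actually sent 25 hours earlier.
LEGIT = BACKSCATTER.replace("<worm-7f3a@nowhere.invalid>", "<real-1@ours.example>")
NOW = datetime(2004, 2, 11, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(classify_bounce(BACKSCATTER, NOW), classify_bounce(LEGIT, NOW))
```

A "backscatter" verdict is what feeds the spam score in the quoted proposal; "legit-ndr" should pass through untouched so real delivery failures still reach the sender.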

