Postfix anti-antivirus (was Re: [linux-elitists] procmail recipe for mydoom?)

Jeff Waugh jdub@perkypants.org
Tue Feb 10 18:52:31 PST 2004


<quote who="Ben Finney">

> > >   - accepts the malware for delivery to a third person
> > >   - tries to deliver it to the destination, which rejects it
> > >   - sends a bounce message to the forged sender address
> > 
> > Meanwhile, there's shrapnel in *everyone's* butt.
> 
> Not at all.  The destination has no shrapnel, since they rejected the
> message.  That's a solution that scales:  every MTA that rejects it is
> one less MTA acting as a vector for the shrapnel.

No, every MTA that rejects forged worms is contributing to the mess. You're
actually talking about two orthogonal points here: Sure, I totally agree
that if every MTA rejected malware, we would be in a wonderful, blissful
state of joy. But the reality is that they don't, and you can guarantee that
matched, modern worms forge their sender envelope and address. So rejecting
them *HAS NO PURPOSE* at all. None. You are not achieving a single thing by
rejecting mail such as this. *NOTHING*.

So, in my MTA, when I have a body_check [1] that matches a worm, I discard
the mail. I can't do anything sensible with it, unless I parse my logs for
the source IPs of those emails, and alert their postmaster.

There have been times in this conversation when various people have been
confusing spam, forging worms and general virus muck. There are lots of
different perspectives on all of these, but it seems that people who
actively believe that rejecting forged mail makes sense are doing so more
out of "eye for an eye" than any other reason... "Well, it's their fault
anyway, so they should clean my mess up too!" This is just childish.

- Jeff

[1] An internal MTA feature.

-- 
GVADEC 2004: Kristiansand, Norway                    http://2004.guadec.org/
 
   You know the end is nigh when modern art is relegated to the status of
                                  "meme".

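Added example, not part of the original post: the log-parsing step mentioned above (finding the source IPs of discarded worm mail so their postmaster can be alerted) could look like this. The log lines are constructed, and the line layout and the names `discarded_sources` and `report` are assumptions, modelled on how Postfix's cleanup daemon logs a body check that discards a message.

```python
import re

# Constructed sample log. The line layout is an assumption modelled on how
# Postfix's cleanup daemon logs a body-check DISCARD; it is not from the post.
SAMPLE_LOG = """\
Feb 10 18:40:01 mx postfix/smtpd[2099]: connect from unknown[192.0.2.15]
Feb 10 18:40:02 mx postfix/cleanup[2101]: 3F2A11C0D: discard: body EXAMPLE-WORM-SIGNATURE from unknown[192.0.2.15]; from=<alice@example.com> to=<jdoe@example.org> proto=ESMTP helo=<pc1>: worm
Feb 10 18:41:10 mx postfix/cleanup[2101]: 4B7C21C0E: discard: body EXAMPLE-WORM-SIGNATURE from unknown[192.0.2.15]; from=<bob@example.net> to=<jdoe@example.org> proto=ESMTP helo=<pc1>: worm
Feb 10 18:42:33 mx postfix/cleanup[2104]: 5D9E31C0F: discard: body EXAMPLE-WORM-SIGNATURE from dsl.example.net[198.51.100.7]; from=<carol@example.com> to=<info@example.org> proto=SMTP helo=<home>: worm
Feb 10 18:43:00 mx postfix/cleanup[2104]: 6A1F41C10: reject: header Subject: test from mail.example.com[203.0.113.9]; from=<dave@example.com> to=<info@example.org> proto=ESMTP: policy
"""

# Only body-check discards count. The connecting client IP is recorded by the
# MTA itself, unlike the envelope sender, which the client supplies.
DISCARD_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): discard: body .*? "
    r"from (?P<host>\S+?)\[(?P<ip>[0-9A-Fa-f:.]+)\]; "
    r"from=<(?P<sender>[^>]*)>"
)


def discarded_sources(log_text):
    """Map each client IP to its discard count and the envelope senders it claimed."""
    hits = {}
    for line in log_text.splitlines():
        m = DISCARD_RE.search(line)
        if not m:
            continue  # connects, rejects, header checks, etc. are ignored
        entry = hits.setdefault(m["ip"], {"count": 0, "senders": set()})
        entry["count"] += 1
        entry["senders"].add(m["sender"])
    return hits


def report(hits):
    """One line per source IP, busiest first, for a note to its postmaster."""
    ordered = sorted(hits.items(), key=lambda kv: -kv[1]["count"])
    return [
        f"{ip}\t{e['count']} discarded\t{len(e['senders'])} distinct envelope senders"
        for ip, e in ordered
    ]


if __name__ == "__main__":
    print("\n".join(report(discarded_sources(SAMPLE_LOG))))
```
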

