Author: Chris Edwards Date: To: exim-users Subject: Re: [Exim] Blocking sobig 'I Blocked sobig' messages
| > Please keep in mind that what you see is the worm connecting to your | > MTA from xxxxxxx.gotadsl.co.uk. It doesn't matter if you reject or
| > discard the message at DATA time, because the worm is unlikely to
| > generate a bounce message to its own forged return address. Or does
| > it? | | Good point. However, if it comes via another MTA, it will cause a bounce
| to be sent to some poor unsuspecting individual who is probably already
| pulling their hair out trying to keep the stuff out of their system...
You're right - a bounce *will* be sent, in this relatively rare case.
However there's an important difference. If you 5xx a virus after DATA
and cause a relaying MTA to bounce then the non-delivery report received
by the innocent bystander will not have YOUR domain as its From: header.
Therefore, when the innocent bystander replies to complain, the complaint
goes not to you, (another innocent bystander). It goes to the postmaster
responsible for the relay MTA - which should have been running Exim + exiscan
and thus not accepted the crap in the first place. Perhaps [s]he will
bother to make some improvements soon!
Also, note that the relay MTA is not an innocent party. It *must* be the
smarthost relay of the ISP hosting the infected customer peecee [1].
Therefore, this ISP *is* in a strong proper position to notify their real
virused customer that they have a problem and hopefully make a difference.
[1] unless the MTA is an open relay. ISTR encoutering viruses (forget
which) that came with a hard-coded list of open-relays to abuse.
Staggeringly, most of those relays were still up+open, despite the viruses
having spread widely. Duh! Clearly, the postmasters of those open relays
deserve everything they get.
--
Chris Edwards, Glasgow University Computing Service