Re: [Exim] Attachments and bounce messages

Author: Russell King
Date:  
To: Alan J. Flavell
CC: Exim users list
Subject: Re: [Exim] Attachments and bounce messages
On Fri, Sep 05, 2003 at 04:37:38PM +0100, Alan J. Flavell wrote:
> Refuse "active" attachments[*] at SMTP time, as a matter of policy:
> don't compose bounces after the event; use a virus scanner too, if you
> want, but don't rely on it as your only defence - that will guarantee
> failure in the window between the virus arriving and the vendor's
> anti-virus template coming out.
>
> Once the offending item has been accepted, it's too late to do a
> proper job of reporting it, in my submission. At best you could
> report it to the registered abuse address for the IP that offered it
> to you.


That's an extremely good reason to do the detection at SMTP time.
Most of the crap that I'm seeing now is from all these people who are
sending bounces because they found a virus "in my mail". It was never
my mail since it never originated from my system.

I'm trying to draw MTA operators' attention to this - there are two
issues here:

- you're sending an unsolicited mail to someone who never contacted
you in the first place. How is this any different from receiving
an unwanted spam?

- you could potentially bounce the virus to someone _within_ your
domain behind your firewall.

As an instance of the second, if I were to connect to an MTA and tell
it a message was from joebloggs in its local domain, and that the
message was to joebloggs, and you generate bounces instead of
rejecting at MTA, I've just caused your MTA to bounce the message
to joebloggs, effectively bypassing your virus scanner. Oops.

I don't know many MTAs which refuse mail from their locally configured
domains in mail from: from untrusted hosts. There are some organisations
that use this exact method to send you mail (eg, ebay.)

--
Russell King (rmk@???)    http://www.arm.linux.org.uk/personal/
Linux kernel maintainer of:
  2.6 ARM Linux   - http://www.arm.linux.org.uk/
  2.6 PCMCIA      - http://pcmcia.arm.linux.org.uk/
  2.6 Serial core
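As an added illustration of the two points made in the post (reject during the SMTP transaction instead of composing a bounce, and refuse an unauthenticated MAIL FROM in one of your own domains), here is an Exim ACL fragment; it is not from the original message or from the Exim project's own configuration, and it assumes the `local_domains` and `relay_from_hosts` lists from Exim's default configure file plus an Exim build with content-scanning support for the MIME ACL.

```exim
# Assumed: domainlist local_domains and hostlist relay_from_hosts are
# defined as in Exim's default configuration.
acl_smtp_mail = acl_check_mail
acl_smtp_mime = acl_check_mime

begin acl

acl_check_mail:
  # A sender in one of our own domains, offered by an untrusted and
  # unauthenticated host, is refused here so the message can never be
  # accepted and then "bounced" to a local user behind the scanner.
  deny    message        = Sender domain $sender_address_domain is local, authentication required
          sender_domains = +local_domains
          !hosts         = +relay_from_hosts
          !authenticated = *

  accept

acl_check_mime:
  # Refuse "active" attachment types while the sending MTA is still
  # connected: it receives a 5xx and owns any notification, so this
  # host generates no backscatter.
  deny    message   = Attachment $mime_filename is not accepted by policy
          condition = ${if match{$mime_filename}{\N(?i)\.(exe|com|pif|scr|bat|vbs)$\N}}

  accept
```

As the post notes, the first rule also refuses legitimate third parties that send with your domain in MAIL FROM, so it is a policy decision rather than a default.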