Re: [Exim] Attachments and bounce messages

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] Attachments and bounce messages
On Fri, 5 Sep 2003, Philip Hazel wrote:

> > Could you explain the context in which this problem surfaces?
>
> Simple. A virus that *isn't* rejected at SMTP time! Not everybody has
> got virus scanning enabled.


Right; but in the present state of the mail system, you really
shouldn't accept it until you've basically decided you're going to
deliver it. And this Sobig thing has amply demonstrated that
principle.

Once you've accepted it, it seems to me, it's too late to go back on
that and compose a bounce to the apparent (frequently counterfeited)
sender (at least as a matter of normal operating policy - I appreciate
that occasional anomalies might have to be handled in the old way).

That goes for spam just as much as it goes for the current crop of
viruses. We've had just too many cases in the past where the spammer
put the address of the intended victim into the envelope-sender. The
old procedure may have worked fine in the days where the network users
were basically well-intentioned, but it's different now, in a big way.


It's my hunch that when a balance is drawn from this present
emergency, mail admins will be much more reluctant to accept /any/
kind of unauthenticated SMTP transaction from random IP addresses that
don't seem to be properly set up to operate an MTA service. I see
that many of the sources of Sobig aimed at us were rejected by our
configuration because their IP was blacklisted as spam-happy dialups
etc., before we even got to the point of spotting the virus (it's
obvious from eyeballing the log entries that it was a Sobig attack,
but exim had already sent them packing on another criterion).

That line of defence would be much strengthened if the majority of
MTAs refused mail from IPs which didn't look up in the DNS, didn't
have co-ordinated MX records, and so on.

cheers
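As an added illustration (not part of the original post, and not a recommendation from its author), here is how the "decide before you accept" policy described above maps onto an Exim 4 ACL: every check runs while the SMTP transaction is still open, so a failure produces a 5xx response and the sending MTA, not our site, carries the responsibility for any bounce. The host/domain list contents and the DNSBL zone name are assumptions and would need replacing with a site's own values.

```exim
# Added example: an Exim 4 RCPT-time ACL sketch, not configuration from the
# original post. List members and the DNSBL zone below are assumptions.

domainlist local_domains    = @ : example.org
hostlist   relay_from_hosts = 127.0.0.1 : 192.0.2.0/24

acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:
  # Our own clients may relay; no further reputation checks on them.
  accept  hosts         = +relay_from_hosts

  # Reject dial-up / spam-source IPs before looking at any content.
  # (Zone name is an assumption; use whichever list your site trusts.)
  deny    message       = $sender_host_address is listed in $dnslist_domain
          dnslists      = sbl-xbl.spamhaus.org

  # Reject hosts whose IP has no PTR record, or whose PTR name does not
  # resolve back to the connecting address.
  deny    message       = no valid reverse DNS for $sender_host_address
         !verify        = reverse_host_lookup

  # Reject envelope senders whose domain does not route (no usable MX/A).
  # This is the nearest built-in check to "co-ordinated MX records": a
  # bounce to such a sender could never be delivered anyway.
  deny    message       = sender domain $sender_address_domain does not route
         !verify        = sender

  # Local recipients must exist; anything else is an attempted relay.
  accept  domains       = +local_domains
          endpass
          verify        = recipient

  deny    message       = relay not permitted
```

Because all of these are `deny` verbs in the RCPT ACL, a Sobig-style message from a blacklisted or unresolvable host never reaches the DATA stage, which is exactly the behaviour the log eyeballing above describes: the connection is refused on a cheaper criterion before any virus scanning would have run.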