Re: [Exim] MyDoom filtering?

On Fri, 30 Jan 2004, David Woodhouse wrote:

| On Fri, 2004-01-30 at 20:30 +0100, Giuliano Gavazzi wrote:
| > why would his deny cause bounces? They are sent by a virus and the
| > virus is certainly not going to create a bounce!
|
| The ones with Message-ID have probably gone through an intermediate
| server -- possibly an MX backup on the receiving side, or an outgoing
| smarthost on the sending side. That intermediate box could send a
| bounce.

Hi,

There too aren't many of those.

We always use deny - so any bona-fide sender knows there's a problem hence
preserving the reliable transport nature of email. As far as we can tell,
this policy is *NOT* what's responsible for the flood of bogus virus
alerts (BVAs).

Its worthwhile thinking through the relevant scenario.

If you 5xx a virus after DATA and cause a relaying MTA to bounce, then the
non-delivery report received by the innocent bystander will at least not
have your name on it (ie. not come from your system.)

Then, when the innocent bystander replies to complain, the complaint goes
not to you, (another innocent bystander). Instead, it goes to the
postmaster responsible for the relay MTA - which should of course have
been running decent filtering and thus not transmitted the malware in the
first place. Perhaps he or she will get off their backside and make some
improvements soon!

ALSO, note that to due basic relay restrictions, the relaying MTA here is
not an innocent party for another reason - it *must* be the smarthost of
the ISP providing network service to the infected PC. Therefore, this ISP
*is* in a strong position to do their duty and take action to deal with
the actual compromised customer.

Put another way, we don't send BVAs ourselves. But we aren't keen to
compromise our own service to help out those who do send the things.

Cheers

--
Chris Edwards, Glasgow University Computing Service