[Exim] FIY: Turn off virus alerts to sender (slightly OT)

Author: Willie Viljoen
Date:
To: exim-users
Subject: [Exim] FIY: Turn off virus alerts to sender (slightly OT)
This is slightly off topic, as it applies to anybody doing virus checking
and sending alerts to the sender, not just Exim users. I feel I should post
it anyway, in the hope that it helps.

Variants of the MyDoom worm that spread via e-mail seem to be following the
pattern not only to harvest target addresses from mailing lists, infected
address books, etc., but to also harvest addresses for use in forging a
sender address. This is probably a way for the virus to get around callbacks
and other verification procedures, i.e., forging an e-mail from a valid
address in a valid domain.

The problem I wish everyone to take note of is that many content checking
systems which send alerts to the sender cannot distinguish between fake
and real sender addresses. As MyDoom is spreading, we have been getting
several complaints about our servers sending "bogus" virus alerts to users
who are not infected. Thus, our server was sending the virus alert to the
valid addresses that were fraudulently put there by the virus.

There are several reasons why sending these replies to senders is a bad
idea; I won't go into them all as I am sure I don't need to. The basic
symptom of all of them is a mass of collateral spam every time a big worm
breaks loose. So far, I have been unable to convince clients for which I
manage systems that sending these warning messages is a bad idea; however,
with the volume of complaints we have been getting due to MyDoom, the
management have mostly become more sensitive to the problem, and I am happy
to report that none of my clients' servers now send these warnings.

If your server is sending such warnings, please disable them, or if it is a
managerial decision, try your best to obtain permission to disable them.
Alternatively, if your content checker supports this, disable the warning
messages only for MyDoom; that will already help to decrease the problems
posed by these reply messages.

I apologise for this not being strictly on topic, but it is posted in the
hope that it will help to curb this problem.

Will

--
Willie Viljoen
Freelance IT Consultant

214 Paul Kruger Avenue
Universitas
9321
South Africa

+27 (51) 522 15 60
+27 (82) 404 03 27

will@???