Author: Alan J. Flavell Date: To: Exim Mailing List Subject: Re: [Exim] What to do with messages that seem to be virus-infected?
On Sat, 6 Mar 2004, Giuliano Gavazzi wrote:
> At 1:26 pm +0100 2004/03/06, Toralf Lund wrote:
> >But, don't virus messages often come from machines that don't have an
> >SMTP server at all, but where the MUA connects to a remote one, possibly
> >at an ISP?
>
> no.
Well, you have a point, but it's not such a clear yes/no answer as you
are claiming.
First of all, many sites will have blocked outgoing port-25 access to
clients which are not bona fide mail servers, in order to prevent
precisely this kind of outgoing direct-to-MX attack in the event of
PeeCees getting virus-infected. Some virus writers have responded by
using the client's normal mail-submission mechanisms, i.e using the
local mail server as a relay. Hopefully the mail admin has understood
a need to scan outgoing as well as incoming mail, or else this
situation is very bad (a mail server that passes all the usual tests
for possible bogosity suddenly starts shipping-out quantities of
virus), as compared with direct-to-MX attacks which usually fail some
simple policy tests (DNSrbl, anomalous HELO domain, etc.) without even
needing to scan their payload.
Now, coming back to the more conventional type of virus, the kind
which does its own direct-to-MX stuff...
Quite a number of big ISPs transparently forward clients' outgoing
port 25 to their own mail servers, where they apply whatever policy
controls they impose. In this case the virus will think it's making a
direct-to-MX connection when in fact it isn't, and (if the ISP hasn't
done their job properly) the final victim will see the virus coming
from what was previously rated to be a bona-fide mail server.
> If you see a virus in action it will usually open lots of
> different connections to the MX of the target addesses.
Yes
> From the point of view of delivery *alone* the virus acts as a small
> SMTP server.
Pedantic remark: it doesn't act as a "server" in the technical sense,
it only acts as a client. It might look to an outsider superficially
like an MTA (loosely known as a "mail server"), but MTAs act sometimes
as server and sometimes as client: this kind of virus only acts as
client.