[PLUG] On the topic of spam & MS-virii

Paul Heinlein heinlein at madboa.com
Fri Feb 6 11:02:02 UTC 2004


On Fri, 6 Feb 2004, Rich Shepard wrote:

>   I've received quite a few reports in the past week or so that tell
> me a MyDoom-virus infected message was intercepted from me to
> someone I don't know at a domain I didn't know existed. Of course
> the From: address is spoofed but the originating IP address is
> valid.
>
>   Don't any of the automatic spam-checking applications confirm that
> the name/domain matches the IP address? I presume that these
> messages are sent automatically without any human intervention.

Viruses create a whole new class of headaches for admins who want to
honor all the SMTP RFCs *and* keep their systems free of viruses.

In an ideal world, an inbound virus would be detected during the SMTP
transfer phase, and the message would be rejected with a 500-class
error message. (The same ideal would hold true for spam, as well.) In
the case of viruses with their own SMTP agents, like MyDoom and SoBig,
the virus would never be delivered and no one would ever receive a
bounce notice.

Sadly, most viruses are detected after the message has already been
accepted by the MTA (Sendmail, Postfix, etc.). That leaves the admin
on the receiving machine three bad options:

1. Notify the user that a virus has been detected in an inbound
   message and give the user the chance to look at it, if need be.

   The thing is that most users don't want such notices; they're a
   nuisance, esp. during a virus storm like the recent MyDoom episode.

2. Notify the sender that the message was undeliverable.

   This is the cause of the spurious notices you (and all the rest of
   us) have received in the mail. It's a useless policy when viruses
   spoof the sending address.

3. Silently drop the infected message.

   A nice idea, except that it violates every RFC concerning SMTP
   transactions.

Here at work, we're most of the way to the 'ideal world' scenario
listed above, but it's a complex infrastructure to maintain and not
likely to be implemented in most domains for some time, if ever.

--Paul Heinlein <heinlein at madboa.com>
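Added example, not part of the original post or of any product Paul describes: a toy SMTP receiver that plays through the two policies above. With `reject_in_data=True` the scanner runs while the client is still inside the DATA phase and the final "." is answered with a 550, so the message is never queued and no bounce exists to send to the forged MAIL FROM. With `reject_in_data=False` the "." gets a 250 and the scan happens afterwards, which leaves the receiver owning a message it must dispose of, and the only address it holds is the spoofed envelope sender (option 2 in the post). The "scanner" is a stand-in heuristic on attachment filename extensions, the hostnames and addresses are made up, and the session transcript is constructed; none of it is a real AV engine or real malware.

```python
import re

# Constructed stand-in for a virus scanner (assumption, not a real engine):
# flag any attachment whose filename carries an executable-ish extension.
RISKY_EXT = re.compile(r'filename="?[^"\r\n]+\.(exe|scr|pif|bat|cmd|zip)"?', re.I)


def toy_scanner(message: str) -> bool:
    """Return True when the message body looks 'infected' by the toy rule."""
    return RISKY_EXT.search(message) is not None


class ToySMTPServer:
    """Minimal single-session SMTP receiver state machine."""

    def __init__(self, scanner=toy_scanner, reject_in_data=True):
        self.scanner = scanner
        self.reject_in_data = reject_in_data
        self.state = "greet"          # greet -> mail -> rcpt -> data -> mail
        self.mail_from = None
        self.rcpt_to = []
        self.buffer = []
        self.queued = []              # (envelope sender, recipients, body) accepted with 250
        self.bounces = []             # DSNs generated after acceptance (policy B only)

    def handle(self, line: str):
        """Feed one client line; return the server reply, or None for a body line."""
        if self.state == "data":
            if line == ".":
                return self._end_of_data()
            # RFC 5321 dot-stuffing: a leading ".." on a body line means "."
            self.buffer.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.state = "mail"
            return "250 mx.example.net"
        if verb == "MAIL" and self.state == "mail":
            self.mail_from = arg.split(":", 1)[1].strip()
            self.state = "rcpt"
            return "250 2.1.0 Ok"
        if verb == "RCPT" and self.state == "rcpt":
            self.rcpt_to.append(arg.split(":", 1)[1].strip())
            return "250 2.1.5 Ok"
        if verb == "DATA" and self.state == "rcpt" and self.rcpt_to:
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "503 5.5.1 Bad sequence of commands"

    def _end_of_data(self):
        message = "\n".join(self.buffer)
        envelope = (self.mail_from, list(self.rcpt_to), message)
        # Reset the transaction state whatever we decide below.
        self.state, self.buffer, self.mail_from, self.rcpt_to = "mail", [], None, []
        if self.reject_in_data and self.scanner(message):
            # Policy A: refuse the transaction itself. The client never gets a
            # 250, nothing is queued here, and there is nothing to bounce.
            return "550 5.7.1 Message rejected: malware detected"
        self.queued.append(envelope)
        return "250 2.0.0 Ok: queued"

    def scan_queue(self):
        """Policy B's after-the-fact scan: we already said 250, so we own
        delivery and must tell someone; the only address we have is the
        (possibly forged) envelope sender."""
        kept = []
        for env_from, rcpts, msg in self.queued:
            if self.scanner(msg):
                self.bounces.append({"to": env_from, "reason": "malware detected"})
            else:
                kept.append((env_from, rcpts, msg))
        self.queued = kept
        return self.bounces


def run_session(client_lines, reject_in_data, scanner=toy_scanner):
    """Run a scripted client session; return (replies, server)."""
    srv = ToySMTPServer(scanner, reject_in_data)
    replies = [r for r in (srv.handle(l) for l in client_lines) if r is not None]
    return replies, srv


# Constructed session: a worm-style message with a forged envelope sender
# and an executable attachment. Addresses and body are invented.
SESSION = [
    "EHLO zombie.example.net",
    "MAIL FROM:<forged.sender@example.org>",
    "RCPT TO:<someone@example.com>",
    "DATA",
    "From: forged.sender@example.org",
    "To: someone@example.com",
    "Subject: hello",
    'Content-Type: application/octet-stream; name="document.scr"',
    'Content-Disposition: attachment; filename="document.scr"',
    "",
    "AAAA",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    for policy in (True, False):
        replies, srv = run_session(SESSION, reject_in_data=policy)
        print("reject_in_data=%s -> end-of-DATA reply: %s" % (policy, replies[4]))
        print("  bounces after post-acceptance scan:", srv.scan_queue())
```

Run stand-alone it prints the end-of-DATA reply for each policy and the bounce list the post-acceptance scan produces; the 550 path yields an empty list, the 250 path yields one DSN addressed to the forged sender. Note the 550 at end of DATA is what a normal sending MTA turns into a bounce on *its* side, where the real originator is known; a worm with its own SMTP engine simply discards the error, which is why the post calls this the ideal outcome.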



