On 14 Sep 2001, at 10:45, Sterling Hanenkamp wrote:
> The new logging system makes knowing when a sender needs to be
> notified easy, but knowing who needs to be notified is definitely not
> easy.
Sender notification is not a simple problem. Many forms of malware
do things like trojanize Winsock imposing their own SMTP client,
which *forges* the From: address. In some cases I've been able to
infer a sender by putting together information (by eyeball!) from
Received: and From: headers; in other cases users have been able to
recognize who they communicate with at the domain in a Received:
header and have been able to tell me the right E-mail address to
notify. For critters like Hybris, the best I'm typically able to do
is infer the ISP from the Received: header, send a message to abuse
at the main domain of the ISP, and just *hope* they don't /dev/null
the thing.
Of course this is a horse of a different radish if the main thing
you're trying to accomplish is to notify *your own* users on outbound
mail -- there you've got a lot more information to go on. But even
in that case if they catch something nasty, you could have a hell of
a time knowing who the real sender is.
What *I'd like* is the ability to snag all of the mail headers based
on what happens with various policies. That would save me *lots* of
time.
<opinion>
(Once upon a time I would blow it off whenever my antivirus software
snagged something, but I've learned. It's better to notify senders.
If you don't they'll just send you more junk. Whatever antivirus
warnings go off in the face of your end-user receivers, many users
find this unsettling even though as admin you're tempted to say cool,
the antivirus stuff worked, lookie here. A lot of users either find
it disruptive or quit paying attention to it ...)
</opinion>
---
#include <disclaimer.h>
Jim Rosenberg
Ross Mould
E-mail: 21084@xyz.molar.is
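As an added example (not code from this thread or its author), a small Python script that does mechanically what the message above describes doing by eyeball: walk the Received: trail back to the host that injected the mail, derive the ISP's main domain for an abuse@ contact, and flag a From: that disagrees with that origin. The sample headers, the "last two labels" domain heuristic and the use of abuse@ as the fallback contact are assumptions of the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample, not a message from the thread: the worm's own SMTP
# client forged From:, so only the Received: trail points at the real origin.
SAMPLE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
\tby mail.ourdomain.example (Postfix) with ESMTP id 123ABC; Fri, 14 Sep 2001 10:40:01 -0400
Received: from dialup-17.isp-example.net (dialup-17.isp-example.net [198.51.100.17])
\tby mx.example.org with SMTP id 456DEF; Fri, 14 Sep 2001 10:39:55 -0400
From: Some Victim <someone@forged.example.com>
To: victim@ourdomain.example
Subject: Snoopy is back

(worm payload would be attached here)
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)

def origin_host(msg):
    """Host named in the oldest Received: header. Relays prepend their own
    line, so the last one in header order is the machine that injected the
    mail (or the last hop that did not strip or forge the trail)."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = RECEIVED_FROM.match(str(received[-1]).strip())
    return m.group(1).lower().rstrip(".") if m else None

def main_domain(host):
    """Assumed heuristic: last two labels; real code should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def sender_report(raw):
    """What the headers actually support about who really sent the mail."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    host = origin_host(msg)
    isp = main_domain(host) if host else None
    return {
        "from_domain": from_domain,
        "origin_host": host,
        # The fallback described above: abuse@ at the ISP's main domain.
        "abuse_contact": f"abuse@{isp}" if isp else None,
        # From: domain disagrees with the injecting host: treat From: as forged.
        "from_suspect": not from_domain or isp is None or main_domain(from_domain) != isp,
    }
```

Run it against the raw headers of a quarantined message; when `from_suspect` is true, notify the `abuse_contact` rather than the From: address.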