Re: Custom issues

From: Jim Rosenberg (
Date: Fri 14 Sep 2001 - 17:39:44 UTC

  • Next message: Jim Rosenberg: "1.35 -> 1.43: Overlooking Something Obvious ..."

    On 14 Sep 2001, at 10:45, Sterling Hanenkamp wrote:

    > The new logging system makes knowing when a sender needs to be
    > notified easy, but know who needs to be notified is definitely not
    > easy.

    Sender notification is not a simple problem. Many forms of malware
    do things like trojanize Winsock imposing their own SMTP client,
    which *forges* the From: address. In some cases I've been able to
    infer a sender by putting together information (by eyeball!) from
    Received: and From: headers; in other cases users have been able to
    recognize who they communicate with at the domain in a Received:
    header and have been able to tell me the right E-mail address to
    notify. For critters like Hybris, the best I'm typically able to do
    is infer the ISP from the Received: header, send a message to abuse
    at the main domain of the ISP, and just *hope* they don't /dev/null
    the thing.

    Of course this is a horse of a different radish if the main thing
    you're trying to accomplish is to notify *your own* users on outbound
    mail -- there you've got a lot more information to go on. But even
    in that case if they catch something nasty, you could have a hell of
    a time knowing who the real sender is.

    What *I'd like* is the ability to snag all of the mail headers based
    on what happens with various policies. That would save me *lots* of

    (Once upon a time I would blow it off whenever my antivirus software
    snagged something, but I've learned. It's better to notify senders.
    If you don't they'll just send you more junk. Whatever antivirus
    warnings go off in the face of your end-user receivers, many users
    find this unsettling even though as admin you're tempted to say cool,
    the antivirus stuff worked, lookie here. A lot of users either find
    it disruptive or quit paying attention to it ...)

    #include <disclaimer.h>
    Jim Rosenberg
    Ross Mould

    hosted by