On Fri, 7 Nov 2003, Robert de Bath wrote:
>
> On Fri, 7 Nov 2003, Systems Administrator wrote:
>
> > On Fri, 7 Nov 2003, Noel Clarkson wrote:
> >
> > > my advice would be to resist the urge to send anything back to the email
> > > address that the virus came from. I know that it seems like a good idea
>
> > > As someone who's had to deal with some of the cases mentioned above,
> > > please resist the temptation to do what on the surface seems to be a
> > > kind gesture.
> >
> > I think it depends on what point you catch it at. If you find the
> > virus before accepting the message, and send back a "550 attachment has
> > virus", then the only people who should be getting them are admins of
> > open relays, right?
>
> FX: I'll jump in here.
What's FX? :).
> No, sorry, what's likely to happen here is:
> If it's the virus that connected to you it'll immediately go on to your
> backup MX servers; they'll probably accept the message.
>
> Your backup MX will then try to relay it to you, you reject it again
> with the 550 and _your_ relay server bounces the message to the envelope
> sender.
Hmm. Good point. So you'd have to either junk ones that came
through your backup, or have your backup do virus filtering too (probably
the better solution).
> Even if it's an open relay sending you the message they will bounce it
> to the envelope sender.
Also a good point :). I've had a few users recently who have
gotten viruses that let people spam through them, and I've been getting
bounces, but only because the return addresses didn't exist :).
> The only time it'll help is if all your MX backups are protected and the
> virus is contacting you directly; it won't tell anyone you bounced the
> message though, so it's the same as dropping it.
>
> If your backup MX's aren't protected all you can really do with a virus
> is send it to nobody@localhost.
>
> If they are all protected causing an upstream host to bounce the message
> won't help; however greylisting [1] will probably reduce your bandwidth.
Thanks! Unfortunately, no-one seems to be doing greylisting for
courier-mta, as far as I can see. But that's ok for now -- I have a few
other projects I need to get done before that.
:)
--
Tim Nelson
Systems Administrator
Sunet Internet
Tel: +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/
Email: 100246@xyz.molar.is
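
The delivery paths discussed in this thread can be modelled to see which host ends up bouncing to the forged envelope sender. This is an added example, not code from any poster; the host names are constructed, and it assumes an MTA treats a 5xx as final and bounces, while a virus's own SMTP engine never does.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class MX:
    name: str
    scans: bool                        # True: answers "550 attachment has virus"
    relays_to: Optional["MX"] = None   # a backup MX forwards accepted mail here

def submit(mx: MX, bounces: List[str], via: Optional[str] = None) -> bool:
    """Offer an infected message to mx; return True if mx accepted it.

    `via` is the MTA handing the message over (None means the virus's own
    SMTP engine). An MTA that gets a 5xx sends a bounce to the envelope
    sender, which the virus forged; the virus itself sends nothing.
    """
    if mx.scans:
        if via is not None:
            bounces.append(via)        # backscatter to the forged address
        return False
    if mx.relays_to is not None:       # unfiltered backup: accept, then relay
        submit(mx.relays_to, bounces, via=mx.name)
    return True

def simulate(mx_by_preference: List[MX], open_relay: Optional[str] = None) -> List[str]:
    """Return the hosts that bounce to the forged envelope sender."""
    bounces: List[str] = []
    for mx in mx_by_preference:
        accepted = submit(mx, bounces, via=open_relay)
        if accepted or open_relay is not None:   # an MTA stops at the first 5xx
            break                                # the virus moves on to the next MX
    return bounces

# Constructed hosts for the three cases raised in the thread.
primary = MX("mx1.example", scans=True)
open_backup = MX("mx2.example", scans=False, relays_to=primary)
filtered_backup = MX("mx2.example", scans=True, relays_to=primary)

if __name__ == "__main__":
    print("unfiltered backup MX:", simulate([primary, open_backup]))
    print("all MXes filtered:   ", simulate([primary, filtered_backup]))
    print("via open relay:      ", simulate([primary, filtered_backup], "relay.example"))
```
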