On Fri, 7 Nov 2003, Robert de Bath wrote:
> On Fri, 7 Nov 2003, Systems Administrator wrote:
> > On Fri, 7 Nov 2003, Noel Clarkson wrote:
> > > my advice would be to resist the urge to send anything back to the email
> > > address that the virus came from. I know that it seems like a good idea
> > > As someone who's had to deal with some of the cases mentioned above,
> > > please resist the temptation to do what on the surface seems to be a
> > > kind gesture.
> > I think it depends on what point you catch it at. If you find the
> > virus before accepting the message, and send back a "550 attachment has
> > virus", then the only people who should be getting them are admins of
> > open relays, right?
> FX: I'll jump in here.
What's FX? :).
> No, sorry, what's likely to happen here is:
> If it's the virus that connected to you it'll immediately go on to your
> backup MX servers; they'll probably accept the message.
> Your backup MX will then try to relay it to you, you reject it again
> with the 550 and _your_ relay server bounces the message to the envelope
Hmm. Good point. So you'd have to either junk ones that came
through your backup, or have your backup do virus filtering too (probably
the better solution).
> Even if it's an open relay sending you the message they will bounce it
> to the envelope sender.
Also a good point :). I've had a few users recently who have
gotten viruses that let people spam through them, and I've been getting
bounces, but only because the return addresses didn't exist :).
> The only time it'll help is if all your MX backups are protected and the
> virus is contacting you directly; it won't tell anyone you bounced the
> message though, so it's the same as dropping it.
> If your backup MX's aren't protected all you can really do with a virus
> is send it to nobody@localhost.
> If they are all protected causing an upstream host to bounce the message
> won't help; however greylisting will probably reduce your bandwidth.
Thanks! Unfortunately, no-one seems to be doing greylisting for
courier-mta, as far as I can see. But that's ok for now -- I have a few
other projects I need to get done before that.
--
Tim Nelson
Systems Administrator
Sunet Internet
Tel: +61 3 5241 1155
Fax: +61 3 5241 6187
Web: http://www.sunet.com.au/
Email: firstname.lastname@example.org
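
Added illustration, not part of the thread above: a small Python model of the delivery paths discussed, showing which host ends up bouncing to the forged envelope sender for each combination of connecting client, backup MX filtering, and primary policy (550 reject versus accept-and-discard). The client labels, function names and the sample address are assumptions made for this example.

```python
# Constructed sample: an infected message with a forged envelope sender.
MSG = {"mail_from": "forged-victim@example.net", "infected": True}

def primary_mx(msg, policy):
    """Primary MX scans during the SMTP session and returns a reply code."""
    if msg["infected"] and policy == "reject":
        return 550
    return 250  # clean mail, or policy == "discard": accept, then drop silently

def deliver(client, backup_filters, policy="reject"):
    """Trace one infected message. client is 'virus' (own SMTP engine, never
    bounces) or 'relay' (a real MTA, e.g. an open relay). Returns event list."""
    log = []
    code = primary_mx(MSG, policy)
    log.append(f"primary replies {code} to {client}")
    if code == 250:
        log.append("primary files the message to a null mailbox")
        return log
    if client == "relay":
        # An MTA treats 550 as permanent and sends a DSN to the envelope sender.
        log.append(f"relay bounces to {MSG['mail_from']}")
        return log
    # The virus ignores the 550 and moves on to the next MX record.
    if backup_filters:
        log.append("backup replies 550 to virus")
        return log
    log.append("backup replies 250 to virus and relays to primary")
    if primary_mx(MSG, policy) == 550:
        # Now it is our own backup MX that generates the backscatter.
        log.append(f"backup bounces to {MSG['mail_from']}")
    return log

def bounces(log):
    """Events in which some MTA mails the (forged) envelope sender."""
    return [e for e in log if " bounces to " in e]

if __name__ == "__main__":
    for client in ("virus", "relay"):
        for filt in (False, True):
            for policy in ("reject", "discard"):
                b = bounces(deliver(client, filt, policy))
                print(f"{client:5} backup_filters={filt!s:5} {policy:7} -> {b or 'no bounce'}")
```
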