anomy-list

Re: Bounce on Attachment Type

From: Systems Administrator (100246@xyz.molar.is)
Date: Sun 09 Nov 2003 - 22:35:52 GMT


    On Fri, 7 Nov 2003, Robert de Bath wrote:

    >
    > On Fri, 7 Nov 2003, Systems Administrator wrote:
    >
    > > On Fri, 7 Nov 2003, Noel Clarkson wrote:
    > >
    > > > my advice would be to resist the urge to send anything back to the email
    > > > address that the virus came from. I know that it seems like a good idea
    >
    > > > As someone who's had to deal with some of the cases mentioned above,
    > > > please resist the temptation to do what on the surface seems to be a
    > > > kind gesture.
    > >
    > > I think it depends on what point you catch it at. If you find the
    > > virus before accepting the message, and send back a "550 attachment has
    > > virus", then the only people who should be getting them are admins of
    > > open relays, right?
    >
    > FX: I'll jump in here.

            What's FX? :).

    > No, sorry, what's likely to happen here is:
    > If it's the virus that connected to you it'll immediately go on to your
    > backup MX servers; they'll probably accept the message.
    >
    > Your backup MX will then try to relay it to you, you reject it again
    > with the 550 and _your_ relay server bounces the message to the envelope
    > sender.

            Hmm. Good point. So you'd have to either junk ones that came
    through your backup, or have your backup do virus filtering too (probably
    the better solution).

    > Even if it's an open relay sending you the message they will bounce it
    > to the envelope sender.

            Also a good point :). I've had a few users recently who have
    gotten viruses that let people spam through them, and I've been getting
    bounces, but only because the return addresses didn't exist :).

    > The only time it'll help is if all your MX backups are protected and the
    > virus is contacting you directly; it won't tell anyone you bounced the
    > message though, so it's the same as dropping it.
    >
    > If your backup MX's aren't protected all you can really do with a virus
    > is send it to nobody@localhost.
    >
    > If they are all protected causing an upstream host to bounce the message
    > won't help; however greylisting [1] will probably reduce your bandwidth.

            Thanks! Unfortunately, no-one seems to be doing greylisting for
    courier-mta, as far as I can see. But that's ok for now -- I have a few
    other projects I need to get done before that.

            :)

    -- 
    Tim Nelson
    Systems Administrator
    Sunet Internet
    Tel: +61 3 5241 1155
    Fax: +61 3 5241 6187
    Web: http://www.sunet.com.au/
    Email: 100246@xyz.molar.is
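
The mail flow discussed in this thread, traced as a small Python model to show which host ends up bouncing to the forged envelope sender. This is an added example, not code from any poster; the host names, the forged address and the assumption that every client tries the primary MX first are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    filters: bool = False  # scans for viruses during the SMTP session
    is_mta: bool = True    # queues mail and sends a DSN on permanent failure

def trace(client, primary, backups, forged_sender, policy="reject"):
    """Follow one infected message; return (fate, bounces).

    policy is what a filtering host does with a virus: "reject" answers 550
    in-session, "discard" accepts it and delivers to nobody@localhost.
    bounces lists (bouncing_host, address_that_receives_the_bounce).
    Assumption: every client tries the primary MX before any backup.
    """
    def accepts(receiver):
        return not (receiver.filters and policy == "reject")

    if accepts(primary):
        return ("discarded" if primary.filters else "delivered infected"), []
    # Primary answered 550. A real MTA, such as an open relay, bounces it.
    if client.is_mta:
        return "rejected", [(client.name, forged_sender)]
    # A virus with its own SMTP engine sends no DSN and tries the backup MXs.
    for mx in backups:
        if accepts(mx):
            # The backup queued it, relays to the primary, gets 550 and bounces.
            return "rejected", [(mx.name, forged_sender)]
    return "rejected", []  # nobody is notified: same effect as dropping it

# Constructed hosts and addresses, for illustration only.
FORGED = "innocent@example.com"
PRIMARY = Host("mx1.example.org", filters=True)
WORM = Host("infected-pc", is_mta=False)
RELAY = Host("open-relay.example.net")

def scenarios():
    plain, scanning = Host("mx2.example.org"), Host("mx2.example.org", filters=True)
    return {
        "worm, unfiltered backup": trace(WORM, PRIMARY, [plain], FORGED),
        "worm, filtered backup": trace(WORM, PRIMARY, [scanning], FORGED),
        "open relay": trace(RELAY, PRIMARY, [scanning], FORGED),
        "worm, discard policy": trace(WORM, PRIMARY, [plain], FORGED, "discard"),
    }

if __name__ == "__main__":
    for label, (fate, bounces) in scenarios().items():
        print(f"{label:26} {fate:10} bounces={bounces}")
```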
    


