Klez-G

Jethro R Binks jethro.binks at STRATH.AC.UK
Thu May 9 16:15:58 IST 2002


On Thu, 9 May 2002, Rose, Bobby wrote:

> But how can the host/ip in the received from header be forged since it's
> being put there by the recipient system?  Also the Message-ID is
> constructed by the recipient system so it would be hard for that to be
> forged as well.  The only problem with the message-id is that it's
> replaced by whatever system picks it up so if it's a relayed message,
> the Message-ID would be for the relayed domain.

Some spammers add fake Received: headers to throw people off the scent.
Although visually it's usually easy to spot them, by doing a consistency
check from one line to the next, doing it programmatically can be tricky.
Probably not impossible, but tricky nonetheless.  It also doesn't help
that Received: headers can vary in format.

> As for nagging the remote postmaster, who here are postmasters and get
> nagged anyway.  Probably everyone.

I wouldn't call that much reason to nag them even more, then, especially
when you can't guarantee that it is even the right person.  As Julian
mentioned, one of the fastest ways to get your email blocked is to send
them a torrent of virus warnings about something they might not even be in
a position to do.

[I currently have Notify Senders enabled, but for some weeks have been
debating the wisdom of this.  The fact that now I can't even guarantee
that the apparent sender of the mail is actually the guilty party is
pushing me to turn this off.  If they are sending loads of the stuff out,
then some other system will sooner or later send them a warning.  It'll
cut down on my support time too]

> The problem doesn't get resolved
> unless someone on the remote end gets involved.

Yes, the user of the machine concerned.  Unfortunately, with the latest
infections faking the sender address, this is now virtually impossible to
determine.  (Having said that, a large proportion of users who get
Mailscanner warnings seem to ignore them or deny the problem anyway, so I
don't think that's being much worse off).

> At least they would
> know the actual sender and contact them.  That's what we've had to do
> here for people dialing into the University dialin pool.  Send it to the
> dialin pool people to look to see who was connected at the time the
> virus was sent so that they can be contacted.  I would assume it should
> be the same process for Comcast or Verizon.

Yes it probably would be the same process.  However, you're relying on the
goodwill of the remote postmaster to (a) care enough to do so, (b) have
the time to do so, and (c) have the ability to do so.  As mentioned
previously by Julian, the postmaster you contact might not have any
connection at a direct level with the (eg) modem pool from which a message
originated.  It is impossible to determine with any reliability the
appropriate address to use.  WHOIS records often aren't accurate enough
either.

Those who submit spam reports to large ISPs will be familiar with the
typical "automated reply" that promises they "will investigate", and that
one may not "receive any further communications regarding the matter".
Who knows if they act on the report half of the time?  If they are having
to deal with torrents of repeated Mailscanner warnings too, they will be
even less inclined to do anything about them, and the software itself may
get a bad reputation as a result.

The proposal pushes the onus of managing the outbreak on the ISPs
concerned.  Although that's arguably the 'correct' thing to do,
practically in the real world you can't expect them to manage that -- for
the most part they don't personally know the people involved and it
wouldn't be worth their while chasing people up, taking on the technical
support burden of dealing with them, and then confirming that the machine
has been cleaned with all the support that entails.  For the most part, as
long as it isn't really affecting 'their' network, they probably don't
much care.  That's not a great attitude to have, but ...

It's slightly different for academic institutions, private companies, and
such, of course, but this seems to be the Way It Is for major ISPs -- and
that's where most of the problems originate.

I would like to suggest a rate-limiting feature be introduced, so that
where warning messages are being returned to sender (or apparently
responsible postmaster, per original sender), only a certain number in a
given time period are generated.  This will help with the present
operation of the software, and should some feature as is being discussed
be implemented, it would help to allay huge numbers of reports being sent
to postmasters and just maybe then they might do something about it.  But
I think it a useful feature anyway.

Or perhaps an aggregation of reports to a particular sender (or his
postmaster), so they only get one mail per few hours or whatever is
appropriate.

Jethro.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks                                   Computing Officer, IT Services
Mailmaster, Listmaster, Webmaster,       University Of Strathclyde, Glasgow, UK
Cachemaster                                           jethro.binks at strath.ac.uk
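The "consistency check from one line to the next" mentioned above, as an
added example (not code from the original message or from MailScanner).
It walks the Received: chain newest-first and flags a hop whose "by" host
is not the host the next-newer hop says it received from, or whose
timestamp is later than the hop that supposedly received it. The message
it runs on is constructed: hostnames and addresses are from documentation
ranges, and the bottom Received: line is the forged one. The name
comparison is a heuristic (HELO names and reverse DNS legitimately differ),
which is the "tricky" part the message refers to.

```python
"""Consistency check over a Received: header chain (added example)."""
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: two genuine hops recorded by example.edu servers,
# plus a forged bottom line added by the sender so the mail appears to
# originate at innocent.example.org.  Nothing here is a real host.
SAMPLE = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
    by mail.example.edu with ESMTP id AB1
    for <user@example.edu>; Thu, 9 May 2002 16:10:01 +0100
Received: from dialup-42.isp.example.net (dialup-42.isp.example.net [198.51.100.42])
    by mx.example.edu with SMTP id AB0
    for <user@example.edu>; Thu, 9 May 2002 16:09:58 +0100
Received: from innocent.example.org (innocent.example.org [203.0.113.7])
    by relay.innocent.example.org with ESMTP id XYZ;
    Thu, 9 May 2002 16:20:00 +0100
From: someone@innocent.example.org
To: user@example.edu
Subject: test

body
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.I)            # HELO name
RDNS_RE = re.compile(r"\bfrom\s+\S+\s+\(([^\s\[\]()]+)", re.I)  # reverse DNS in ( )
BY_RE = re.compile(r"\bby\s+(\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(raw_message):
    """Return hops newest-first: dicts with from/names/by/ip/date.

    Received: formats vary, so every field is optional (None when absent).
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())        # unfold continuation lines
        head, sep, stamp = value.rpartition(";")  # timestamp follows the last ';'
        if not sep:
            head, stamp = value, ""
        m_from, m_rdns = FROM_RE.search(head), RDNS_RE.search(head)
        m_by, m_ip = BY_RE.search(head), IP_RE.search(head)
        try:
            when = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
        except (TypeError, ValueError):
            when = None
        names = {m.group(1).lower() for m in (m_from, m_rdns) if m}
        hops.append({
            "from": m_from.group(1).lower() if m_from else None,
            "names": names,                     # all names the receiver recorded
            "by": m_by.group(1).lower() if m_by else None,
            "ip": m_ip.group(1) if m_ip else None,
            "date": when,
        })
    return hops


def check_chain(hops, skew=timedelta(minutes=5)):
    """Report inconsistencies between each hop and the one that received it."""
    issues = []
    for i in range(len(hops) - 1):
        newer, older = hops[i], hops[i + 1]
        # The host that wrote the newer line recorded who it received from;
        # the older line names the host that wrote it.  They should agree.
        if older["by"] and newer["names"] and older["by"] not in newer["names"]:
            issues.append(f"hop {i + 1}: claims 'by {older['by']}' but the next hop "
                          f"recorded 'from {newer['from']}'")
        # A hop cannot have been stamped after the hop that received it,
        # allowing a little clock skew between hosts.
        if older["date"] and newer["date"] and older["date"] > newer["date"] + skew:
            issues.append(f"hop {i + 1}: timestamp {older['date'].isoformat()} is "
                          f"later than the receiving hop")
    return issues


if __name__ == "__main__":
    for problem in check_chain(parse_received(SAMPLE)):
        print(problem)
```

Running it on the sample reports two problems against the bottom hop: its
"by" host does not match the "from" the genuine server recorded, and its
timestamp is later than the hop above it. The two genuine hops on their
own pass cleanly.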
