Sobig.F resurgence

Kevin Spicer kevins at BMRB.CO.UK
Fri Sep 5 22:34:41 IST 2003


On Fri, 2003-09-05 at 21:34, Dustin Baer wrote:


>With all the complaints about how much email traffic is being generated
>by virus scanners (thankfully NOT MailScanner) rejecting the SoBig
>virus

Actually that does affect MailScanner if the MailScanner admin has
notify senders on (default until the latest version, I think) and has not
added Sobig to the silent viruses list.

>to the spoofed address, why on earth would you want to reject these
>subjects?  You are creating just as much INCORRECT rejection traffic.

The Sobig virus uses its own SMTP engine to send directly to your server
(unless you're using an ISP's server that you have no control over as a
secondary queueing MX and it hits that first).  Therefore rejecting the
message with a 550 error would normally cause the _remote_ MTA to
generate a bounce to the 'sender'.  Since in this case that 'remote MTA'
would be the virus itself, it is not going to produce a bounce message;
instead it will just silently ignore the error.  Therefore (with the exception
of the case mentioned above) the only time this ruleset should cause
someone to receive a bounce from their local MTA is when they have sent
a genuine message which happens to use that subject.  In this scenario I
think it is appropriate to issue a 550 response rather than silently
dropping the mail.




BMRB International
http://www.bmrb.co.uk
+44 (0)20 8566 5000
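
The argument in the message above, as an added model that is not part of the original post or of MailScanner: it tracks which address ends up receiving a bounce or notice when a blocked subject is refused with a 550, accepted and answered with a sender notification, or silently dropped. The subject string, addresses, policy names and function names are constructed for illustration.

```python
from dataclasses import dataclass

BLOCKED_SUBJECTS = {"Re: sample blocked subject"}  # constructed placeholder

@dataclass(frozen=True)
class Message:
    envelope_from: str  # MAIL FROM as presented; forged on worm traffic
    subject: str

def primary_mx(msg, policy):
    """Return (smtp_code, notices_sent_by_this_server)."""
    if msg.subject not in BLOCKED_SUBJECTS:
        return 250, []
    if policy == "reject":   # refuse during the SMTP dialogue
        return 550, []
    if policy == "notify":   # accept, then mail a warning to the 'sender'
        return 250, [msg.envelope_from]
    if policy == "drop":     # accept and discard silently
        return 250, []
    raise ValueError(f"unknown policy: {policy}")

def deliver(msg, path, policy):
    """Return every address that receives a bounce or notice.
    path lists the SMTP clients before the primary MX; only the last one
    talks to it. "worm" is the worm's own engine, which ignores error
    replies; "mta" is a real MTA (sender's relay or secondary MX), which
    turns a 5xx into a bounce to MAIL FROM.
    """
    code, notices = primary_mx(msg, policy)
    if code >= 500 and path[-1] == "mta":
        notices = notices + [msg.envelope_from]
    return notices

FORGED = Message("bystander@example.org", "Re: sample blocked subject")
GENUINE = Message("alice@example.com", "Re: sample blocked subject")
SCENARIOS = {
    "worm direct, 550 reject": (FORGED, ["worm"], "reject"),
    "worm direct, accept + notify": (FORGED, ["worm"], "notify"),
    "worm via secondary MX, 550 reject": (FORGED, ["worm", "mta"], "reject"),
    "genuine sender, 550 reject": (GENUINE, ["mta"], "reject"),
    "genuine sender, silent drop": (GENUINE, ["mta"], "drop"),
}

def run_scenarios():
    return {name: deliver(*args) for name, args in SCENARIOS.items()}

if __name__ == "__main__":
    for name, recipients in run_scenarios().items():
        print(f"{name:36} -> {recipients or 'nobody'}")
```

Only the "accept + notify" and "secondary MX" rows send mail to the forged bystander address; the direct 550 reaches nobody for worm traffic and reaches the real sender for a genuine message.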


