"OMG YOU SENT TEH VIRUSESS"

Matt Kettler mkettler at EVI-INC.COM
Thu Jun 16 00:30:39 IST 2005



Jason Balicki wrote:
> As an update to this, I received a response today.
> 
> Does anyone have any ammo I can use in response to
> this:
> 
> Begin quote:
> As for the virus notifications, as pointless as it may seem to you, it's
> our company policy to attempt to inform possibly infected systems
> (whether they are forged or not) if they have sent us an infected
> message and/or spam.  This company policy has proven effective on many
> occasions over the past 7 years of having internet capable e-mail.  In
> one such case we alerted a very large public safety organization of a
> virus breakout on their network.
> 
> If our policy is causing grief for your mailing list, let me know which
> software you are using to manage it, I will personally do the research
> to show you how to properly filter out these messages.
> 
> Nowhere in the RFC for SMTP mail does it cover virus notifications.  In
> fact, the concept of silently deleting messages that could not be
> delivered can be construed as contravening the RFC 1123.  Once an SMTP
> system accepts the message with the 250 (OK) message in response to the
> DATA command, it has the responsibility of delivering the message or
> informing the sender (via return-path or from header).  If you can point
> out a relevant RFC that prohibits these notifications, I will officially
> turn them off.

First, I would be greatly interested to hear if the public safety organization
incident occurred within the past 2 years. It sounds quite typical of something
which might have happened 5 years ago, but not today.

Five years ago, virus notices made sense, as nobody had yet invented the forging
mail worm. Today, nearly all viruses and spam have forged returns.

Bear in mind that when you detect a virus in a message (modern era, not past)
you have proved with a great deal of certainty that the return-path and from are
forged.

Now you must ask yourself, is it within the spirit of the RFCs to generate
failure notices directed to addresses which are known to not be the source of
the email?

I would suggest a read of RFC 3834 for some general RFC level discussion of this
topic. This RFC makes general recommendations for any autoresponder, including
virus scanners. Section 2 is highly worthwhile reading.

http://www.faqs.org/rfcs/rfc3834.html


Although your behavior is not outright prohibited by this RFC, the RFC does
suggest in section 2 that responders should avoid responding to messages which
appear malformed, and should take measures to avoid responding to forgeries and
other activities that allow it to be abused.

As for RFC 1123, RFC 3834 clearly condones discarding normal responses when a
responder has good reason to believe the response will be misdirected.

------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the Wiki (http://wiki.mailscanner.info/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).

Support MailScanner development - buy the book off the website!
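As an added illustration of the RFC 3834 section 2 checks Matt refers to (not MailScanner code, and not part of the original post), the function below decides whether an automatic reply such as a virus notification may be sent at all. The policy, header set and sample messages are assumptions constructed for this example; the one rule specific to this thread is that a detected virus is treated as proof the return-path is forged, so no notice goes out.

```python
"""Decide whether an automatic reply (e.g. a virus notification) may be sent.

Added example applying the RFC 3834 section 2 recommendations discussed on
the list. It is not MailScanner code; the policy function and the sample
messages below are constructed assumptions for illustration only.
"""
from email import message_from_string
from email.message import Message

# Precedence values that mark bulk or list traffic; RFC 3834 advises against
# answering such mail automatically.
BULK_PRECEDENCE = {"bulk", "list", "junk"}


def should_autorespond(raw: str, virus_found: bool) -> tuple[bool, str]:
    """Return (allowed, reason) for a raw RFC 2822 message.

    virus_found is the verdict of the scanner that ran before this check.
    """
    msg = message_from_string(raw)
    return _decide(msg, virus_found)


def _decide(msg: Message, virus_found: bool) -> tuple[bool, str]:
    # Modern mass-mailing worms forge the envelope sender, so a virus hit is
    # strong evidence that any notice would be misdirected (backscatter).
    if virus_found:
        return False, "virus detected: return-path assumed forged"

    # RFC 3834 2.1: never respond to a message with a null reverse path;
    # here the MTA is assumed to have recorded it in Return-Path.
    return_path = (msg.get("Return-Path") or "").strip()
    if return_path in ("", "<>"):
        return False, "null return-path"

    # RFC 3834 2.1: an Auto-Submitted value other than "no" marks mail that
    # was itself generated automatically; replying to it creates loops.
    auto = (msg.get("Auto-Submitted") or "no").split(";")[0].strip().lower()
    if auto != "no":
        return False, f"auto-submitted: {auto}"

    # Mailing-list and bulk traffic: Precedence and List-* headers.
    precedence = (msg.get("Precedence") or "").strip().lower()
    if precedence in BULK_PRECEDENCE:
        return False, f"precedence: {precedence}"
    if any(name.lower().startswith("list-") for name in msg.keys()):
        return False, "list traffic"

    # RFC 3834 2: do not respond to messages that appear malformed.
    if not msg.get("From"):
        return False, "malformed: missing From"

    return True, "ok"


# Constructed sample messages (not real traffic).
SAMPLE_CLEAN = (
    "Return-Path: <alice@example.com>\n"
    "From: alice@example.com\n"
    "To: bob@example.com\n"
    "Subject: quarterly report\n"
    "\n"
    "Attached.\n"
)
SAMPLE_BOUNCE = (
    "Return-Path: <>\n"
    "From: MAILER-DAEMON@example.net\n"
    "Auto-Submitted: auto-replied\n"
    "Subject: Undelivered Mail\n"
    "\n"
    "Your message could not be delivered.\n"
)
SAMPLE_LIST = (
    "Return-Path: <owner-list@example.org>\n"
    "From: someone@example.org\n"
    "Precedence: list\n"
    "List-Id: <discussion.example.org>\n"
    "Subject: [list] hello\n"
    "\n"
    "Hi all.\n"
)

if __name__ == "__main__":
    for label, raw, virus in (("clean", SAMPLE_CLEAN, False),
                              ("clean+virus", SAMPLE_CLEAN, True),
                              ("bounce", SAMPLE_BOUNCE, False),
                              ("list", SAMPLE_LIST, False)):
        print(label, should_autorespond(raw, virus))
```

Run in a scanner pipeline, this check sits after the virus engine and before any notification template is rendered; the returned reason string is worth logging so that suppressed notices can be audited later.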