[clug] [AUSCERT ALERT - Email worm W32.Beagle.A/Win32.Bagle.A]

Matthew Hawkins matt at mh.dropbear.id.au
Tue Jan 20 00:46:45 GMT 2004


Martin Pool said:
> You want to send bounce messages in response to worms that always
> generate forged addresses?  In other words, where you are guaranteed
> to annoy the wrong person?  Wow.  What's your netblock?

No no no no no NO.

During the SMTP transaction, the sender attempting to deliver this unwanted
mail is given an error code in the 500 range (the exact number is configurable
since some MTAs don't follow internet standards, but it defaults to 550
iirc).  According to the internet standard for mail (let's try RFC2821 and
RFC2822), this code signifies the end of the transaction.  No compliant mail
server will attempt to continue delivery (though some still try) and there is
NO EMAIL GENERATED BY THE RECIPIENT SERVER TO ANY ADDRESS WHATSOEVER.  I have
to spell that out loud since it seems many people just don't get it.  It's up
to the sending server to deal with the 5xx response it got from the recipient
server.

As Nemo didn't quite mention this, the rule he posted is a body_check regexp
for the Postfix MTA.  I know, I wrote it ;)  It's been in place at my
workplace for somewhat longer (in months) than at Goldweb, and the response
from our clients and business partners has been just as positive as Nemo has
experienced.  The rule works in both directions too; some people like to know
they're protected from us as much as we are from them.  And I've found in my
travels that most businesses are implementing identical schemes - it's nice to
know that there are a lot of postmasters out there clued in and proactive about
this kind of thing.

-- 
Matt
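The distinction Matt draws above (a 5xx reply inside the SMTP transaction versus an accept-then-bounce that mails a DSN to a forged sender) is easy to model. The following is an added illustration, not code from the post or from Postfix itself: it simulates the end of the DATA phase with a body_checks-style rule list. The rule pattern, the message and the addresses are all constructed for the example; the actual regexp Nemo posted is not reproduced on this page. The 550 code is the default Matt mentions; Postfix lets the site configure it.

```python
import re
from dataclasses import dataclass

# Constructed body_checks-style rule table (pattern -> Postfix action text).
# This is NOT the rule from the thread; it is a placeholder that flags a
# constructed attachment header so the two delivery strategies can be compared.
BODY_RULES = [
    (re.compile(r"^Content-Disposition:.*\.(exe|scr|pif)\b", re.I),
     "REJECT Executable attachment refused by policy"),
]


@dataclass
class Session:
    """State of one inbound SMTP transaction after the DATA phase."""
    mail_from: str      # envelope sender (worms forge this)
    rcpt_to: str        # envelope recipient
    body_lines: list    # message headers + body as received


@dataclass
class Outcome:
    smtp_reply: str          # reply returned to the sending MTA at end of DATA
    bounces_generated: list  # DSNs the recipient server itself would originate


def check_body(body_lines, rules=BODY_RULES):
    """Return the action text of the first matching rule, or None if clean."""
    for line in body_lines:
        for pattern, action in rules:
            if pattern.search(line):
                return action
    return None


def reject_in_session(session):
    """In-transaction rejection as described in the post.

    A matching rule turns into a 5xx reply on the open connection.  The
    transaction ends there; the recipient server originates no mail at all,
    so a forged MAIL FROM address is never contacted.
    """
    action = check_body(session.body_lines)
    if action and action.startswith("REJECT"):
        reason = action[len("REJECT "):]
        return Outcome(smtp_reply="550 5.7.1 " + reason, bounces_generated=[])
    return Outcome(smtp_reply="250 2.0.0 Ok: queued", bounces_generated=[])


def accept_then_bounce(session):
    """The pattern Martin objected to: accept at SMTP time, scan afterwards,
    then send a bounce to whatever MAIL FROM claimed.  With a forged sender
    the bounce lands on an uninvolved third party."""
    action = check_body(session.body_lines)
    if action:
        return Outcome(smtp_reply="250 2.0.0 Ok: queued",
                       bounces_generated=[session.mail_from])
    return Outcome(smtp_reply="250 2.0.0 Ok: queued", bounces_generated=[])


# Constructed sample transaction: a forged envelope sender and a body carrying
# a flagged attachment header (placeholder values only).
SAMPLE = Session(
    mail_from="innocent.bystander@example.org",
    rcpt_to="postmaster@example.net",
    body_lines=[
        "From: innocent.bystander@example.org",
        "Subject: Hi",
        "Content-Type: application/octet-stream; name=\"readme.exe\"",
        "Content-Disposition: attachment; filename=\"readme.exe\"",
        "",
        "(binary payload omitted)",
    ],
)

if __name__ == "__main__":
    a = reject_in_session(SAMPLE)
    b = accept_then_bounce(SAMPLE)
    print("in-session reject :", a.smtp_reply, "| bounces:", a.bounces_generated)
    print("accept then bounce:", b.smtp_reply, "| bounces:", b.bounces_generated)
```

Running it shows the first strategy answering `550 5.7.1 ...` with an empty bounce list, while the second answers `250` and then queues a DSN for the forged `innocent.bystander@example.org`; that queued DSN is exactly the collateral mail the in-session rejection avoids.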

