[clug] [AUSCERT ALERT - Email worm W32.Beagle.A/Win32.Bagle.A]

Martin Pool mbp at sourcefrog.net
Tue Jan 20 01:43:47 GMT 2004


On 20 Jan 2004 "Matthew Hawkins" <matt at mh.dropbear.id.au> wrote:

> During the SMTP transaction, the sender attempting to deliver this
> unwanted mail is given an error code in the 500 range (the exact
> number is configurable since some MTAs don't follow internet
> standards, but it defaults to 550 iirc).  According to the internet
> standard for mail (let's try RFC2821 and RFC2822), this code signifies
> the end of the transaction.  No compliant mail server will attempt to
> continue delivery (though some still try) and there is NO EMAIL
> GENERATED BY THE RECIPIENT SERVER TO ANY ADDRESS WHATSOEVER.  I have
> to spell that out loud since it seems many people just don't get it.

You're the person who saw a mail header and thought lists.samba.org had
switched to running on NT, aren't you?  Mm.  Obviously an SMTP expert.

> It's up to the sending server to deal with the 5xx response it got
> from the recipient server.

And in some cases it does this by sending a bounce message to the
forged address.  Do you want to see the hundreds of such messages
samba.org receives?

I understand that the receiver is not generating a mail.  You seem to
fail to understand that it may cause the relay to generate a bounce,
and that bounce will almost always be wrong.

Now from one point of view the relay should have been smart enough not
to pass the message.  But unfortunately not all outgoing mail relays are
so smart.  As the recipient's administrator you can't control the relay,
but you can stop things getting worse.

The appropriate solution for viruses is to just drop them, e.g. using
Postfix's DISCARD check.

> As Nemo didn't quite mention this, the rule he posted is a body_check
> regexp for the Postfix MTA.  I know, I wrote it ;)  

People like you are making the virus problem worse.  Please stop.

I wish rfc-ignorant.org would add a blacklist for this.

--
Martin
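
An added illustration, not part of the original message: a small model of the two delivery paths argued over in this thread, showing which party generates mail when the final server answers a virus with a 5xx reject versus a Postfix-style DISCARD. The addresses, reply texts and `VIRUS_MARKER` are constructed, and the relay is a simplified assumption of a store-and-forward MTA.

```python
from dataclasses import dataclass

@dataclass
class Envelope:
    mail_from: str  # envelope sender; mass-mailing worms forge this
    rcpt_to: str
    body: str

VIRUS_MARKER = "CONSTRUCTED-VIRUS-MARKER"  # stand-in for a body_checks pattern

def recipient_mx(env, action):
    """Final-destination server: return its SMTP reply (code, text) after DATA."""
    if VIRUS_MARKER in env.body and action == "REJECT":
        return 550, "5.7.1 message content rejected"  # constructed reply text
    # DISCARD claims success to the client, then silently drops the message.
    return 250, "2.0.0 Ok"

def relay_forward(env, action):
    """Relay that already accepted the message and now forwards it.
    On a permanent failure it reports non-delivery to the envelope sender."""
    code, text = recipient_mx(env, action)
    if 500 <= code <= 599 and env.mail_from:  # a null sender is never bounced
        notice = f"Undelivered mail to {env.rcpt_to}: {code} {text}"
        return [Envelope("", env.mail_from, notice)]  # bounce uses null sender
    return []

def direct_send(env, action):
    """Worm's own SMTP engine talking straight to the MX: a 5xx just ends
    the transaction, and no server has queued anything to bounce."""
    recipient_mx(env, action)
    return []

def backscatter(action):
    """Mail generated by third parties for one infected message, per path."""
    env = Envelope("innocent@forged.example", "user@victim.example",
                   "hello " + VIRUS_MARKER)
    return {"via_relay": relay_forward(env, action),
            "direct": direct_send(env, action)}

if __name__ == "__main__":
    for action in ("REJECT", "DISCARD"):
        for path, bounces in backscatter(action).items():
            print(action, path, [b.rcpt_to for b in bounces])
```
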
