[clug] [AUSCERT ALERT - Email worm W32.Beagle.A/Win32.Bagle.A]

Matthew Hawkins matt at mh.dropbear.id.au
Tue Jan 20 02:57:41 GMT 2004

Martin Pool said:
> You're the person who saw a mail header and thought lists.samba.org had
> switched to running on NT, aren't you?  Mm.  Obviously an SMTP expert.

Sorry, you have me mistaken for someone else.  Though I do occasionally suffer
from brain farts while caffeine/sleep deprived, so perhaps there could be some
factual evidence upon which you base this potentially defamatory remark,
however google certainly couldn't find it; and you know what they say, if
google can't find it it doesn't exist ;)

>> It's up to the sending server to deal with the 5xx response it got
>> from the recipient server.
> And in some cases it does this by sending a bounce message to the
> forged address.  Do you want to see the hundreds of such messages
> samba.org receives?

You can forge From: headers as much as you like, bounce messages go to the
SMTP envelope sender.  At least, on standards-compliant MTAs they do.
Forging that is a lot more difficult.  Not impossible of course, but if that's
where things are right now then we've got bigger problems.  From memory,
forging SMTP envelope sender addresses involves one of two actions:

1) compromising the legitimate mail server(s) for that domain
2) utilising an open relay

Obviously the second is a lot easier, however it is also easily detectable and
immediately gives away the open relay itself, which is then trivially blocked.

> I understand that the receiver is not generating a mail.  You seem to
> fail to understand that it may cause the relay to generate a bounce,
> and that bounce will almost always be wrong.

I understand this well.  The relay is an open one, the forged address is
likely fake, the open relay attempts to deliver mail to bogus addresses...
they deserve to have their mail queue clogged in any case.

> Now from one point of view the relay should have been smart enough not
> to pass the message.

Correct - it should not be misconfigured in the first place permitting open
relaying.  The problem open relaying presents is well known and tangential to
this thread IMO.

> The appropriate solution for viruses is to just drop them, e.g. using
> Postfix's DISCARD check.

But you never know for sure what is a legit virus, which is suspect, and which
is a false alarm.  Dropping mail on the floor is a violation of the internet
standard.  Debasing people for violating best practice while at the same time
violating the written standard yourself is hypocritical.

> People like you are making the virus problem worse.  Please stop.

Please explain.  I completely fail to see how blocking potentially
virus-ridden content from coming in or out of my mail server while
simultaneously providing a simple workaround for legitimate attachments, all
while not violating any internet standard, makes the problem worse.  All the
statistics I have gathered have proven otherwise.

> I wish rfc-ignorant.org would add a blacklist for this.

I seriously doubt rfc-ignorant.org is going to add a blacklist specifically
listing people who are abiding by the RFC for the supposed benefit of those
who are not.
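As an added worked example (not part of the original thread, and not code posted by anyone in it), the following Python script parses the client side of a constructed SMTP session and shows which address an MTA records as the envelope sender (the eventual Return-Path) as opposed to the From: header, and therefore where a standards-compliant bounce would go. Every host and address below is invented; the null-sender handling follows the SMTP standard's rule that a message received with MAIL FROM:<> must not itself be bounced.

```python
"""Added example, not from the original mailing-list thread.

Separates the SMTP envelope sender (MAIL FROM, which becomes Return-Path and
is where DSNs/bounces are sent) from the RFC 2822 From: header inside DATA.
The session transcripts are constructed for illustration only.
"""

import email
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed client-side SMTP transcript (server replies omitted).
# The From: header is forged; the envelope sender is a different address.
SESSION = """EHLO relay.example.net
MAIL FROM:<worm-sender@example.org> SIZE=1234
RCPT TO:<victim@example.com>
DATA
From: "Forged Person" <innocent@example.edu>
To: victim@example.com
Subject: hi

please see attached
.
QUIT
"""

# Same message, but sent with the null reverse-path (how bounces themselves
# are sent); a compliant MTA must not generate a bounce for it.
NULL_SENDER_SESSION = SESSION.replace(
    "MAIL FROM:<worm-sender@example.org> SIZE=1234", "MAIL FROM:<>"
)


def _path_from_arg(arg: str) -> str:
    """Extract the address from '<addr> [ESMTP params]'; '<>' yields ''."""
    s = arg.strip()
    if s.startswith("<"):
        end = s.find(">")
        return s[1:end] if end != -1 else s[1:]
    return s.split()[0] if s else ""


def parse_session(session: str) -> Dict[str, object]:
    """Parse the client side of an SMTP session.

    The envelope sender is taken only from MAIL FROM: it is whatever the
    connecting client claimed, and nothing inside DATA can change it.
    """
    envelope_from: Optional[str] = None
    rcpts: List[str] = []
    body_lines: List[str] = []
    in_data = False
    for line in session.splitlines():
        if in_data:
            if line == ".":
                in_data = False
                continue
            # Dot-stuffing: a line starting with ".." carries a single "."
            body_lines.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(":")
        verb = verb.strip().upper()
        if verb == "MAIL FROM":
            envelope_from = _path_from_arg(arg)
        elif verb == "RCPT TO":
            rcpts.append(_path_from_arg(arg))
        elif verb == "DATA":
            in_data = True
    msg = email.message_from_string("\n".join(body_lines))
    header_from = parseaddr(msg.get("From", ""))[1]
    return {
        "envelope_from": envelope_from,   # becomes the Return-Path header
        "rcpt_to": rcpts,
        "header_from": header_from,       # purely message content
    }


def bounce_recipient(parsed: Dict[str, object]) -> Optional[str]:
    """Where a compliant MTA sends a DSN for this message: the envelope
    sender, never the From: header. An empty reverse-path (MAIL FROM:<>)
    means no bounce may be generated, so None is returned."""
    env = parsed["envelope_from"]
    return env if env else None


if __name__ == "__main__":
    p = parse_session(SESSION)
    print("Return-Path (envelope):", p["envelope_from"])
    print("From: header          :", p["header_from"])
    print("bounce would go to    :", bounce_recipient(p))
    print("null sender bounce    :", bounce_recipient(parse_session(NULL_SENDER_SESSION)))
```

Run it as a script to see the two addresses side by side; the forged From: never appears in the bounce path, and the null-sender variant produces no bounce at all.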
