[clug] [AUSCERT ALERT - Email worm W32.Beagle.A/Win32.Bagle.A]

Martin Pool mbp at sourcefrog.net
Tue Jan 20 03:07:02 GMT 2004


On 20 Jan 2004, Matthew Hawkins <matt at mh.dropbear.id.au> wrote:
> 
> Martin Pool said:
> > You're the person who saw a mail header and thought lists.samba.org had
> > switched to running on NT, aren't you?  Mm.  Obviously an SMTP expert.
> 
> Sorry, you have me mistaken for someone else.  

http://lists.samba.org/archive/linux/2003-November/008734.html

Your trolling is not welcome here.

> You can forge From: headers as much as you like, bounce messages go to the
> SMTP envelope sender.  At least, on standards-compliant MTAs they do.
> Forging that is a lot more difficult.  Not impossible of course, but if that's
> where things are right now then we've got bigger problems.  From memory,
> forging SMTP envelope sender addresses involves one of two actions:
> 
> 1) compromising the legitimate mail server(s) for that domain
> 2) utilising an open relay

Many outgoing mail relays will pass all messages as long as they come
from an authorized client, on the inside network.  It's not an open
relay.  When the mail is rejected, they send a bounce to the forged
address.  

The vast majority of corporate and ISP mailservers are configured like
this, and it is not generally a problem except for this case of
viruses.

> Obviously the second is a lot easier, however it is also easily detectable and
> immediately gives away the open relay itself, which is then trivially blocked.
> 
> > I understand that the receiver is not generating a mail.  You seem to
> > fail to understand that it may cause the relay to generate a bounce,
> > and that bounce will almost always be wrong.
> 
> I understand this well.

No, you fail it.

> The relay is an open one, the forged address is likely fake, the
> open relay attempts to deliver mail to bogus addresses...  they
> deserve to have their mail queue clogged in any case.

It is not an open relay.

I don't care if it's clogged.  I care about bounce messages going to
third parties.

-- 
Martin 
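An added example, not part of the thread, modelling the relay behaviour Martin describes: a relay that accepts mail only from authorised inside hosts (so it is not an open relay), later fails delivery, and sends the DSN to the SMTP envelope sender (MAIL FROM) rather than the From: header, so a forged envelope sender turns into a bounce to a third party. The `reject_at_rcpt` switch shows the mitigation of refusing unknown recipients during the SMTP session so that no bounce is generated at all. All hosts, addresses and class names below are constructed for the example.

```python
from dataclasses import dataclass, field

KNOWN_USERS = {"alice@example.org"}  # constructed list of real local mailboxes

@dataclass
class Message:
    envelope_from: str   # SMTP MAIL FROM: where a DSN (bounce) is sent
    envelope_to: str     # SMTP RCPT TO
    header_from: str     # RFC 2822 From: header; MTAs ignore it for bounces

@dataclass
class Relay:
    authorized_clients: set            # inside-network hosts allowed to relay
    reject_at_rcpt: bool = False       # mitigation: refuse bad recipients in-session
    queue: list = field(default_factory=list)
    bounces_sent: list = field(default_factory=list)

    def smtp_session(self, client_ip: str, msg: Message) -> str:
        """One SMTP transaction; returns the relay's reply to the client."""
        if client_ip not in self.authorized_clients:
            return "554 relay access denied"   # outsiders refused: not an open relay
        if self.reject_at_rcpt and msg.envelope_to not in KNOWN_USERS:
            return "550 no such user"          # failure stays with the client, no DSN
        self.queue.append(msg)
        return "250 queued"

    def run_queue(self) -> None:
        """Later delivery attempt; a failure generates a DSN to MAIL FROM."""
        for msg in self.queue:
            if msg.envelope_to not in KNOWN_USERS:
                self.bounces_sent.append(msg.envelope_from)  # backscatter target
        self.queue.clear()

def backscatter_targets(reject_at_rcpt: bool) -> list:
    """Who receives bounces when an infected inside host sends worm mail."""
    relay = Relay(authorized_clients={"10.0.0.5"}, reject_at_rcpt=reject_at_rcpt)
    worm_mail = Message(envelope_from="bystander@third-party.example",  # forged
                        envelope_to="nobody@example.org",               # bogus
                        header_from="someone@elsewhere.example")
    assert relay.smtp_session("203.0.113.9", worm_mail).startswith("554")  # outside host
    relay.smtp_session("10.0.0.5", worm_mail)   # authorised inside host: accepted
    relay.run_queue()
    return relay.bounces_sent

if __name__ == "__main__":
    print("accept-then-bounce:", backscatter_targets(False))
    print("reject at RCPT TO: ", backscatter_targets(True))
```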