[clug] [AUSCERT ALERT - Email worm W32.Beagle.A/Win32.Bagle.A]

Paul Hampson Paul.Hampson at anu.edu.au
Tue Jan 20 12:14:26 GMT 2004

On Tue, Jan 20, 2004 at 04:32:34PM +1100, Matthew Hawkins wrote:
> Martin Pool said:
> > It's not my relay.  It is the outgoing relay of the person infected
> > with the virus.  I have no control over it.  Neither do you.  Please try
> > to understand.  The only way to stop it generating wild bounces is to
> > not reject viruses.
> Okay.  If the mail is coming from an *authorized client* ie, they have passed
> some kind of SMTP AUTH or POP-before-SMTP or client check rules etc, then the
> SMTP envelope sender will be the address of that authorized client, the bounce
> generated goes to that address, and why the hell do you give a damn?  This is
> the way it's meant to work!  At what point does this bounce ever become *your*
> problem?  It's generated by the remote server and delivered to the remote
> user, and at no point involves your mail server at all!  This addresses the
> scenario you spoke of, but let's explore the others.

What about when the client is being authorized by IP address? e.g.
dialled in on the ISP's subnet, talking to the ISP's mail server.

Then they're an authorized client, but the SMTP envelope address will
still be freely chosen... and bounces can still be sent all over the

To my mind, a better solution is employed by amavisd which has a list of
viruses that fake FROM headers, and doesn't send back bounces to those,
silently discarding them instead (or passing them on, depending on the
setup of amavisd)

The disadvantages are that both amavisd and the virus scanner need to be
kept up to date, and (at least the way I've managed to set it up, albeit
not in the wild yet) it happens after the SMTP server accepts the mail
from the remote machine, so it can't send back an SMTP error of its own,
it has to generate bounces or not as the case may be.

If I didn't already have postfix in production, I'd have considered exim
and exim-(Bah, can't remember the program) which filters in front of
exim, apparently neater than amavisd does. In all other cases, I prefer
postfix, simply because I have managed to get it working. :-)

Paul "TBBle" Hampson, MCSE
6th year CompSci/Asian Studies student, ANU
The Boss, Bubblesworth Pty Ltd (ABN: 51 095 284 361)
Paul.Hampson at Anu.edu.au

"No survivors? Then where do the stories come from I wonder?"
-- Capt. Jack Sparrow, "Pirates of the Caribbean"

This email is licensed to the recipient for non-commercial
use, duplication and distribution.
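The amavisd behaviour described above (suppress the virus warning to the envelope sender for families known to forge it, and discard rather than pass the message on) is controlled by a handful of settings in amavisd.conf, which is read as Perl. The fragment below is an added illustration, not the poster's configuration and not amavisd-new's shipped default file; the variable names and the new_RE() helper are amavisd-new's own, while the particular regex list is an assumption chosen to match the Bagle/Beagle names in this alert. The "weak" lines are left commented out beside the corrected ones so the difference is visible.

```perl
# amavisd.conf fragment (Perl syntax, as amavisd-new reads it).
# Added example for this thread; not the list author's config and not the
# shipped default. Regex list is an assumption covering W32.Beagle.A/Win32.Bagle.A.

# Weak setting: a virus warning goes back to the envelope sender for every hit.
# With Bagle that sender is forged, so every warning is backscatter to an
# innocent third party (the problem discussed in this thread).
#   $warnvirussender = 1;
#   @viruses_that_fake_sender_maps = ();

# Corrected setting: the infected message is neither delivered nor relayed,
# and the sender warning is suppressed for families known to forge the sender.
$final_virus_destiny = D_DISCARD;   # drop silently; D_BOUNCE would generate the bounce
$warnvirussender     = 1;           # still permitted for viruses that do not forge
$warnvirusrecip      = 0;           # do not tell the local recipient either

@viruses_that_fake_sender_maps = (new_RE(
  qr'^(?:W32|Win32)[./]?be?agle'i,   # W32.Beagle.A, Win32.Bagle.A and variants
  qr'be?agle|mydoom|novarg|sobig|klez|swen|mimail'i,  # other known forgers (assumed list)
));
```

Two caveats the post already hints at: the regexes are matched against the name your virus scanner reports, so the scanner's signature names and this list have to be kept in step, and because amavisd runs after the MTA has accepted the message this is a discard decision, not an SMTP-time reject; the only thing it prevents is your own server adding to the backscatter.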
