  sweintz Premium join:2002-03-01 Hamden, CT
reply to NormanS Re: SORBS got my buddy
Norman-
Your points are correct, but do not address the issue I mentioned, which seems to be responsible for most of the backscatter I see the servers at $dayjob getting hit with - virus-infected machines sending via their ISP's mail server with a forged From and Return-Path. The ISP's own user is the one sending the mail (although inadvertently). The forged address is one of the users in our domain. The ISP's server gets a 550 when it tries to deliver the mail, and then sends the bounce to our server.
Very bad, IMO. When I get these, I complain to the ISP. MOST ISPs do not want to acknowledge this is a problem at all.
When I get an "it's not our problem" response, I gladly post the offending backscatter on news.admin.net-abuse.sightings, and also report it to SpamCop. If they get blacklisted because of this, well... that's not MY problem...
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
Viral backscatter is a completely different issue from NDRs. Because no contemporary virus identifies the sending computer accurately, no server AV scanner should be sending notifies of viral infections. It is entirely possible to configure the MTA so that it sends NDRs to an authorized Return-Path address, but bins viral messages without sending notifies. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum
  sweintz Premium join:2002-03-01 Hamden, CT
ER... No.
What I am talking about is not exactly viral backscatter.
What you mention is bad, and is a problem, but not as bad as what I am talking about.
What I am whining about is this:
ISP customer has a virus-infected machine that tries to send a virus out via the ISP's mail server. The virus mail gets 550'ed on the receiving end (for whatever reason the receiving MTA refuses it -- perhaps it has a virus scanner that runs after the DATA command is issued but before the mail is queued, or perhaps a blocklist is used, or perhaps some other filtering - doesn't matter why, point is it gets a 550 error). ISP mail server sees the 550, and since it now knows it cannot deliver the email, it sends an NDR to the sender. Problem is the virus forges the sender envelope and header, so the NDR goes to some innocent 3rd party.
 NormanS Premium,MVM join:2001-02-14 San Jose, CA
·Pacific Bell - SBC
I haven't seen a lot of evidence of that happening. That could be mitigated by requiring message submissions to be authenticated. It would force the virus to use the user's mail client instead of its own SMTP relaying client. -- Norman ~Oh Lord, why have you come ~To Konnyu, with the Lion and the Drum
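Norman's fix (authenticated submission) sits on the ISP side; the domain receiving the bounces can defend itself independently by tagging its own outbound Return-Path with a keyed, expiring signature and refusing bounces (empty envelope sender) addressed to untagged or invalid addresses, so an NDR for mail we never sent is rejected at RCPT time instead of landing in a user's mailbox. The following is an added example illustrating that idea with a simplified BATV-style `prvs=` tag; it is not code from either poster, and the secret key, domain and dates are constructed for the demo.

```python
import hashlib
import hmac
import re
from datetime import date

# Constructed demo key. In deployment this is a secret shared by the outbound
# MTAs (which sign) and the inbound MX (which verifies) for the domain.
SECRET = b"constructed-demo-key-not-for-production"

# Simplified BATV form: prvs=<key-id 1 digit><day 3 digits><mac 6 hex>=<local>
TAG_RE = re.compile(
    r"^prvs=(?P<key>\d)(?P<day>\d{3})(?P<mac>[0-9a-f]{6})=(?P<local>.+)$",
    re.IGNORECASE,
)


def _day(d: date) -> int:
    """Day of year folded into 3 digits so the tag stays short."""
    return d.timetuple().tm_yday % 1000


def _mac(local: str, key_id: int, day: int) -> str:
    """Truncated HMAC binding the local part to a key version and a day."""
    msg = f"{key_id}{day:03d}{local}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:6]


def sign_return_path(local: str, domain: str, today: date, key_id: int = 0) -> str:
    """Outbound side: rewrite the envelope sender into its tagged form."""
    day = _day(today)
    return f"prvs={key_id}{day:03d}{_mac(local, key_id, day)}={local}@{domain}"


def check_bounce_recipient(address: str, today: date, max_age_days: int = 7) -> bool:
    """Inbound side: may a message with MAIL FROM:<> be accepted for this address?

    Returns False for untagged addresses (we never sent mail with that
    Return-Path, so any bounce to it is backscatter), for tags whose MAC does
    not verify (forged or altered), and for tags older than max_age_days.
    """
    local, _, _domain = address.rpartition("@")
    m = TAG_RE.match(local)
    if not m:
        return False
    key_id, day, tag = int(m["key"]), int(m["day"]), m["mac"].lower()
    if not hmac.compare_digest(tag, _mac(m["local"], key_id, day)):
        return False
    age = (_day(today) - day) % 1000  # tolerate year-boundary wraparound
    return age <= max_age_days
```

The same tag check also lets an MX distinguish a legitimate DSN for mail it actually sent from the forged-sender bounces described in this thread, without having to trust anything in the message body.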