Re: .exe, and other attachments
From: Craig Sanders (cas taz.net.au)
Date: Wed Sep 24 2003 - 19:54:43 CDT

On Sat, Sep 20, 2003 at 09:52:10AM -0400, Victor Duchovni wrote:
> Reject (however tempting) is a disservice to the Internet community. While
> protecting each recipient, it puts all of us collectively at risk
> of a much harder to prevent DDoS via sender forgery.

while i agree with you on general principles (that DISCARDing mail containing
specific mal-ware signatures is the Right Thing to do), i think you're
over-estimating the effects of REJECT.

most worms propagate by opening direct smtp connections themselves. most of
them do not use a real MTA as a relay. this may change in future, but for now
what that means is that the worm itself gets the 5xx REJECT code...and promptly
ignores it and moves on to the next victim address. very few worms (none to my
knowledge) have any bounce-handling code.

i suspect that this will remain the case for a long time to come. there is no
compelling reason for a virus/worm author to implement a bounce handler, it
just increases the payload size and complexity of the program for no "benefit".

even if the worm uses outlook or eudora (or whatever) to propagate, or look for
a local MTA to relay through, that will be self-defeating because they are then
subject to any anti-virus mechanisms in that relay host and are far more likely
to be noticed by the ISP (resulting in account suspension or just blocking the
virus). IMO, it would be a *good* thing if worm/virus authors were dumb enough
to do this - it would make it much easier to control the spread of mal-ware.

OTOH, AV-scanners that send virus-alert notifications back to the forged sender
address are evil and ought to be banned. they are a real and significant
problem. ditto for TMDA-style anti-spam systems.

craig
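
The cases argued in this thread, as an added Python model that is not part of either poster's message: it checks a constructed MIME message for a blocked attachment name and reports who receives unsolicited mail under each receiver policy. The `NOTIFY` policy label, the client labels `worm_smtp` and `relay_mta`, the extension list and the addresses are assumptions made for the example.

```python
from email import message_from_string

FORGED = "innocent@example.org"         # constructed: address the worm forged
BLOCKED_EXT = (".exe", ".pif", ".scr")  # assumed extension blocklist

# Constructed sample message (placeholder payload, not real malware).
SAMPLE = """From: innocent@example.org
To: user@example.net
Subject: details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="details.exe"
Content-Disposition: attachment; filename="details.exe"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVI=
--b1--
"""

def has_blocked_attachment(raw):
    """True if any MIME part carries a filename with a blocked extension."""
    msg = message_from_string(raw)
    return any((part.get_filename() or "").lower().endswith(BLOCKED_EXT)
               for part in msg.walk())

def receiver(raw, mail_from, policy):
    """Model the receiving MTA: return (SMTP reply code, mail it sends itself)."""
    if not has_blocked_attachment(raw):
        return 250, []
    if policy == "REJECT":
        return 550, []              # refused in-session; nothing is queued
    if policy == "DISCARD":
        return 250, []              # accepted, then silently dropped
    if policy == "NOTIFY":
        return 250, [mail_from]     # AV alert mailed to the (forged) sender
    raise ValueError(policy)

def backscatter(raw, mail_from, policy, client):
    """Addresses that get unsolicited mail because of one delivery attempt."""
    code, sent = receiver(raw, mail_from, policy)
    # Only a real MTA turns a 5xx into a bounce to the envelope sender;
    # a worm's built-in SMTP engine ignores the reply and moves on.
    if code >= 500 and client == "relay_mta":
        sent = sent + [mail_from]
    return sent
```

In this model REJECT reaches the forged sender only when a real MTA relays the message, DISCARD never does, and a sender-notifying scanner always does.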