Bankshot backscatter: a philosophical question

From: Sheldon T. Hall (pftandem.artell.net)
Date: Mon Feb 07 2005 - 12:16:50 CST


As a preliminary defense against viruses and other malware, I have some body
and header checks that reject messages with various content types, HTML
elements, etc. In all cases they REJECT the message. This works fine, in
that the message containing the crap is immediately rejected and I'm not
generating any backscatter.

However, I've begun to see a change in the way these messages are presented.
They used to come directly from an infected PC, but they are now coming from
real mailservers. Should I continue to reject them, knowing that the
putative "sender" is probably a forgery, and the mailserver is thus likely
to "return" the message to some innocent third party?

Here's a log example, with comments...

[Original message presented by a real mailserver, so it gets greylisted...]

Feb 6 12:00:54 6C:tandem postfix_greyd: 8D47BC2D24: adding 62.173.164/someuserrodax.net/aquamantandem.artell.net in 4 minutes for 1 day

[SAV confirms that the sender address is legit...]

Feb 6 12:00:56 6C:tandem postfix/smtp[26367]: DE16CC2D25: to=<someuserrodax.net>, relay=mail.rodax.net[62.173.164.27], delay=2, status=deliverable (250 Ok)

[The greylister sends a 450 ...]

Feb 6 12:01:06 6C:tandem postfix/smtpd[26361]: 8D47BC2D24: reject: DATA from mail.rodax.it[62.173.164.27]: 450 <DATA>: Data command rejected: Temporarily busy, try again in 4 minutes; from=<someuserrodax.net> to=<aquamantandem.artell.net> proto=ESMTP helo=<mail.rodax.it>

[The sender's mailserver calls back, and passes the greylister ...]

Feb 6 12:05:43 6C:tandem postfix_greyd: BB0B0C2D24: found 62.173.164/someuserrodax.net/aquamantandem.artell.net DUNNO

[But he's sent me crap, so I reject it... < changed to [ in HTML tag]

Feb 6 12:05:44 6C:tandem postfix/cleanup[26452]: BB0B0C2D24: reject: body [iframe src=3D"cid:surqcqlrrnoxq" height=3D0 width=3D0> from mail.rodax.it[62.173.164.27]; from=<someuserrodax.net> to=<aquamantandem.artell.net> proto=ESMTP helo=<mail.rodax.it>: Unsupported HTML (rule 5)

[He tries again ...]

Feb 6 12:20:26 6C:tandem postfix_greyd: 855C7C2D24: found 62.173.164/someuserrodax.net/aquamantandem.artell.net DUNNO

[Different crap this time, but it gets rejected, too...]

Feb 6 12:20:28 6C:tandem postfix/cleanup[26589]: 855C7C2D24: reject: header Content-Type: application/x-msdownload; name="install2.exe" from mail.rodax.it[62.173.164.27]; from=<someuserrodax.net> to=<aquamantandem.artell.net> proto=ESMTP helo=<mail.rodax.it>: Disallowed attachment type. File "install2.exe" has the unacceptable extension "exe" - Zip it!

Now, I haven't generated any backscatter, but I'm betting mail.rodax.it is
going to send those two rejected messages "back" to someuserrodax.net. I'm
also betting those two messages came from someone else, so
someuserrodax.net is going to be mystified or annoyed, at best. I suppose
he might get _his_ PC infected by the returned messages, depending on what
mail.rodax.net does with them and how someuserrodax.net has his machine set
up.

So ... as a matter of good citizenship, should I be doing something else
with this sort of crap rather than REJECTing it?

Thanks.

-Shel
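An added example, not from the post or the list, that correlates log entries of the kind Shel quotes: it parses constructed Postfix/greyd lines modelled on the excerpt (hostnames, IPs and addresses are placeholders) and lists the messages a real relay retried past greylisting and then had content-rejected, which are exactly the cases where the relaying MTA, not our server, is likely to bounce the rejection to the forged sender.

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the post's excerpt. Queue ids follow the
# post; hosts and addresses are documentation placeholders, not real users.
SAMPLE_LOG = """\
Feb 6 12:00:54 mx postfix_greyd: 8D47BC2D24: adding 192.0.2/someuser@example.net/alice@example.org in 4 minutes for 1 day
Feb 6 12:01:06 mx postfix/smtpd[26361]: 8D47BC2D24: reject: DATA from mail.example.net[192.0.2.27]: 450 <DATA>: Data command rejected: Temporarily busy, try again in 4 minutes; from=<someuser@example.net> to=<alice@example.org> proto=ESMTP helo=<mail.example.net>
Feb 6 12:05:43 mx postfix_greyd: BB0B0C2D24: found 192.0.2/someuser@example.net/alice@example.org DUNNO
Feb 6 12:05:44 mx postfix/cleanup[26452]: BB0B0C2D24: reject: body <iframe src=3D"cid:x" height=3D0 width=3D0> from mail.example.net[192.0.2.27]; from=<someuser@example.net> to=<alice@example.org> proto=ESMTP helo=<mail.example.net>: Unsupported HTML (rule 5)
Feb 6 12:20:26 mx postfix_greyd: 855C7C2D24: found 192.0.2/someuser@example.net/alice@example.org DUNNO
Feb 6 12:20:28 mx postfix/cleanup[26589]: 855C7C2D24: reject: header Content-Type: application/x-msdownload; name="install2.exe" from mail.example.net[192.0.2.27]; from=<someuser@example.net> to=<alice@example.org> proto=ESMTP helo=<mail.example.net>: Disallowed attachment type. File "install2.exe" has the unacceptable extension "exe" - Zip it!
"""

# greyd: "adding" = first contact, tempfailed; "found ... DUNNO" = retry accepted.
GREYD_RE = re.compile(r"postfix_greyd: (\w+): (adding|found) (\S+)")
# cleanup rejects from header_checks/body_checks, with relay, envelope and reason.
CLEANUP_RE = re.compile(
    r"postfix/cleanup\[\d+\]: (\w+): reject: (header|body) .* from (\S+)\[([\d.]+)\]; "
    r"from=<([^>]*)> to=<([^>]*)>.*: (.+)$"
)


def parse_log(text):
    """Return per-queue-id records: greylist verdict plus any content rejection."""
    records = defaultdict(dict)
    for line in text.splitlines():
        m = GREYD_RE.search(line)
        if m:
            qid, action, triplet = m.groups()
            records[qid]["greylist"] = "tempfail" if action == "adding" else "passed"
            records[qid]["triplet"] = triplet
            continue
        m = CLEANUP_RE.search(line)
        if m:
            qid, stage, relay, ip, sender, rcpt, reason = m.groups()
            records[qid].update(stage=stage, relay=relay, ip=ip,
                                sender=sender, rcpt=rcpt, reason=reason)
    return dict(records)


def backscatter_candidates(records):
    """Messages a relay retried past greylisting and then had content-rejected.

    A relay that queued the message and retried it has already accepted it from
    the (probably forged) sender, so our 5xx is likely to become its bounce.
    Grouped by relay hostname so a noisy relay stands out."""
    out = defaultdict(list)
    for qid, r in records.items():
        if r.get("greylist") == "passed" and "reason" in r:
            out[r["relay"]].append((qid, r["stage"], r["reason"]))
    return dict(out)
```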