Re: Bankshot backscatter: a philosophical question

From: Noel Jones (njonesmegan.vbhcs.org)
Date: Mon Feb 07 2005 - 12:32:18 CST


On Mon, Feb 07, 2005 at 10:16:50AM -0800, Sheldon T. Hall wrote:
> As a preliminary defense against viruses and other malware, I have some body
> and header checks that reject messages with various content types, HTML
> elements, etc. In all cases they REJECT the message. This works fine, in
> that the message containing the crap is immediately rejected and I'm not
> generating any backscatter.
>
> However, I've begun to see a change in the way these messages are presented.
> They used to come directly from an infected PC, but they are now coming from
> real mailservers. Should I continue to reject them, knowing that the
> putative "sender" is probably a forgery, and the mailserver is thus likely
> to "return" the message to some innocent third party?
>

I think the general consensus is that this isn't your problem: you
have done the right thing and have no control over the insecure mail
server that may eventually generate the backscatter.

Your only other choices are to discard the mail, which is only
suitable on very high confidence tests, or to accept the mail and
either tag+deliver or quarantine.

Not everyone can agree on what is high enough confidence in a test to
discard, so you're on your own there.
And not everyone cares to maintain a quarantine, and not everyone cares to
burden their users with likely-bad and possibly dangerous but tagged
mail.

So you get to make your own call on this one.

--
Noel Jones
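The three choices laid out in the reply (reject during the SMTP transaction, silently discard, or accept and then tag or quarantine) correspond one-to-one to actions a header check can return. The table below is an added example, not code from the thread or from either poster: the original only mentions "body and header checks" that REJECT, so the MTA is assumed to be Postfix (whose header_checks/body_checks use exactly these action names), and the file path, the header pattern and the action texts are illustrative. Every rule uses the same pattern; only the action differs, and the action is what decides whether any bounce can ever be generated from your side.

```pcre
# Hypothetical /etc/postfix/header_checks, pcre table (added example; the MTA
# is assumed to be Postfix, the thread does not name it). Enable in main.cf:
#   header_checks = pcre:/etc/postfix/header_checks
# Only one of the four rules should be active for a given pattern; the
# others are shown commented out so the alternatives sit side by side.

# 1. REJECT: refused inside the SMTP transaction, so this server never
#    creates a bounce. If a relay upstream already accepted the message,
#    that relay (not you) bounces it to the forged envelope sender.
/^Content-(Type|Disposition):.*name\s*=\s*"?[^"]*\.(exe|pif|scr)\b/  REJECT Attachment type not accepted here

# 2. DISCARD: accepted on the wire, then silently dropped; nobody is told.
#    Only sensible for a test that never produces false positives.
#/^Content-(Type|Disposition):.*name\s*=\s*"?[^"]*\.(exe|pif|scr)\b/  DISCARD executable attachment

# 3. Accept, tag, deliver: PREPEND adds a header the user's client can file
#    on; the message still reaches the mailbox, risks included.
#/^Content-(Type|Disposition):.*name\s*=\s*"?[^"]*\.(exe|pif|scr)\b/  PREPEND X-Suspect-Attachment: executable

# 4. Accept and quarantine: HOLD parks the message in the hold queue for a
#    human to inspect (postcat -q), release (postsuper -H) or delete
#    (postsuper -d). Someone has to actually look at that queue.
#/^Content-(Type|Disposition):.*name\s*=\s*"?[^"]*\.(exe|pif|scr)\b/  HOLD executable attachment held for review
```

Which action a given header line would trigger can be checked without sending mail, e.g. `postmap -q 'Content-Type: application/octet-stream; name="x.exe"' pcre:/etc/postfix/header_checks`, which prints the matching action text. Note that REJECT only avoids backscatter for mail arriving over SMTP, where the refusal goes back in the SMTP reply; whether the connecting server then bounces it to a forged sender is, as the reply says, that server's problem.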