Re: [anti-spam-wg@localhost] Broken AV software
- Date: Thu, 6 Nov 2003 13:41:06 +0100 (MET)
> [...] since almost all new viruses are using faked sender addresses,
> [automated "you have a virus" bouncing] is becoming a huge problem.
I experienced this effect just a week ago, in a slight variation:
I reconnected my private mailhub at home after a four week hiatus
due to vacations and system upgrade. The initial uucp connect
transferred 100 MB, most of which was:
(A) --> incoming: the original virus mail.
(B) <-- outgoing: a bouncogram, not because I would do virus checking
(no need 'cause I still stick with good old mailx) but
because I am following a draconian extension of
http://homepages.cwi.nl/~piet/mailrestr-en.html
and reject multipart/{mixed,alternative} emails
right within sendmail.
(C) --> incoming:
either a NXUSER bouncogram
or a "you've sent a virus" notification
This totaled half a meg of traffic for every single SWEN email.
(Imagine what would happen if I rejected "multipart/report", too ;-)
My gut feeling is that the double bounces generally violate the
"no errors about errors" principle. With today's amount of
faked senders, I now disabled double bounces on my system.
Am still torn whether I should also switch sendmail's option
    -R return Set the amount of the message to be returned if the message
              bounces. The return parameter can be `full' to return the
              entire message or `hdrs' to return only the headers.
towards the "hdrs" setting. It's OK for spam/virus emails, but since I am
usually harsh enough with my policy to reject HTML emails or attachments,
I think it's a bit fairer to well-meaning senders who use the "wrong"
packaging to use the "full" setting so they can easily try again.
What I'd love to use would be
    -R 10k
I know that some MTAs do such a thing: return the headers and just
the first few lines of the body. Looks quite sensible to me.
Martin Neitzel
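The two decisions discussed in the message above, never sending an error about an error and returning only the headers plus the first 10k of the body, modelled as an added example in Python. This is not code from the post or from sendmail; the function names, the sample messages (a SWEN-like multipart/mixed mail, an AV gateway notice with a null envelope sender, and a multipart/report DSN), the size limit and the truncation note are all constructed for illustration.

```python
"""Added example (not from the original post or sendmail): a toy MTA
bounce policy.  It rejects multipart/{mixed,alternative} mail, refuses
to generate a bounce for anything that is itself an error report (null
envelope sender or multipart/report), and returns only the headers plus
the first MAX_BODY_BYTES of the body, the wished-for "-R 10k" setting.
Names, sample messages and limits are assumptions for illustration."""
import email
from email.message import Message

REJECTED_TYPES = {"multipart/mixed", "multipart/alternative"}
MAX_BODY_BYTES = 10 * 1024          # hypothetical "-R 10k"


def should_reject(msg: Message):
    """Return the offending Content-Type, or None.  multipart/report is
    deliberately not on the list, so DSNs and virus notices get in."""
    ctype = msg.get_content_type()
    return ctype if ctype in REJECTED_TYPES else None


def is_error_report(envelope_sender: str, msg: Message) -> bool:
    """A null envelope sender (MAIL FROM:<>) marks a delivery report, and
    multipart/report is the MIME type used for DSNs and similar notices."""
    if envelope_sender.strip() in ("", "<>"):
        return True
    return msg.get_content_type() == "multipart/report"


def split_headers(raw: bytes):
    """Split raw message bytes at the first blank line (CRLF or LF)."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        i = raw.find(sep)
        if i != -1:
            return raw[:i + len(sep)], raw[i + len(sep):]
    return raw, b""                 # no body at all


def truncated_copy(raw: bytes, max_body: int = MAX_BODY_BYTES):
    """Return (bytes, truncated?) holding all headers but at most max_body
    bytes of body, cut at a line boundary so the start stays readable."""
    headers, body = split_headers(raw)
    if len(body) <= max_body:
        return raw, False
    cut = body.rfind(b"\n", 0, max_body) + 1   # 0 when no newline in range
    if cut == 0:
        cut = max_body
    note = b"\r\n[... rest of message body not returned ...]\r\n"
    return headers + body[:cut] + note, True


def bounce_decision(envelope_sender: str, raw: bytes, reason: str):
    """None when no bounce may be generated ("no errors about errors"),
    otherwise a dict describing the bounce to send."""
    msg = email.message_from_bytes(raw)
    if is_error_report(envelope_sender, msg):
        return None                 # log locally, never mail an error about an error
    returned, was_cut = truncated_copy(raw)
    return {"to": envelope_sender, "reason": reason,
            "returned": returned, "truncated": was_cut}


def handle_incoming(envelope_sender: str, raw: bytes):
    """One delivery: ("accept", None), ("bounce", dict) or ("drop", None)."""
    reason = should_reject(email.message_from_bytes(raw))
    if reason is None:
        return "accept", None
    bounce = bounce_decision(envelope_sender, raw, reason)
    return ("bounce", bounce) if bounce else ("drop", None)


# Constructed sample traffic (not real captures).
_LINE = b"A" * 76 + b"\r\n"
VIRUS_RAW = (b"From: forged@example.org\r\nTo: me@example.net\r\n"
             b"Subject: Microsoft Internet Update Pack\r\nMIME-Version: 1.0\r\n"
             b'Content-Type: multipart/mixed; boundary="XYZ"\r\n\r\n'
             b"--XYZ\r\nContent-Type: application/octet-stream\r\n"
             b"Content-Transfer-Encoding: base64\r\n\r\n" + _LINE * 400
             + b"--XYZ--\r\n")
NOTICE_RAW = (b"From: postmaster@av-gateway.example.com\r\nTo: forged@example.org\r\n"
              b"Subject: You sent a virus\r\nMIME-Version: 1.0\r\n"
              b'Content-Type: multipart/mixed; boundary="NOT"\r\n\r\n'
              b"--NOT\r\nContent-Type: text/plain\r\n\r\nW32/Swen found.\r\n--NOT--\r\n")
REPORT_RAW = (b"From: MAILER-DAEMON@example.com\r\nTo: forged@example.org\r\n"
              b"Subject: Undeliverable\r\nMIME-Version: 1.0\r\n"
              b'Content-Type: multipart/report; report-type=delivery-status; boundary="RPT"\r\n\r\n'
              b"--RPT\r\nContent-Type: text/plain\r\n\r\nNo such user.\r\n--RPT--\r\n")

if __name__ == "__main__":
    for sender, raw in (("forged@example.org", VIRUS_RAW), ("<>", NOTICE_RAW),
                        ("<>", REPORT_RAW)):
        action, payload = handle_incoming(sender, raw)
        size = len(payload["returned"]) if payload else 0
        print(action, sender, "returned bytes:", size, "of", len(raw))
```

The null-sender check is what stops the (B) -> (C) -> (B) loop: a notification that arrives with MAIL FROM:<> is answered with nothing, however badly packaged it is, and a rejected message from a (possibly forged) sender gets back its headers and only the start of its body.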