North American Network Operators Group

Re: Clueless anti-virus products/vendors (was Re: Sober)

  From: Rich Kulawiec
  Date: Mon Dec 05 20:35:25 2005

On Sun, Dec 04, 2005 at 09:27:58PM -0600, Church, Chuck wrote:
> What about all the viruses out there that don't forge addresses?

Three responses.

First, these are pretty much a minority nowadays: so unless someone
wants to code AV responses on a case-by-case basis, the best default
is "don't respond, ever".

Second, rejecting virus-contaminated traffic during the SMTP phase
completely alleviates the need to address this question, since no
outbound mail is generated.

Third, put the first two points aside.  Let's suppose, for a moment,
that there existed a completely reliable mechanism for figuring out
the real sender (in the sense of "the owner of the infected system")
for a particular virus-contaminated message.

Think about what would happen if the 100 or 1000 or 10000 or 100000
people getting outbound viruses from that user all generated responses.

The first effect would be to double the quantity of useless mail
messages traversing the Internet.

The second effect would be to hammer the user's mailbox and whatever
mail server it happened to be residing on.  (Consider how this effect
would be multiplied if many users of X all had infected systems sending
SMTP traffic directly, but of course were all receiving inbound mail via
X's mail server(s).)

The third effect would really be a non-effect, as the user's most
likely response (thanks to years of conditioning imposed by the
problem we're discussing here) would be to do nothing: experience
has taught users that such warnings are bogus and can safely be ignored.
The user's second-most-likely response would be indignant denial (despite
logs showing positive identification).  The user's third-most-likely
response would be to report the responses as spam and/or block the senders.

Bottom line: nothing good can come of generating outbound mail in
response to rejected inbound mail; the best course of action is to
issue the appropriate 5XX response and be done with it.
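As an added illustration of the second point and the bottom line above (this is example code written for this page, not anything from the post, from NANOG, or from a real MTA): a toy inbound mail receiver run under two policies over the same constructed batch of messages. One policy returns a 5XX at end-of-DATA while the sending MTA is still connected, so it never originates a message; the other returns 250, scans afterwards, and mails a "virus warning" to whatever MAIL FROM claimed. The addresses, the marker string that stands in for an AV signature, the policy names, and the reply texts are all assumptions made for the example.

```python
"""
Added example (not from the NANOG post or any real MTA): count the outbound
mail two inbound-MTA policies generate for virus-laden traffic whose
envelope sender is forged. Everything here is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed stand-in for an AV signature; a real scanner would be called here.
VIRUS_MARKER = "CONSTRUCTED-MALWARE-SIGNATURE"

REJECT_AT_DATA = "reject-at-data"          # 5XX while the sender is still connected
ACCEPT_THEN_BOUNCE = "accept-then-bounce"  # 250, scan later, mail a warning to MAIL FROM


def is_infected(body: str) -> bool:
    """Stand-in for an AV scan of the message body."""
    return VIRUS_MARKER in body


@dataclass
class Outcome:
    final_code: int = 0                              # our reply to end-of-DATA
    transcript: list = field(default_factory=list)   # server replies, in order
    outbound: list = field(default_factory=list)     # (recipient, subject) we originate


def receive(mail_from: str, rcpt_to: str, body: str, policy: str) -> Outcome:
    """Run one inbound SMTP transaction under the given policy."""
    out = Outcome()
    out.transcript.append(f"MAIL FROM:<{mail_from}> -> 250 2.1.0 Ok")
    out.transcript.append(f"RCPT TO:<{rcpt_to}> -> 250 2.1.5 Ok")
    out.transcript.append("DATA -> 354 End data with <CR><LF>.<CR><LF>")
    infected = is_infected(body)

    if policy == REJECT_AT_DATA:
        if infected:
            # Refusing here leaves any bounce to the sending MTA, which knows the
            # real submitter; we originate nothing, so a forged MAIL FROM gets nothing.
            out.final_code = 550
            out.transcript.append("<body>. -> 550 5.7.1 Message rejected: virus detected")
        else:
            out.final_code = 250
            out.transcript.append("<body>. -> 250 2.0.0 Ok: queued")
        return out

    if policy == ACCEPT_THEN_BOUNCE:
        out.final_code = 250
        out.transcript.append("<body>. -> 250 2.0.0 Ok: queued")
        # Having accepted, the only party left to tell is whatever MAIL FROM
        # claimed. The null sender <> must never receive a notification.
        if infected and mail_from != "":
            out.outbound.append((mail_from, "Virus detected in your message"))
        return out

    raise ValueError(f"unknown policy {policy!r}")


def simulate(messages, policy):
    """Return (number rejected with 5XX, Counter of outbound-mail recipients)."""
    rejected = 0
    recipients = Counter()
    for mail_from, rcpt_to, body in messages:
        o = receive(mail_from, rcpt_to, body, policy)
        if o.final_code >= 500:
            rejected += 1
        for rcpt, _subject in o.outbound:
            recipients[rcpt] += 1
    return rejected, recipients


# Constructed batch: one infected host spraying 1000 recipients with a forged
# sender, one clean message, one infected message with its real sender, and
# one infected message with the null sender.
FORGED = "innocent@example.org"
SAMPLE = (
    [(FORGED, f"user{i}@example.net", f"hi\n{VIRUS_MARKER}\n") for i in range(1000)]
    + [("friend@example.com", "user0@example.net", "lunch?\n")]
    + [("owner@example.org", "user1@example.net", f"see attached\n{VIRUS_MARKER}\n")]
    + [("", "user2@example.net", f"delivery report\n{VIRUS_MARKER}\n")]
)

if __name__ == "__main__":
    for policy in (REJECT_AT_DATA, ACCEPT_THEN_BOUNCE):
        rejected, recipients = simulate(SAMPLE, policy)
        print(f"{policy}: rejected={rejected} outbound={sum(recipients.values())} "
              f"to_forged_sender={recipients[FORGED]}")
```

Under reject-at-data the batch produces 1002 refusals and zero messages originated by the receiver; under accept-then-bounce it produces 1001 new messages, 1000 of them aimed at the forged address that never sent anything, which is the "hammer the mailbox" effect scaled to one receiving site. Multiply by every site that received the spray and the doubling of useless traffic follows.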