North American Network Operators Group


Re: Clueless anti-virus products/vendors (was Re: Sober)

  • From: Edward B. Dreger
  • Date: Wed Dec 07 16:36:25 2005

DO> Date: Tue, 6 Dec 2005 16:26:16 -0800
DO> From: Douglas Otis

DO> I know of no cases where a malware related DSN would be generated by our
DO> products, nevertheless, DSNs are not Unsolicited Bulk Email.

Huh?  I get NDRs for mail that "I" sent.  I do not want those NDRs.  I 
did not request those NDRs.  Those NDRs are not in response to a message 
I sent.

I do not want backscatter NDR notices.  I frankly don't care that 
WhizBangAV caught WormOfTheWeek on Susie Smith's corporate mail in 
Argentina from Billy Boo's PC in China... just because my address 
happened to be the subject of a joe jobbing worm.

Really.  Even reading and posting to NANOG is more important. ;-)

DO> Not all email is rejected within the SMTP session.  You are changing
DO> requirements for recipients that scan incoming messages for malware.  Fault
DO> them for returning content or not including a null bounce-address.  No one
DO> can guarantee an email-address within the bounce-address is valid,

Perhaps DSNs should be sent to the original recipient, not the purported 
sender.  RFC-compliant?  No.  Ridiculous?  Less so than pestering a 
random third party.  Let the intended recipient communicate OOB or 
manually if needed.

DO> furthermore a DSN could be desired even for cases where an authorization

When auth fails, one knows *right then* c/o an SMTP reject.  No bounce 
is necessary.

DO> scheme fails.  Why create corner cases?

The corner case is that a virus _might_ actually have a realistic "From" 
address. :-)

DO> DomainKeys and Sender-ID can not validate the bounce-address or the DSN.
DO> Even with an SPF failure, a DSN should still be sent, as SPF fails in

If you receive mail with

	From: <[email protected]>

coming from, and SPF records indicate that IP 
address is bogus, how can you possibly justify "that mail may indeed 
have come from how it's apparently addressed"?  Doubly so when a virus 
is known to spoof "from" addresses!

Saying a DSN should be sent is just untenable.

DO> several scenarios, and false positives are never 0%.  BATV offers a
DO> unilateral option that can effectively discard spoofed bounce-addresses.
DO> When the AV software provides the DSN with a null bounce-address, BATV works
DO> as advertised.

Everquick Internet -
A division of Brotsman & Dreger, Inc. -
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
DO NOT send mail to the following addresses:
[email protected] -*- [email protected] -*- [email protected]
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
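
The BATV check referred to in the quoted text, sketched as an added example that is not part of the original post or of any product discussed in the thread. It uses a simplified prvs-style tag modeled on the BATV draft; the key, the 7-day lifetime, the addresses and the function names are assumptions, and as the quoted text notes it only helps when the DSN arrives with a null bounce-address.

```python
import hashlib
import hmac
import re

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret
LIFETIME_DAYS = 7                 # assumed validity window for a tag

TAGGED = re.compile(r"prvs=([0-9])([0-9]{3})([0-9a-f]{6})=(.+)")


def _tag(key_id: int, day: int, address: str) -> str:
    """KDDD plus the first 3 bytes (6 hex chars) of HMAC-SHA1(KDDD + address)."""
    kddd = f"{key_id}{day % 1000:03d}"
    mac = hmac.new(SECRET, (kddd + address).encode(), hashlib.sha1)
    return kddd + mac.hexdigest()[:6]


def sign_sender(address: str, today: int) -> str:
    """Envelope sender for outgoing mail; `today` is days since the epoch."""
    local, domain = address.rsplit("@", 1)
    return f"prvs={_tag(0, today + LIFETIME_DAYS, address)}={local}@{domain}"


def accept_rcpt(mail_from: str, rcpt_to: str, today: int) -> bool:
    """RCPT-time decision: reject bounces that do not answer mail we signed."""
    if mail_from != "":
        return True                      # not a DSN, normal filtering applies
    local, _, domain = rcpt_to.rpartition("@")
    m = TAGGED.fullmatch(local)
    if m is None:
        return False                     # bounce to an address we never used
    key_id, day, mac, orig_local = m.groups()
    expected = _tag(int(key_id), int(day), f"{orig_local}@{domain}")
    if not hmac.compare_digest(key_id + day + mac, expected):
        return False                     # forged or altered tag
    return (int(day) - today) % 1000 <= LIFETIME_DAYS   # handles DDD wraparound
```

Because the decision is made at RCPT time, a refused bounce ends in an SMTP reject and produces no further DSN.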