North American Network Operators Group


Re: SMTP store and forward requires DSN for integrity (was Re: Clueless anti-virus)

  • From: Douglas Otis
  • Date: Sat Dec 10 11:24:41 2005

On Sat, 2005-12-10 at 15:40 +0100, JP Velders wrote:

> *any* anti-virus vendor has not only signatures of a specific virus 
> but also a good understanding of what the virus does and how it 
> spreads. If the vendor doesn't, well, they'd better retire from the AV 
> business, because as a vendor they should be able to tell me that.
> (you know, me customer, you vendor, I give money for features I want)

With the high prevalence of viruses having a forged return-path, the
concern is largely about _false_ detections.  These are not actual
numbers, but perhaps more realistic than figures suggested previously.
Imagine the false positive error rate for an email AV filter runs about
1 in 1000 malwares.  While indeed this may not be a tragedy having a few
valid emails lost without notice in an AV effort, this loss is not
required when "valid" DSN recognition is deployed.  

The AV filter then bounce technique has been used for many years, where
DSNs must be filtered at the DSN recipient.  Rather than seemingly
fruitless complaining, automate this process to refuse invalid DSNs
before the data phase, and prevent the DoS effects.  This automation
will also recover the valid 1 in 1000 DSNs.  This BATV automation would
also ensure no DSNs with forged return-paths, created at any point where
acceptance criteria differ between MTAs, will be accepted before the
data phase.  BATV should be almost as effective as a DNS-BL.  You can
even use automated BATV refusals by others to add to your own temp BL.
> Now viruses aren't the only scourge, I know, but the AV vendors are 
> hard underway to destroy e-mail as a communications tool, where 
> previously this was the doing of Spammers. I don't think any AV vendor 
> would consider themselves more "evil" than Spammers, Phishers or 
> scriptkiddies, but they will be if they don't act more responsibly.

Consider forged DSN automated detection before data phase as an
opportunity to improve upon the integrity of email delivery, while also
preventing the DoS situation.  BATV can be implemented where the
implementer sees the benefits immediately.  When widely deployed, the
back-scatter problem dissolves, as forged DSNs will not serve as an
exploit, but rather act as a trap.  Once again valid DSNs regain their
rightful respectability as needed in any store and forward system.

-Doug
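An added illustration (my own code, not from Doug's post or from any BATV implementation) of the refuse-before-DATA check the message argues for, modelled on BATV's prvs return-path tagging: outgoing MAIL FROM is rewritten with a key id, an expiry day and a truncated MAC, and any bounce (null sender) whose RCPT TO does not carry a valid tag is rejected at RCPT before the data phase. The key, the day counter and the use of HMAC-SHA256 truncated to six hex digits are assumptions for the example; the draft's exact encoding differs.

```python
import hmac
import hashlib
import re

# Constructed key for the example; a real deployment keeps this secret per domain.
KEY = b"example-secret-batv-key"

def _mac(key, key_id, ddd, address):
    # Truncated HMAC over key id, expiry day and the untagged address (assumption:
    # only the key holder can mint a tag that verifies; the draft hashes differently).
    msg = f"{key_id}{ddd:03d}{address}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]

def tag_return_path(address, key=KEY, key_id=0, today=0, lifetime_days=7):
    """Rewrite the envelope MAIL FROM so a later bounce to it can be validated."""
    ddd = (today + lifetime_days) % 1000   # expiry day number, mod 1000 as in prvs
    return f"prvs={key_id}{ddd:03d}{_mac(key, key_id, ddd, address)}={address}"

_PRVS = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$")

def validate_tag(tagged, key=KEY, today=0):
    """Return (ok, reason_or_address); 'today' is the same day counter used to tag."""
    m = _PRVS.match(tagged)
    if not m:
        return False, "untagged recipient"
    key_id, ddd, mac, address = int(m[1]), int(m[2]), m[3], m[4]
    # ddd is taken mod 1000, so decide expiry by distance: a tag whose expiry day
    # is today or up to 499 days in the past is expired; otherwise it lies ahead.
    if (today - ddd) % 1000 < 500:
        return False, "tag expired"
    if not hmac.compare_digest(mac, _mac(key, key_id, ddd, address)):
        return False, "bad signature"
    return True, address

def rcpt_decision(mail_from, rcpt_to, key=KEY, today=0):
    """Decision at RCPT TO, before DATA: a DSN (null sender) needs a valid tag."""
    if mail_from != "":
        return "250 accept"              # ordinary mail is not a bounce
    ok, why = validate_tag(rcpt_to, key, today)
    return "250 accept" if ok else f"550 reject: {why}"
```

A bounce to an address this domain never tagged, or whose tag was forged or has expired, is refused before the DSN body is ever transmitted, which is the DoS-avoiding behaviour the post describes.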