[67120] in North American Network Operators' Group
Re: antivirus in smtp, good or bad?
daemon@ATHENA.MIT.EDU (Daniel Senie)
Tue Feb 3 09:22:30 2004
Date: Tue, 03 Feb 2004 09:16:44 -0500
To: "Stephen J. Wilcox" <steve@telecomplete.co.uk>
From: Daniel Senie <dts@senie.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.LNX.4.44.0402031353530.1968-100000@server2.tcw.teleco
mplete.net>
Errors-To: owner-nanog-outgoing@merit.edu
At 08:58 AM 2/3/2004, you wrote:
>Hi,
> When investigating our mail queue it seems we have quite a lot of mails
> which
>are stuck in transit...
>
>Whats happening is we're accepting the mail as the primary MX for the
>domain but
>the user has setup a forwarding to another account at another ISP, they have
>antivirus service on that other account. So we get the mail, spool it and
>try to
>forward it but then we get a "550 Error: Suspected W32/MyDoom@MM virus" after
>DATA and our server freezes the mail.
Hmmm, well, we certainly kick back virus-laden stuff this way. The
alternatives are:
1) kick it back during SMTP.
2) drop it on the floor.
or, the third option, which is EXCEEDINGLY BROKEN,
3) send a bounce to the From: address in the email. Because of spoofed
sender addresses, this then goes to the wrong person, freaks out innocent,
non-infected people and raises everyone's support costs.
>Surely this is an incorrect way to do this as there will be lots of
>similar MXs
>like ours backing this mail up? They should accept the mail and then
>bounce it?
Why must systems accept mail that's virus laden or otherwise not desired at
a site?
The "bounce" you refer to invariably ends up going to the wrong person(s),
so that's an exceptionally BAD idea. Many viruses (most of the recent ones)
forge the sender information. So either accepting and silently dropping, or
rejecting the SMTP session with a 55x are the only viable choices.
