[87209] in North American Network Operators' Group
Re: SMTP store and forward requires DSN for integrity (was Re:Clueless anti-virus )
daemon@ATHENA.MIT.EDU (Micheal Patterson)
Fri Dec 9 17:54:59 2005
From: "Micheal Patterson" <micheal@tsgincorporated.com>
To: "Douglas Otis" <dotis@mail-abuse.org>,
"Todd Vierling" <tv@duh.org>
Cc: "Steven J. Sobol" <sjsobol@JustThe.net>,
"Geo." <geoincidents@nls.net>, <nanog@merit.edu>
Date: Fri, 9 Dec 2005 16:54:26 -0600
Errors-To: owner-nanog@merit.edu
----- Original Message -----
From: "Micheal Patterson" <micheal@tsgincorporated.com>
To: "Douglas Otis" <dotis@mail-abuse.org>; "Todd Vierling" <tv@duh.org>
Cc: "Steven J. Sobol" <sjsobol@JustThe.net>; "Geo." <geoincidents@nls.net>;
<nanog@merit.edu>
Sent: Friday, December 09, 2005 4:01 PM
Subject: Re: SMTP store and forward requires DSN for integrity (was
Re:Clueless anti-virus )
>
>
>
> ----- Original Message -----
> From: "Douglas Otis" <dotis@mail-abuse.org>
> To: "Todd Vierling" <tv@duh.org>
> Cc: "Steven J. Sobol" <sjsobol@JustThe.net>; "Geo."
> <geoincidents@nls.net>; <nanog@merit.edu>
> Sent: Friday, December 09, 2005 1:58 PM
> Subject: Re: SMTP store and forward requires DSN for integrity (was
> Re:Clueless anti-virus )
>
>
>>
>>
>> On Dec 9, 2005, at 10:15 AM, Todd Vierling wrote:
>>>
>>> 1. Virus "warnings" to forged addresses are UBE, by definition.
>>
>> This definition would be making at least two of the following
>> assumptions:
>>
>> 1) Malware detection has a 0% false positive.
>> 2) Lack of DSN for email falsely detected containing malware is okay.
>> 3) Purported malware should be assumed to use a forged return-path.
>> 4) The return-path can be validated prior to accepting a message.
>> 5) SMTP should appear to be point-to-point.
>> 6) MTAs with AV filters are the only problem.
>
> Case in point Doug.. Current versions of Sober.U are sending mail from:
> ?@c-24-19-xx-xx.hsd1.wa.comcast.net (xx's to hide the actual host).
> I have a slew of these in my detected malware folder. I suppose that you'd
> prefer, by your reasoning, that I be sending DSNs to these addresses,
> knowing full well that it won't make it and just clutter up comcast's smtp
> gateway with DSNs. I'm sure that they'd like that very much.
>
> Mike P.
And before anyone points out that the mx for comcast would not see that
message, I know that on this particular host, they would not. I also realize
that the DSN would sit in my outbound queue until it was purged after 5 days
due to non-delivery. The point remains the same for this example as if it
were addresses from hostmaster?@comcast.net or ?@comcast.net. The originator
is forged and the DSN is unable to get to the originating sender.
Mike P.
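The situation Mike describes, a DSN addressed to a forged return-path on a residential host that runs no mail server, is something a filter can partly screen for before queuing the bounce. The script below is an added example written for this archive page, not code from any participant in the thread or from any MTA. It makes a per-return-path decision (send the DSN, or suppress it with a reason) using three checks: the null reverse-path rule from RFC 5321, a hostname heuristic for dynamically assigned hosts modelled on the `c-24-19-xx-xx.hsd1.wa.comcast.net` pattern quoted above, and an MX lookup against a constructed table that stands in for DNS so the example runs offline. The regular expression, the `MX_TABLE` contents and the sample return-paths are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed stand-in for DNS. A real filter would do an MX/A lookup;
# this table keeps the example runnable offline. Domains missing here
# are treated as having no mail exchanger.
MX_TABLE = {
    "comcast.net": ["mx1.comcast.net"],
    "example.org": ["mail.example.org"],
}

# Heuristic (assumed, not from the thread): reverse-DNS style names that
# cable providers assign to residential hosts. Such hosts run no MTA, so
# a DSN addressed there will sit in the queue until it is purged.
DYNAMIC_HOST_RE = re.compile(
    r"^c-\d{1,3}(?:-\d{1,3}){3}\.hsd\d+\.[a-z]{2}\.comcast\.net$"
)


def dsn_decision(return_path: str) -> str:
    """Decide whether a DSN for a quarantined message should be generated
    for this return-path. Returns "send" or a "suppress:<reason>" code."""
    addr = return_path.strip()
    if addr in ("", "<>"):
        # RFC 5321: never generate a DSN for a message whose reverse-path
        # is null; that would bounce a bounce.
        return "suppress:null-sender"
    addr = addr.strip("<>")
    if "@" not in addr:
        return "suppress:malformed"
    domain = addr.rsplit("@", 1)[1].lower()
    if DYNAMIC_HOST_RE.match(domain):
        return "suppress:dynamic-host"
    if domain not in MX_TABLE:
        return "suppress:no-mx"
    return "send"


def summarize(return_paths):
    """Tally decisions over a batch of return-paths taken from mail that
    the AV filter flagged, i.e. the 'detected malware folder'."""
    return Counter(dsn_decision(rp) for rp in return_paths)


# Constructed sample: return-paths as they might appear on messages caught
# by an AV filter. The comcast hostnames follow the pattern quoted in the
# thread, with the masked octets replaced by made-up values.
SAMPLE_RETURN_PATHS = [
    "<user@c-24-19-100-7.hsd1.wa.comcast.net>",
    "<bob@c-24-19-33-90.hsd1.wa.comcast.net>",
    "<>",
    "<hostmaster@comcast.net>",
    "<alice@example.org>",
    "<nobody@no-such-domain.invalid>",
]

if __name__ == "__main__":
    for rp in SAMPLE_RETURN_PATHS:
        print(f"{rp:45} -> {dsn_decision(rp)}")
    print(summarize(SAMPLE_RETURN_PATHS))
```

Note what the check cannot do: `<hostmaster@comcast.net>` comes back as "send" because comcast.net has an MX, even though the address is just as forged as the residential one. That is Mike's second example, and it is the limit of any return-path check done at the receiving MTA; the domain-level tests only rule out the DSNs that are certain to rot in the outbound queue, not the ones that land on an innocent third party.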