Re: MS mail bombs
Bob McElrath said:
> Jacob Anawalt [email@example.com] wrote:
>> Bob McElrath said:
>> > Jacob Anawalt [firstname.lastname@example.org] wrote:
>> >> I guess that's as effective for reducing the bulk of your inbox as
>> >> sending "550 executables not accepted", especially if you don't have
>> >> control over the mail server and you match this virus with 100% accuracy.
>> >> Either way, /dev/null or 550 after DATA crlf.crlf you've received the
>> >> whole message.
>> > "550 executables not accepted" would obviously be a superior solution.
>> > How do you do it? My google searches and list archive searches turned
>> > up nothing...
>> I use postfix v1.x, so I implement the body_checks regexp method,
>> the MS executable MIME 'fingerprint' mentioned here:
>> It's been a while since I used Sendmail and even when I used it I didn't
>> understand most of the settings, but there's got to be something
> Darn, I was hoping (aren't we all) for a way to reject it before the
> whole thing is sent. You know...it wouldn't be hard to scan the input
> for the EXE header and close the connection as soon as it's seen. Then
> you'd only download 1k or so rather than 150k...
While you _could_ do that, and if you _knew_ the mail had been sent
directly from some Windowz end user system and not relayed through a valid
server (I've noticed a couple of "we dropped the virus but sent you the
message anyway" Swen messages in my inbox), then I guess that would be just
fine; you might as well throw up a firewall rule to block their next attempts
or have your mail server send a 550 reject at the next connection.
If it's a real server, I thought that it would just try the connection
again because it didn't get a yes 250 or a no 5xx or even a maybe later
3-4xx, and you might not want to firewall or reject all email from a
mailserver just because one of their users is infected.
Anyone, please correct me if I'm wrong here. Doesn't protocol dictate that
if I accept HELO, MAIL FROM and RCPT TO, I'm supposed to accept the
whole of DATA before I can say 'not ok'? Wouldn't a "connection reset by
peer" just cause the sending server (if it wasn't a dumb virus smtp
session) to resend later?
>> P.S. I notice you use user+debian@. Is this email address only for list
>> traffic? I'm toying w/ the idea of doing that and only accepting email
>> that address that comes from the list. Topic: Anti-Spam ideas for
>> usenet/list harvested email addresses.
> Yes, I'm receiving 80k copies of Swen because of the debian/usenet
> gateway, and one time when I didn't use bob+debian. :(
So none of the email is to bob+debian? Nice to know that the Swen writer
didn't try too hard. Maybe others won't, and people who can should use +/-
in their email address.
> The "plus" addresses (anything on the right side of the plus, and the
> plus can be a minus too) is RFC compliant and sendmail automatically
> ignores the RHS of the +/-. It's supposed to be "local delivery"
> information -- like which mailbox to put it into. Of course
> email@example.com is not a valid email and that's what most harvesters
> pick up. Occasionally I see attempts in my logs to deliver to such
> addresses. Be aware though that many web-forms out there are broken and
> don't accept the + in an email field. (For which I usually make an
> alias using an underscore)
> Only accepting email that comes from the list to the +debian address
> wouldn't work because of people (like yourself) that reply to my mails.
Hey! I thought I'd been very careful on this thread to only send directly
to the list. I even double checked just now. :P
While I did get your cc'd reply faster than the one you sent to the list,
I would have gotten the one from the list all the same, and your cc'd
reply would have bounced with the error code I suggested in that other
I've got some new (possibly poor) thoughts on how to get people my
direct-response email w/o resorting to typing it into the body of the
mail message in some 'safe' manner, but I want to keep it in the
Trying out SquirrelMail
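As an added illustration of the SMTP point argued above (example code, not from anyone on this thread): a toy receiving-side state machine with a Postfix-style body_checks rule, showing that the 550 can only go out in the reply to the end-of-data line, while the base64 MZ fingerprint line itself gets no reply mid-DATA. The host names and the sample session are constructed; the regexp prefix is the base64 encoding of a standard DOS/PE file header.

```python
import re

# Added example, not code from the thread. Written like a Postfix body_checks rule:
# base64 of a DOS/PE header ("MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00") begins
# with these 16 characters whenever the header starts a base64 line.
MZ_B64_RE = re.compile(r"^TVqQAAMAAAAEAAAA")

def body_checks(body_lines):
    """Like Postfix, look at every body line as sent, without MIME decoding."""
    if any(MZ_B64_RE.match(line) for line in body_lines):
        return "550 5.7.1 executables not accepted"
    return "250 2.0.0 Ok: queued"

class SmtpServer:
    """Receiving side: content can only be refused in the reply to the
    end-of-data line; while DATA is still streaming there is no reply to give."""
    def __init__(self):
        self.in_data, self.buf = False, []
    def feed(self, line):
        if self.in_data:
            if line != ".":
                # undo dot-stuffing (RFC 5321 4.5.2) and keep reading, no reply yet
                self.buf.append(line[1:] if line.startswith("..") else line)
                return None
            self.in_data = False                  # CRLF.CRLF: whole message is in
            verdict, self.buf = body_checks(self.buf), []
            return verdict
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO", "MAIL", "RCPT"):
            return "250 Ok"
        if verb == "DATA":
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        return "221 Bye" if verb == "QUIT" else "500 Command unrecognized"

# Constructed sample session carrying a base64 attachment that starts with an MZ header.
SAMPLE_SESSION = [
    "HELO client.example.invalid",
    "MAIL FROM:<sender@example.invalid>",
    "RCPT TO:<jacob@example.invalid>",
    "DATA",
    "Content-Transfer-Encoding: base64",
    "",
    "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    ".",
]

def run_session(lines, server=None):
    server = server or SmtpServer()
    return [(line, server.feed(line)) for line in lines]
```

The reject is still a full download: by the time the server can answer 550, every byte of the message has already been accepted over the wire.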