
bouncetwo: was Re: [Asrg] DSN generation and handling

2006-12-08 11:40:18
----- Original Message -----
From: "John Levine" <asrg(_at_)johnlevine(_dot_)com>
To: <asrg(_at_)ietf(_dot_)org>
Cc: <hjp-asrg(_at_)hjp(_dot_)at>
Sent: Sunday, September 03, 2006 6:02 PM
Subject: Re: [Asrg] DSN generation and handling


An interesting topic.  I've seen a fair amount of discussion but nothing
approaching research.

* What format are DSN messages generated in? Do they conform to
 RFC 3464? Do they contain all relevant information? Is it presented in
 a human (user) readable manner?
 Do they contain the complete undelivered message or just part of it?


A bit more research-like.

For details of the principles on which this analysis is based, see the companion
e-mail with a "Subject:" of 'bounceone'

This e-mail contains the analysis of 400 bounce (Delivery Status Notification)
messages received by a single e-mail address between 20 June and 9 October 2006.
In the same timeframe, the e-mail address itself received approximately 5430
messages containing the MyDoom worm with a forged "Return-Path" together with a
somewhat smaller number of similar messages carrying screen savers and such
like; in a very few cases (less than 10), the worm had been removed in transit
by an MTA.

Bounce messages were received from the following software.  The number in
(parentheses) is the number of messages received.

[7.2.0] (2)
8.12.8 (52)
Active Spam Killer (1)
[AIMC] (1)
BitDefender (1)
blueyonder (3)
ClamAV (4)
CommuniGate Pro (23)
ConcentricHost MX (1)
CoreMail (1)
exim (17)
ezmlm (2)
[Intermail] (3)
[Internet Mail Service] (5)
[iPlanet Messaging Server] (4)
Kaspersky Anti-Virus (1)
Kerio MailServer (1)
LISTSERV (4)
L-soft (12)
Lyris Listmanager (1)
MailEnable (5)
AV MAILGATE BTC-NET (1)
X-Optimum Internet Ltd-MailScanner (2)
Majordomo (3)
[Merak] (3)
[MOS] (3)
Panda GateDefender Performa (3)
PMDF e-Mail Interconnect (1)
Postfix (65)
qmail-send (34)
[QMQP] (1)
SMPTD32 (3)
[Sophos] Puremessage (2)
Sun Java System Messaging Server (12)
Symantec AntiVirus (32)
[Terrace MailWatcher] (1)
TMDA (1)
trimMail (1)
[v112] (15)
Network Associates WebShield SMTP (1)
zmailer (1)

The identity of the software was either explicitly specified, usually in the
body of the message, or else inferred from the most recent "Received: by" header
in the original message; the latter are enclosed in [brackets].  No attempt has
been made to interpret these names; thus [8.12.8/8.12.8] (and similar values)
might be the version, release and level of a well-known software package.  Some
71 messages contained no apparent identification although many of them showed
one of two distinct patterns and may represent two anonymous, if well-known,
software packages.

The software listed here is a mixture of traditional e-mail software, of
anti-virus software and of list servers.  Since all these generated bounce
messages in response to forged "Return-path:", all are treated equally.

Two general comments on the analysis.  Since almost all the direct messages to
the address in question contained the 'MyDoom' worm (or similar), it is assumed
that the original messages that triggered these bounce messages also contained
such a payload and so the failure of the bounce message to mention the presence
of such is taken as a failing on the part of the software to detect the worm.
Apart from that, the bounce messages have been analysed 'as is' with no attempt
to interpret them, e.g. by allowing for possible customisation of the software by
its implementor to provide the mail service on offer.

This analysis should not be taken as representative of bounce messages in
general, just those that dominate e-mail traffic.  After all, the bounce
messages are themselves spam (in a general sense) and the best, or best
implemented, software would not generate them at all and so would not be present
in this analysis.

Analysis by software of nine largest contributors

[8.12.9/8.12.8] (or similar numbers)
Software identity: taken from "Received: by", could be Version.Release.Level
From: informative (Mail Delivery Subsystem)
Subject: unhelpful (Returned Mail)
Content Type: multipart/report message/delivery-status message/rfc822
Body:-
Lay user: unhelpful, no statement of what this e-mail is
Advice: none
Expert user: comprehensive (reply code, enhanced status code, session
transcript, original message headers)
Worm detected: mostly not
Original message: dangerous (attachment complete with worm)

Communigate Pro SMTP
Software identity: in body, with version.release.level
From: informative (MAILER-DAEMON)
Subject: informative ('Undeliverable mail' or 'Virus warning' plus original
subject)
Content Type: multipart/report message/delivery-status text/rfc822-headers
Body:-
Lay user: clear (but sometimes 'you sent ...')
Advice: none
Expert user: good (reply code, original message headers)
Worm detected: 8/23
Original message: headers only

exim
Software identity: sometimes in body, otherwise from "Received: by", with
Version.Release
From: informative (Mail Delivery System)
Subject: ok (Mail Delivery Failed or Warning(3))
Content Type: none!
Body:-
Lay user: unhelpful ("A message that you sent could not be delivered")
Advice: none
Expert user: weak (message but no codes, original message headers)
Worm detected: mostly not
Original message: dangerous (complete with worm in the body)

L-soft Listserv
Software identity: in "From:" with Version.Release
From: informative (Listserv)
Subject: unhelpful ('Message')
Content Type: none!
Body:-
Lay user: unhelpful ("The distribution of your message ... ")
Advice: weak ('No action is required ...')
Expert user: none
Worm detected: no
Original message: no part thereof

Postfix
Software identity: first line of body (mostly), no Version.Release.Level
From: informative (Mail Delivery System)
Subject: informative (Undelivered Mail)
Content Type: multipart/report message/delivery-status message/rfc822
Body:-
Lay user: ok ("I'm sorry to have to inform you ..." but then "your message could
not ...")
Advice: yes ("For further assistance...")
Expert user: weak (error message, occasional reply code, original message as
attachment)
Worm detected: mostly not
Original message: mostly dangerous (complete with worm as attachment)

qmail-send
Software identity: first line of body, no Version.Release.Level
From: informative (MAILER-DAEMON)
Subject: unhelpful ('failure notice' mostly)
Content Type: mostly none (multipart/mixed in 2 cases)
Body:-
Lay user: clear ("I wasn't able to deliver .." but then "your message ...")
Expert user: erratic (a few reply codes, a few enhanced status codes, error
message, complete original message)
Worm detected: mostly not
Original message: mostly dangerous (complete with worm in body)

Sun Java System Messaging Server
Software identity: taken from "Received: by" with Version.Release.Level and
build date
From: informative (Service de distribution du courrier, i.e. Mail Delivery
Service)
Subject: informative (Notification de l'état de remise, i.e. Delivery Status
Notification)
Content Type: multipart/report message/delivery-status text/rfc822-headers
Body:-
Lay user: clear ("Ce rapport fait référence à un message ...", i.e. "This report
refers to a message ..."; "Le message ne peut pas être remis...", i.e. "The
message cannot be delivered...")
Advice: none
Expert user: excellent (message, reply code, enhanced status code, transport
quintuple, dns name, original message headers)
Worm detected: sometimes
Original message: headers

Symantec AntiVirus
Software identity: first line of body, no Version.Release.Level
From: unhelpful (often the From: of the original message)
Subject: unhelpful (the "Subject:" of the original message, "Mail System Error",
"Returned Mail")
Content Type: mostly multipart/mixed message/rfc822
Body:-
Lay user: unhelpful (talks about detecting a virus, omits any mention of e-mail)
Advice: none
Expert user: weak (truncated original message as an attachment)
Worm detected: yes (but calls it "Mydoom")
Original message: good (worm truncated else complete as attachment)

v112 (or similar)
Software identity: from "Received: by" with Release number
From: informative (Mail Delivery System)
Subject: unhelpful ('Returned Mail' mostly)
Content Type: multipart/report message/delivery-status message/rfc822
Body:-
Lay user: unhelpful ("The original message ..." and "your e-mail is being
returned to you ...")
Advice: yes ("Please direct further questions ...")
Expert user: ok (error message, session transcript, original message headers)
Worm detected: sometimes (5/15)
Original message: headers

As may be apparent, if these were in a heap I would place Communigate Pro SMTP
and Sun Java System Messaging Server on top and Symantec AntiVirus towards the
bottom.

Tom Petch
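The axes used in the analysis above (RFC 3464 conformance, which machine-readable status fields a bounce carries, and how much of the original message comes back with it) can be checked mechanically. The following Python script is an added example, not code from the original message nor from any of the products listed; it uses only the standard library's email parser. The three bounces it classifies are constructed samples shaped like the observed patterns (a multipart/report returning the complete original with its attachment, one returning headers only, and a plain-text bounce with the original pasted into the body), not messages from the analysis, and the labels it assigns ("full", "headers", "inline", "dangerous") are the example's own; "dangerous" follows the sense used in the analysis, namely that the complete original message is returned.

```python
import email
import re
from email.message import Message

DSN_FIELDS = ("Final-Recipient", "Action", "Status", "Diagnostic-Code")


def delivery_status_fields(ds_part: Message) -> dict:
    """Flatten the per-message and per-recipient header blocks of a
    message/delivery-status part into one dict (first occurrence wins)."""
    fields = {}
    blocks = ds_part.get_payload() if ds_part.is_multipart() else []
    for block in blocks:
        for name in DSN_FIELDS:
            if block[name] is not None and name not in fields:
                fields[name] = " ".join(block[name].split())
    return fields


def analyze_dsn(raw: bytes) -> dict:
    """Classify one raw bounce: RFC 3464 conformance, the status fields it
    carries, and how much of the original message it returns."""
    msg = email.message_from_bytes(raw)
    r = {"rfc3464": False, "fields": {}, "original": "none", "attachments": []}
    if msg.is_multipart():
        r["rfc3464"] = (msg.get_content_type() == "multipart/report"
                        and msg.get_param("report-type") == "delivery-status")
        for part in msg.get_payload():          # top-level parts only
            ptype = part.get_content_type()
            if ptype == "message/delivery-status":
                r["fields"] = delivery_status_fields(part)
            elif ptype == "text/rfc822-headers":
                r["original"] = "headers"       # nothing of the payload comes back
            elif ptype == "message/rfc822":
                r["original"] = "full"          # complete original, payload included
                r["attachments"] = [p.get_filename() for p in part.get_payload()[0].walk()
                                    if p.get_filename()]
    else:
        # No MIME structure (the "Content Type: none!" cases above): if the original
        # was pasted into the body, only a textual heuristic can detect it.
        body = msg.get_payload(decode=True) or b""
        if re.search(rb"^(Received|Return-path):", body, re.I | re.M):
            r["original"] = "inline"
            r["attachments"] = [m.decode() for m in re.findall(rb'filename="([^"]+)"', body)]
    # "dangerous" in the sense used in the analysis: the complete original comes back.
    r["dangerous"] = r["original"] in ("full", "inline")
    return r


# ---- constructed samples (not messages from the analysis) -------------------
def multipart_report(boundary: bytes, *parts: bytes) -> bytes:
    """Assemble an RFC 3464 multipart/report from raw MIME parts (headers+body)."""
    head = (b"From: Mail Delivery System <MAILER-DAEMON@mx.example.net>\n"
            b"To: victim@example.org\nSubject: Undelivered Mail\nMIME-Version: 1.0\n"
            b"Content-Type: multipart/report; report-type=delivery-status; "
            b"boundary=" + boundary + b"\n\n")
    body = b"".join(b"--" + boundary + b"\n" + part + b"\n" for part in parts)
    return head + body + b"--" + boundary + b"--\n"


HUMAN_PART = b"Content-Type: text/plain\n\nDelivery to <nobody@example.net> failed.\n"
STATUS_PART = b"""Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 User unknown
"""
# The bounced message itself: a single binary attachment (placeholder bytes).
ORIGINAL = b"""From: victim@example.org
To: nobody@example.net
Content-Type: application/octet-stream; name="document.zip"
Content-Disposition: attachment; filename="document.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
"""

# Conforming report returning the complete original with its attachment.
DSN_FULL_WITH_ATTACHMENT = multipart_report(
    b"b1", HUMAN_PART, STATUS_PART, b"Content-Type: message/rfc822\n\n" + ORIGINAL)
# Conforming report returning the original's headers only.
DSN_HEADERS_ONLY = multipart_report(
    b"b2", HUMAN_PART, STATUS_PART,
    b"Content-Type: text/rfc822-headers\n\n" + ORIGINAL.split(b"\n\n")[0] + b"\n")
# Non-MIME text bounce with the original pasted into the body.
BOUNCE_PLAIN_TEXT = (
    b"From: Mail Delivery System <MAILER-DAEMON@mx.example.net>\n"
    b"To: victim@example.org\nSubject: Mail delivery failed\n\n"
    b"A message that you sent could not be delivered to one or more of its recipients.\n\n"
    b"------ This is a copy of the message, including all the headers. ------\n\n"
    b"Return-path: <victim@example.org>\n"
    b"Received: from [192.0.2.10] by mx.example.net with esmtp\n" + ORIGINAL)

if __name__ == "__main__":
    for label in ("DSN_FULL_WITH_ATTACHMENT", "DSN_HEADERS_ONLY", "BOUNCE_PLAIN_TEXT"):
        print(label, analyze_dsn(globals()[label]))
```

Run as a script it prints one result dict per sample. Only top-level parts are inspected, so a message/rfc822 nested inside a further container would be missed; the plain-text branch is necessarily heuristic, which is itself the practical point: a bounce with no MIME structure cannot be triaged reliably by a filter, and the attachment it carries reaches the forged sender as a plain file.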

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
