
bouncetwo R2: was Re: [Asrg] DSN generation and handling

2006-12-15 07:37:02
This is release 2 of bouncetwo, updated to include a further ten sets of details
and adding a 'machine:' line giving the fields present in the
'message/delivery-status'.

For details of the principles on which this analysis is based, see the companion
e-mail with a "Subject:" of 'bounceone'.

This e-mail contains the analysis of 400 bounce (mostly Delivery Status
Notification) messages delivered to a single e-mail address on a UA between 20
June and 9 October 2006.  In the same time frame, this e-mail address also
received approximately 5430 messages containing the MyDoom worm with a forged
"Return-Path" together with a somewhat smaller number of similar messages
carrying screen savers and such like.  In a very few cases (less than 10), the
worm had been removed in transit by an MTA.

Bounce messages were received from the following 'software'.  The number in
(parentheses) is the number of messages received.  * indicates more details are
given below.

[7.2.0] (2)
8.12.8 (54) *
Active Spam Killer (1)
[AIMC] (1)
BitDefender (1)
blueyonder (3) *
ClamAV (4) *
CommuniGate Pro (23) *
ConcentricHost MX (1)
CoreMail (1)
exim (17) *
ezmlm (2)
[Intermail] (4) *
[Internet Mail Service] (4) *
[iPlanet Messaging Server] (4) *
Kaspersky Anti-Virus (1)
Kerio MailServer (1)
LISTSERV (4)
Lsoft (12) *
Lyris Listmanager (1)
MailEnable (5) *
AV MAILGATE BTC-NET (1)
X-Optimum Internet Ltd-MailScanner (2)
Majordomo (3)
[Merak] (3) *
[MOS] (3) *
Panda GateDefender Performa (3) *
PMDF e-Mail Interconnect (1)
Postfix (65) *
qmail-send (34) *
[QMQP] (1)
Rockliffe (1)
SMTPD32 (3) *
SMTPSVC (6) *
[Sophos] Puremessage (2)
Sun Java System Messaging Server (12) *
Symantec AntiVirus (32) *
[Terrace MailWatcher] (1)
TMDA (1)
trimMail (1)
[v112] (16) *
Network Associates WebShield SMTP (1)
zmailer (1)

The identity of the software was either explicitly specified, usually in the
body of the message, or else inferred from the most recent "Received: by" header
in the original message; the latter are enclosed in [brackets].  No attempt has
been made to interpret these names; thus [8.12.8/8.12.8] (and similar values)
might be the version, release and level of a well-known software package.  Some
59 messages contained no apparent identification although many of them showed
one of two distinct patterns and may represent two anonymous, if well-known,
software packages.

The software listed here is a mixture of traditional e-mail software, of
anti-virus software and of list servers.  Since all these sent bounce messages
to a forged "Return-path:", all are treated equally.

Two general comments on the analysis.  Since almost all the direct messages to
the address in question contained the 'MyDoom' worm (or similar), it is assumed
that the original messages that triggered these bounce messages also contained
such a payload and so the failure of the bounce message to mention the presence
of such is taken as a failing on the part of the software to detect the worm.
Apart from that, the bounce messages have been analysed 'as is' with no attempt
to interpret them eg by allowing for possible customisation of the software by
its implementor to provide the mail service on offer.

This analysis should not be taken as representative of bounce messages in
general, just of those that dominate e-mail traffic.  After all, the bounce
messages are themselves spam (in a general sense) and the best, or best
implemented, software would not generate them at all and so would not be present
in this analysis.

Analysis by software of nine largest contributors

[8.12.8/8.12.8] (or similar numbers)
Software identity: taken from "Received: by", could be Version.Release.Level
From: informative (Mail Delivery Subsystem)
Subject: unhelpful (Returned Mail)
Content Type: multipart/report message/delivery-status message/rfc822
Body:-
Lay user: unhelpful, no statement of what this e-mail is
Advice: none
Expert user: comprehensive (reply code, enhanced status code, session
transcript, original message headers)
Machine: Reporting-MTA:, Received-From-MTA:, Arrival-Date:, Final-Recipient:,
Action: failed, Status:, Remote-MTA:, Diagnostic-Code:, Last-Attempt-Date:,
(X-Actual-Recipient)
Worm detected: mostly not
Original message: dangerous (as a message/rfc822 complete with worm)

Communigate Pro SMTP
Software identity: in body, with version.release.level
From: informative (MAILER-DAEMON)
Subject: informative ('Undeliverable mail' or 'Virus warning' plus original
subject)
Content Type: multipart/report message/delivery-status text/rfc822-headers
Body:-
Lay user: clear (but sometimes 'you sent ...')
Advice: none
Expert user: good (reply code, original message headers)
Machine: Reporting-MTA:, Original-Recipient:, Final-Recipient:,
Action:, Status:
Worm detected: 8/23 (by Kaspersky AntiVirus plugin or McAfee, perhaps not by
SpamAssassin)
Original message: headers only but mostly none if worm detected

exim
Software identity: sometimes in body, otherwise from "Received: by", with
Version.Release
From: informative (Mail Delivery System)
Subject: ok (Mail Delivery Failed or Warning (3))
Content Type: none!
Body:-
Lay user: unhelpful ("A message that you sent could not be delivered")
Advice: none
Expert user: weak (message but no codes, original message headers)
Machine: none
Worm detected: mostly not
Original message: dangerous (complete with worm in the body of the message)

L-soft Listserv
Software identity: in "From:" with Version.Release
From: informative (Listserv)
Subject: unhelpful ('Message')
Content Type: none!
Body:-
Lay user: unhelpful ("The distribution of your message ... ")
Advice: weak ('No action is required ...')
Expert user: none
Machine: none
Worm detected: no
Original message: none

Postfix
Software identity: first line of body (mostly), no Version.Release.Level
From: informative (Mail Delivery System)
Subject: informative (Undelivered Mail)
Content Type: multipart/report message/delivery-status message/rfc822
Body:-
Lay user: ok ("I'm sorry to have to inform you ..." but then "your message could
not ...")
Advice: yes ("For further assistance...")
Expert user: weak (error message, occasional reply code, original message as
message/rfc822)
Machine: Reporting-MTA:, X-Postfix-Queue-ID:, X-Postfix-Sender:,
Arrival-Date:, Final-Recipient:, Action:, Status:, Diagnostic-Code:
Worm detected: mostly not
Original message: mostly dangerous (complete with worm as message/rfc822)

qmail-send
Software identity: first line of body, no Version.Release.Level
From: informative (MAILER-DAEMON)
Subject: unhelpful ('failure notice' mostly)
Content Type: mostly none (multipart/mixed in 2 cases)
Body:-
Lay user: clear ("I wasn't able to deliver .." but then "your message ...")
Expert user: variable (a few reply codes, a few enhanced status codes, error
message, complete original message)
Machine: none
Worm detected: mostly not
Original message: mostly dangerous (complete with worm in body)

Sun Java System Messaging Server
Software identity: taken from "Received: by" with Version.Release.Level and
build date
From: informative (Service de distribution du courrier [Mail Delivery Service])
Subject: informative (Notification de l'état de remise [Delivery Status
Notification])
Content Type: multipart/report message/delivery-status text/rfc822-headers
Body:-
Lay user: clear ("Ce rapport fait référence à un message ..." [This report refers
to a message ...], "Le message ne peut pas être remis..." [The message cannot be
delivered...])
Advice: none
Expert user: excellent (message, reply code, enhanced status code, transport
quintuple, dns name, original message headers)
Machine: Reporting-MTA:, Original-recipient:, Final-recipient:, Action:,
Status:, Remote-MTA:, Diagnostic-code:
or:- Reporting-MTA:, Original-recipient:, Final-recipient:, Action:, Status:
Worm detected: sometimes (by ClamAV)
Original message: headers

Symantec AntiVirus
Software identity: first line of body, no Version.Release.Level
From: unhelpful (often the "From:" of the original message)
Subject: unhelpful (the "Subject:" of the original message, "Mail System Error",
"Returned Mail")
Content Type: mostly multipart/mixed message/rfc822
Body:-
Lay user: unhelpful (talks about detecting a virus, omits any mention of e-mail)
Advice: none
Expert user: weak (truncated original message as message/rfc822)
Machine: none
Worm detected: yes (but calls it "Mydoom")
Original message: good (worm truncated else complete as message/rfc822)

v112 (or similar)
Software identity: from "Received: by" with Release number
From: informative (Mail Delivery System)
Subject: unhelpful ('Returned Mail' mostly)
Content Type: multipart/report message/delivery-status message/rfc822
Body:-
Lay user: unhelpful ("The original message ..." and "your e-mail is being
returned to you ...")
Advice: yes ("Please direct further questions ...")
Expert user: ok (error message, session transcript, original message headers but
look as if they have been edited)
Machine: Reporting-MTA:, Arrival-Date:, Final-Recipient:, Action:, Status:,
Remote-MTA:, Diagnostic-Code:, Last-Attempt-Date:
Worm detected: sometimes (5/16)
Original message: headers

As may be apparent, if these were in a heap I would place Communigate Pro SMTP
and Sun Java System Messaging Server on top.

---------------------------------------------------------------------
A further ten analyses in R2

blueyonder
Software identity: in body, no Version.Release.Level ('X-Mailer: Kaspersky')
From: ok ('antivirus')
Subject: ok ('antivirus notification')
Content Type: multipart/mixed message/rfc822
Body:- (uses base64)
Lay user: ok ('found a virus' + From:/To:/Sent:)
Advice: yes ('DO NOT REPLY ' + URL)
Expert user: none (apart from message/rfc822)
Machine: none
Worm detected: yes
Original message: ok (message/rfc822 with virus removed)

ClamAV
Software identity: from body but with [8.12.8/8.12.8] in "Received: by"
From: informative ('Mail Delivery Subsystem')
Subject: unhelpful ('Returned Mail')
Content Type: multipart/report message/delivery-status message/rfc822 or
text/rfc822-headers
Body:-
Lay user: weak ('The original message was received ' 'Virus Worm detected')
Advice: none
Expert user: comprehensive (reply code, enhanced status code, session transcript
+ sometimes (2/4) original message headers)
Machine: Reporting-MTA:, Received-From-MTA:, Arrival-Date:, Final-Recipient:,
Action:, Status:, Remote-MTA:, Diagnostic-Code:, Last-Attempt-Date:
Worm detected: yes
Original message: sometimes dangerous (2/4 message/rfc822 complete with worm)

InterMail
Software identity: from "Received: by" with Version.Release.Level
From: informative ('Mail Administrator')
Subject: unhelpful ('Mail System Error - Returned Mail')
Content Type: multipart/report message/delivery-status message/rfc822
Body:-
Lay user: sparse ('This message was undeliverable ' but no message details, no
mention of worm detected)
Advice: yes ('Please contact ...')
Expert user: weak (original message as message/rfc822)
Machine: Reporting-MTA:, Arrival-Date:, Received-From-MTA:, Final-Recipient:,
Action:, Status:
Worm detected: sometimes (2/4)
Original message: complete as message/rfc822, worm replaced if detected

Internet Mail Server
Software identity: from X-Mailer in bounce message; nothing in body, no
"Received: by" lines in original message {strange}
From: ok ('System Administrator') would be better if mail is mentioned
Subject: informative ('Undeliverable' + original subject)
Content-Type: multipart/mixed message/rfc822
Body:
Lay user: ok (To:/Subject:/Sent: 'did not receive' but 'Your message' and no
mention of worm detected)
Advice: none
Expert user: none (apart from message/rfc822)
Machine: none
Worm detected: yes
Original message: odd (worm replaced with text but no "Received:" lines -
suppressed?)

MailEnable
Software identity: in body, no Version.Release.level
From: informative ('Delivery Subsystem')
Subject: informative ('Message Delivery Failure')
Content Type: none
Body:-
Lay user: ok ('message could not be delivered')
Advice: none
Expert user: weak (reply code, original message headers)
Machine: none
Worm detected: none
Original message: headers only as part of text/plain

Merak
Software identity: from "Received: by" with Version.Release.Level
From: informative ('Mail Delivery Subsystem')
Subject: ok ('Warning: antivirus system report')
Content Type: multipart/report; report-type=virus-report message/rfc822
Body:-
Lay user: confusing ('Peligro: Virus has sido detectado' [Danger: a virus has
been detected] clear enough but then runs straight into original message
headers)
Advice: misleading ('Verifique su PC' [Check your PC])
Expert user: weak; original message headers but not identified as such, virus
identified, 'this e-mail was sent by ...'
Machine: none
Worm detected: yes
Original message: misleading (message/rfc822 but headers only)

MOS
Software identity: taken from "Received: by" with Version.Release.Level
From: informative ('Mail Delivery Subsystem')
Subject: unhelpful ('Returned Mail')
Content Type: multipart/report message/delivery-status message/rfc822
Body:-
Lay user: unhelpful ('The original message ...')
Advice: none
Expert user: none apart from original headers as message/rfc822
Machine: Reporting-MTA:, Arrival-Date:, X-Message-Diagnostic-Code:,
Final-Recipient:, Action:, Status:, Remote-MTA: X-Unix;, Diagnostic-Code:,
Last-Attempt-Date:
Worm detected: none
Original message: message/rfc822 but headers only

Panda GateDefender Performa
Software identity: first line of body no Version.Release.Level; only three
messages having little in common apart from software identity
From: unhelpful (e-mail addresses)
Subject: variable (1/3 'Probable Spam', 1/3 'Delivery Status Notification')
Content Type: multipart/mixed + (1/3) text/plain, (1/3) message/delivery-status
message/rfc822, (1/3) application/octet-stream
Body:-
Lay user: weak (2/3 'worm detected', no details of where)
Advice: none
Expert user: weak (1/3 session trace)
Machine:(1/3) Reporting-MTA:, Received-From-MTA:, Arrival-Date:,
Final-Recipient:, Action:, Status:, Diagnostic-Code:
Worm detected: yes
Original message: (1/3) worm curtailed, (1/3) message/rfc822 with worm removed

SMTPD32
Software identity: taken from "Received: by" with Version.Release
From: informative ('Mail Delivery Subsystem')
Subject: informative ('Undeliverable Mail')
Content Type: text/plain
Body:-
Lay user: ok (reason for non-delivery)
Advice: none
Expert user: original message only
Machine: none
Worm detected: sometimes (1/3)
Original message: in body, curtailed at 3kb total

SMTPSVC
Software identity: taken from "Received: by" with Version.Release.Level
From: ok ('postmaster@')
Subject: informative ('Delivery Status Notification (Failure)')
Content Type: multipart/report message/delivery-status message/rfc822
Body:-
Lay user: ok ('Delivery Failed')
Advice: none
Expert user: original message as message/rfc822 only
Machine: Reporting-MTA:, Received-From-MTA:, Arrival-Date:, Final-Recipient:,
Action:, Status:
Worm detected: no
Original message: as message/rfc822 sometimes complete with worm


_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
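The structure the 'Machine:' and 'Original message:' lines above catalogue, as an added example that is not part of the original post or of any of the software surveyed: a Python parser (standard library only) that takes one bounce, records which message/delivery-status fields it carries, says whether the returned original is headers only (text/rfc822-headers) or complete (message/rfc822), and flags the case the survey calls dangerous, a complete original that still carries an executable attachment. The two sample bounces, the hostnames, addresses and the 'document.scr' attachment are constructed for illustration; the RISKY_EXTENSIONS list is an assumption, not something the survey states.

```python
"""Read an RFC 3464 DSN the way the survey above does: which fields the
message/delivery-status part carries ('Machine:'), whether the returned original
is headers only or complete, and whether it still carries an executable
attachment ('dangerous'). Added example, not part of the ASRG post; the samples
are constructed and the base64 payload is the word "placeholder", not code."""
import re
from email import message_from_bytes, policy

# Extensions favoured by self-mailing worms of the period (an assumption here).
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".cmd", ".com", ".zip")
MALWARE_WORDS = re.compile(r"\b(virus|worm|infected|malware)\b", re.IGNORECASE)

# Constructed: a bounce returning the complete original, attachment included.
SAMPLE_DSN = b"""\
From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.net>
Content-Type: multipart/report; report-type=delivery-status; boundary="dsn-outer"

--dsn-outer
Content-Type: text/plain; charset=us-ascii

The following addresses had permanent fatal errors: <nobody@mx.example.net>

--dsn-outer
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net
Received-From-MTA: DNS; [192.0.2.10]
Arrival-Date: Tue, 4 Jul 2006 10:00:00 +0000

Final-Recipient: RFC822; nobody@mx.example.net
Action: failed
Status: 5.1.1
Remote-MTA: DNS; mx.example.net
Diagnostic-Code: SMTP; 550 5.1.1 User unknown
Last-Attempt-Date: Tue, 4 Jul 2006 10:00:01 +0000

--dsn-outer
Content-Type: message/rfc822

From: victim@example.org
To: nobody@mx.example.net
Content-Type: multipart/mixed; boundary="orig-inner"

--orig-inner
Content-Type: application/octet-stream; name="document.scr"
Content-Disposition: attachment; filename="document.scr"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--orig-inner--

--dsn-outer--
"""
# Same bounce in headers-only shape, scanner verdict in Diagnostic-Code instead.
SAMPLE_DSN_HEADERS_ONLY = (
    SAMPLE_DSN.split(b"--dsn-outer\nContent-Type: message/rfc822")[0]
    .replace(b"Status: 5.1.1", b"Status: 5.7.1")
    .replace(b"550 5.1.1 User unknown", b"554 5.7.1 Virus detected")
    + b"--dsn-outer\nContent-Type: text/rfc822-headers\n\n"
    b"From: victim@example.org\nTo: nobody@mx.example.net\n\n--dsn-outer--\n"
)


def parse_dsn(raw: bytes) -> dict:
    """Extract the machine-readable facts the survey records for one bounce."""
    msg = message_from_bytes(raw, policy=policy.default)
    result = {"is_dsn": False, "per_message": {}, "recipients": [], "machine_fields": [],
              "original_kind": "none", "risky_attachments": [], "mentions_malware": False}
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return result
    result["is_dsn"] = True
    for part in msg.iter_parts():
        ctype = part.get_content_type()
        if ctype == "text/plain":  # human-readable part: does it mention a worm?
            result["mentions_malware"] |= bool(MALWARE_WORDS.search(part.get_content()))
        elif ctype == "message/delivery-status":
            # The stdlib parser makes each header block a nested message: block 0 is
            # the per-message block, the rest are per-recipient blocks (RFC 3464).
            blocks = [{n: str(v).strip() for n, v in b.items()} for b in part.get_payload()]
            result["per_message"] = blocks[0] if blocks else {}
            result["recipients"] = blocks[1:]
            for block in blocks:
                result["machine_fields"] += [n for n in block if n not in result["machine_fields"]]
                result["mentions_malware"] |= bool(MALWARE_WORDS.search(block.get("Diagnostic-Code", "")))
        elif ctype == "text/rfc822-headers":
            result["original_kind"] = "headers-only"
        elif ctype == "message/rfc822":  # the whole original came back: look for executables
            result["original_kind"] = "complete"
            for sub in part.get_payload(0).walk():
                name = sub.get_filename()
                if name and name.lower().endswith(RISKY_EXTENSIONS):
                    result["risky_attachments"].append(name)
    return result


def classify_original(result: dict) -> str:
    """Map a parse result onto the survey's 'Original message:' verdicts."""
    if not result["is_dsn"] or result["original_kind"] == "none":
        return "none"
    if result["original_kind"] == "headers-only":
        return "headers"
    return "dangerous" if result["risky_attachments"] else "complete"
```

Feed parse_dsn() the raw bytes of a captured bounce: machine_fields is what the survey records on the 'Machine:' line, and classify_original() gives the 'Original message:' verdict. The attachment check here is by file name only; a gateway that receives backscatter of this kind should hand the returned message/rfc822 part to the same scanner it applies to inbound mail rather than trust the extension, and should not forward it to the purported sender as delivered.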
