Re: [Asrg] where the message originated
2009-01-13 15:23:05
Alessandro Vesely wrote:
> Rich Kulawiec wrote:
>> On Mon, Jan 12, 2009 at 12:42:59PM -0500, der Mouse wrote:
>>> - Malware goes out, addressed to A, (forged) envelope-from B. Sending
>>>   channel ends up emitting it from a normal MTA, M.
>>> - A's MX host rejects it at SMTP time.
>>> - M generates and sends a bounce to B.
>>> - B receives bounce with embedded malware. Somehow - perhaps B's MUA
>>>   aggressively looks for and executes live content; perhaps B clicks
>>>   on the wrong thing; perhaps something else - this ends up with a
>>>   malware infestation on B's machine. (Cue xkcd #350.)
>>>
>>> If A's MX host had silently swallowed the mail, nothing would have
>>> happened to B - or, at least, not on account of this message.
>>
>> Ah, gotcha. I agree that silently swallowing the message might have
>> spared B a possible infection, but I'm reluctant to blame A's MX for
>> this: it didn't originate, accept or transfer the malware-laden message.
>
> A's MX knows that M lacks effective anti-virus filtering. Hence,
> through inaction, it allowed a human being to come to harm. That
> obviously breaks the first law.

A's MX didn't generate _any_ virus-laden email. It just 550'd. The
originator did, and M's mailer is complicit by constructing a new email
(the bounce) that contains the virus-laden email.

A knows its filtering isn't perfect and that every rejection is a
potential FP. So, the rejection is the best way to ensure that the
appropriate party (if any) is notified. Blackholing would violate the
first law.

M _should_ know that best practise is now to ensure that the recipient
of the bounce knows enough to know what email bounced, and should
truncate the email to that minimum. Eg: original recipient, sender (the
recipient of the bounce), date, subject, and perhaps a few other
snippets. A very large proportion of MTAs now do that by default.
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
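
The truncated bounce described in the last paragraph of the message above, sketched as an added example (not part of the original post and not taken from any MTA): M builds a `multipart/report` DSN that returns only a handful of sanitized headers and never copies the body or attachments. The function name, the `KEEP` set (the message's list plus Message-ID) and the sample message are assumptions made for illustration.

```python
from email import message_from_bytes, policy
from email.message import Message
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

KEEP = ("From", "To", "Date", "Subject", "Message-ID")  # assumed minimal set

def _clean(value, limit=200):
    # Strip control characters (incl. CR/LF) and cap the length of copied text.
    return "".join(c for c in str(value) if c.isprintable())[:limit]

def build_minimal_bounce(original, bounce_to, failed_rcpt, mta, diagnostic):
    """Build a multipart/report DSN that returns selected headers only."""
    orig = message_from_bytes(original, policy=policy.default)
    kept = "".join(f"{h}: {_clean(orig[h])}\n" for h in KEEP if orig[h] is not None)

    dsn = MIMEMultipart("report", report_type="delivery-status")
    dsn["From"] = f"MAILER-DAEMON@{mta}"
    dsn["To"] = bounce_to
    dsn["Subject"] = "Undelivered Mail Returned to Sender"
    dsn["Auto-Submitted"] = "auto-replied"
    dsn.attach(MIMEText(f"Delivery to {_clean(failed_rcpt)} failed: {_clean(diagnostic)}\n"))

    # message/delivery-status is a sequence of header blocks (per-message, per-recipient).
    per_msg, per_rcpt = Message(), Message()
    per_msg["Reporting-MTA"] = f"dns; {mta}"
    per_rcpt["Final-Recipient"] = f"rfc822; {_clean(failed_rcpt)}"
    per_rcpt["Action"] = "failed"
    per_rcpt["Status"] = "5.0.0"
    per_rcpt["Diagnostic-Code"] = f"smtp; {_clean(diagnostic)}"
    status = MIMEBase("message", "delivery-status")
    status.attach(per_msg)
    status.attach(per_rcpt)
    dsn.attach(status)

    # Third part: the kept headers only; the original body and attachments are never copied.
    dsn.attach(MIMEText(kept, "rfc822-headers"))
    return dsn

# Constructed sample: forged sender B, recipient A, body stands in for the malware.
SAMPLE = (b"From: b@victim.example\r\nTo: a@target.example\r\n"
          b"Date: Mon, 12 Jan 2009 12:00:00 -0500\r\nSubject: Invoice\r\n"
          b"Message-ID: <1@forged.example>\r\n\r\nCONSTRUCTED-PAYLOAD-MARKER\r\n")

if __name__ == "__main__":
    print(build_minimal_bounce(SAMPLE, "b@victim.example", "a@target.example",
                               "m.example", "550 rejected by content filter").as_string())
```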