ietf-mxcomp

RE: blowback, was A new SMTP "3821" [Re: FTC stuff...........]

2005-01-09 18:44:22

-----Original Message-----
From: owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org [mailto:owner-ietf-mxcomp(_at_)mail(_dot_)imc(_dot_)org] On Behalf Of Dean Anderson
Sent: Sunday, January 09, 2005 7:39 PM
To: Matthew(_dot_)van(_dot_)Eerde(_at_)hbinc(_dot_)com
Cc: ietf-mxcomp(_at_)imc(_dot_)org
Subject: RE: blowback, was A new SMTP "3821" [Re: FTC stuff...........]



> On Mon, 3 Jan 2005 Matthew(_dot_)van(_dot_)Eerde(_at_)hbinc(_dot_)com wrote:
>
> > Dean Anderson wrote:
> > > The blowback issue is different from this.  Blowback happens whenever
> > > anyone _rejects_ emails based on SPF.
> >
> > Fair enough
> >
> > > A bounce is generated from the relay to the forged sender.
> >
> > Is it?  If the receiving MTA issues an SMTP reject command, it does not
> > assume any responsibility for the delivery of the mail.  It will
> > therefore not generate a spurious bounce message.
>
> This isn't how most current SMTP servers behave.
> (Sendmail/Qmail/Postfix/Exchange, anyway)  If the receiving MTA rejects
> mail, the sending MTA generates a bounce to the sender.  The sender of
> course, can be forged.

Agreed, but near-sighted.  If the sending MTA had done some sort of validation
to ensure the message was not forged when it accepted it, then we wouldn't have
a blowback problem.  You cannot blame subsequent MTAs in the path for detecting
and rejecting bad email when it's something the first-hop MTA could (and should)
have done in the first place!

His point I think is that if the virus is trying to send directly to the MTA it
would get rejected with no bounce back (because the virus wouldn't process a
bounce).

If an MTA.1 accepted a virus message, and tried relaying it to MTA.2, when
MTA.2 rejects it as forged, and MTA.1 processes a bounce, well, NO SYMPATHY
FOR MTA.1, it should have taken steps to prevent the virus/forgery etc from
being accepted by itself in the FIRST PLACE.


> > If the sending MTA generates a bounce message, then it's likely not a
> > virus or other malware likely to forge a sender address.
>
> ???
>
> This too is wrong. Many viruses send "forged" bounces containing a virus.

The statement was that virus-infected machines don't usually process bounces if
an MTA rejects its transmission attempt.  And the statement *is* correct.

> One cannot assume that because you opened a bounce, the message will not
> contain a virus.  Further, a genuine bounce with an undelivered message
> may contain a virus in the undelivered message.

True, but what is your point?  The question at hand was "If the MTA rejects a
message, does this cause a blowback problem":

Case 1: Message is arriving from the virus itself:
-no blowback, viruses will usually ignore the rejection

Case 2: Message is arriving from an MTA that accepted the message from a virus:
-no sympathy for the bounce, the MTA should have rejected the virus message in
the first place.

Is there a real issue with blowback?  NO:  There are plenty of ways of dealing
with blowback until all the MTAs are upgraded to provide some sort of MTA
authentication to deal with forgery and reject it at the first hop.  (Yes, even
silently dropping the bounces, something which large ISPs often do already
ANYWAY).

Terry Fielder



> > Matthew.van.Eerde (at) hbinc.com                 805.964.4554 x902
> > Hispanic Business Inc./HireDiversity.com         Software Engineer
> > perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
>
> --
> Av8 Internet   Prepared to pay a premium for better service?
> www.av8.net         faster, more reliable, better service
> 617 344 9000
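A small simulation of the two cases Terry lays out above, added here as an illustration and not code from the thread or from any of the MTAs named in it: a first-hop MTA that refuses a forged sender during the SMTP session leaves the infected client holding a 5xx and has nothing to bounce, whereas a first hop that answers 250 and relays must itself generate the DSN when the next hop refuses. The SPF stand-in, the host names, the addresses and the IPs are all constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Callable, Optional

# Envelope as seen by a receiving MTA: the sender is whatever the client claimed.
Message = namedtuple("Message", "mail_from rcpt_to client_ip")

@dataclass
class MTA:
    name: str
    policy: Optional[Callable] = None   # returns a 5xx reply to refuse at SMTP time, else None
    next_hop: Optional["MTA"] = None    # None means final delivery happens here
    bounces: list = field(default_factory=list)   # DSNs this MTA generated

    def smtp_receive(self, msg: Message) -> str:
        # The reply the client sees; a 5xx means this MTA never took responsibility, so nothing to bounce.
        if self.policy is not None:
            reply = self.policy(msg)
            if reply:
                return reply
        self.forward(msg)
        return "250 OK"

    def forward(self, msg: Message) -> None:
        # Having answered 250, this MTA owns delivery: a downstream 5xx obliges
        # it to notify the envelope sender (an RFC 5321 DSN). That is blowback.
        if self.next_hop is not None:
            reply = self.next_hop.smtp_receive(msg)
            if not reply.startswith("2"):
                self.bounces.append((msg.mail_from, reply))

def spf_like_policy(authorized: dict) -> Callable:
    # Stand-in for an SPF check: refuse when the connecting IP is not a listed sender for the domain.
    def policy(msg: Message) -> Optional[str]:
        dom = msg.mail_from.split("@")[1]
        if dom in authorized and msg.client_ip not in authorized[dom]:
            return f"550 5.7.1 {msg.client_ip} is not permitted to send for {dom}"
        return None
    return policy

AUTHORIZED = {"example.com": {"192.0.2.10"}}   # constructed: example.com's sole legitimate sender

def run_case(first_hop_checks: bool) -> tuple:
    # Infected host 203.0.113.5 forges victim@example.com via mta1 -> mta2.
    # Returns (reply the infected client saw, DSNs mta1 generated).
    mta2 = MTA("mta2", spf_like_policy(AUTHORIZED))
    mta1 = MTA("mta1", spf_like_policy(AUTHORIZED) if first_hop_checks else None, mta2)
    msg = Message("victim@example.com", "user@example.net", "203.0.113.5")
    return mta1.smtp_receive(msg), list(mta1.bounces)
```

`run_case(True)` is Case 1 (the client sees the 550 directly, no DSN exists); `run_case(False)` is Case 2, where mta1 accepted first and now holds a bounce addressed to the forged victim.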