North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: antivirus in smtp, good or bad?

  • From: Daniel Senie
  • Date: Tue Feb 03 09:24:50 2004

At 08:58 AM 2/3/2004, you wrote:

Hi,
When investigating our mail queue it seems we have quite a lot of mails which
are stuck in transit...

Whats happening is we're accepting the mail as the primary MX for the domain but
the user has setup a forwarding to another account at another ISP, they have
antivirus service on that other account. So we get the mail, spool it and try to
forward it but then we get a "550 Error: Suspected W32/MyDoom@MM virus" after
DATA and our server freezes the mail.
Hmmm, well, we certainly kick back virus-laden stuff this way. The alternatives are:

1) kick it back during SMTP.

2) drop it on the floor.

or, the third option, which is EXCEEDINGLY BROKEN,

3) send a bounce to the From: address in the email. Because of spoofed sender addresses, this then goes to the wrong person, freaks out innocent, non-infected people and raises everyone's support costs.


Surely this is an incorrect way to do this as there will be lots of similar MXs
like ours backing this mail up? They should accept the mail and then bounce it?
Why must systems accept mail that's virus laden or otherwise not desired at a site?

The "bounce" you refer to invariably ends up going to the wrong person(s), so that's an exceptionally BAD idea. Many viruses (most of the recent ones) forge the sender information. So either accepting and silently dropping, or rejecting the SMTP session with a 55x are the only viable choices.