Discussion Communities: Merit Network Email List Archives

North American Network Operators Group


Re: Clueless anti-virus products/vendors (was Re: Sober)

  • From: Edward B. Dreger
  • Date: Wed Dec 07 16:36:25 2005

DO> Date: Tue, 6 Dec 2005 16:26:16 -0800
DO> From: Douglas Otis

DO> I know of no cases where a malware related DSN would be generated by our

Good.


DO> products, nevertheless, DSNs are not Unsolicited Bulk Email.

Huh?  I get NDRs for mail that "I" sent.  I do not want those NDRs.  I 
did not request those NDRs.  Those NDRs are not in response to a message 
I sent.

I do not want backscatter NDR notices.  I frankly don't care that 
WhizBangAV caught WormOfTheWeek on Susie Smith's corporate mail in 
Argentina from Billy Boo's PC in China... just because my address 
happened to be the subject of a joe jobbing worm.

Really.  Even reading and posting to NANOG is more important. ;-)


DO> Not all email is rejected within the SMTP session.  You are changing
DO> requirements for recipients that scan incoming messages for malware.  Fault
DO> them for returning content or not including a null bounce-address.  No one
DO> can guarantee an email-address within the bounce-address is valid,

Perhaps DSNs should be sent to the original recipient, not the purported 
sender.  RFC-compliant?  No.  Ridiculous?  Less so than pestering a 
random third party.  Let the intended recipient communicate OOB or 
manually if needed.


DO> furthermore a DSN could be desired even for cases where an authorization

When auth fails, one knows *right then* c/o an SMTP reject.  No bounce 
is necessary.


DO> scheme fails.  Why create corner cases?

The corner case is that a virus _might_ actually have a realistic "From" 
address. :-)


DO> DomainKeys and Sender-ID can not validate the bounce-address or the DSN.
DO> Even with an SPF failure, a DSN should still be sent, as SPF fails in

If you receive mail with

	From: <eddy@everquick.net>

coming from 10.10.10.10, and everquick.net SPF records indicate that IP 
address is bogus, how can you possibly justify "that mail may indeed 
have come from how it's apparently addressed"?  Doubly so when a virus 
is known to spoof "from" addresses!

Saying a DSN should be sent is just untenable.


DO> several scenarios, and false positives are never 0%.  BATV offers a
DO> unilateral option that can effectively discard spoofed bounce-addresses.
DO> When the AV software provides the DSN with a null bounce-address, BATV works
DO> as advertised.


Eddy
--
Everquick Internet - http://www.everquick.net/
A division of Brotsman & Dreger, Inc. - http://www.brotsman.com/
Bandwidth, consulting, e-commerce, hosting, and network building
Phone: +1 785 865 5885 Lawrence and [inter]national
Phone: +1 316 794 8922 Wichita
________________________________________________________________________
DO NOT send mail to the following addresses:
davidc@brics.com -*- jfconmaapaq@intc.net -*- sam@everquick.net
Sending mail to spambait addresses is a great way to get blocked.
Ditto for broken OOO autoresponders and foolish AV software backscatter.
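
The BATV behaviour mentioned in the quoted text, as an added example that is not part of the original message or of any product discussed in it: outbound envelope senders are tagged, and a bounce (null MAIL FROM) is accepted only if its recipient carries a valid, unexpired tag. The tag layout is modelled on the "prvs" scheme of the BATV Internet-Draft; the key, lifetime, function names and addresses are assumptions constructed for this sketch.

```python
import hashlib
import hmac
import time

KEY = b"constructed-demo-key"  # constructed secret for this example only
LIFETIME_DAYS = 7              # assumption: validity window of a signed address

def _mac(key_num, day, addr, key=KEY):
    # First 3 bytes (6 hex digits) of HMAC-SHA1 over key number, day and address.
    msg = f"{key_num}{day:03d}{addr}".encode()
    return hmac.new(key, msg, hashlib.sha1).hexdigest()[:6]

def sign_mailfrom(addr, now=None, key=KEY):
    """Rewrite an outbound envelope sender as prvs=KDDDSSSSSS=local@domain."""
    today = int((now if now is not None else time.time()) // 86400)
    day = (today + LIFETIME_DAYS) % 1000  # expiry day number, modulo 1000
    return f"prvs=0{day:03d}{_mac(0, day, addr, key)}={addr}"

def verify_rcpt(rcpt, now=None, key=KEY):
    """Return the original address if the tag is genuine and unexpired, else None."""
    if not rcpt.lower().startswith("prvs="):
        return None
    try:
        tag, addr = rcpt[5:].split("=", 1)
        key_num, day, sig = int(tag[0]), int(tag[1:4]), tag[4:]
    except (ValueError, IndexError):
        return None
    if len(tag) != 10 or "@" not in addr:
        return None
    today = int((now if now is not None else time.time()) // 86400)
    if (day - today) % 1000 > LIFETIME_DAYS:  # expired, or dated too far ahead
        return None
    if not hmac.compare_digest(sig.lower(), _mac(key_num, day, addr, key)):
        return None
    return addr

def accept_rcpt(mail_from, rcpt, now=None):
    """SMTP-time decision: a DSN (empty MAIL FROM) must target a signed address."""
    if mail_from == "":
        return verify_rcpt(rcpt, now) is not None
    return True  # ordinary mail is not subject to the bounce check
```

A backscatter DSN aimed at the untagged address fails `accept_rcpt` and can be refused inside the SMTP session, so no further bounce is generated.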



