Stories
Slash Boxes
Comments
NOTE: use Perl; is on undef hiatus. You can read content, but you can't post it. More info will be forthcoming forthcomingly.

All the Perl that's Practical to Extract and Report

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
 Full
 Abbreviated
 Hidden
More | Login | Reply
Loading... please wait.
  • Disclaimer: I do AV/Anti-spam for ~ 250,000 folk. Many of my e-mail addresses are also plastered all over the 'net, so I get plenty of these bounces too.

    Still, from my perspective, mail must *not* get lost. Failure to deliver a message to it's recipient must *always* generate a bounce message (i.e., an SMTP 5xx error).

    Why? Because I don't trust anti-virus software to always do the right thing. I don't trust anti-spam software to always do the right thing. I don't trust *BLs and local block lists to

    • I fail to see how an automated message saying "A message you didn't send to someone you don't know couldn't be delivered" is useful.

      • I fail to see how an automated message saying "A message you didn't send to someone you don't know couldn't be delivered" is useful.

        It's not. And if you've got an algorithm that can determine when to silently drop mail on the floor with no false positives, I'm all ears. But RFC 2821, s4.2.5 is quite clear on an MTA's responsibilities after it accepts a message. I don't think picking and choosing which bits of an RFC to implement is a good idea.

        Yes, 2821 is in need of an update to deal with today's In

        • If you can detect that the message contains a virus, don't send the virus back. If you can detect which virus the message contains, you can tell whether the virus spoofs e-mail addresses. If it does, don't even send a bounce.

          I gather from the fact that so many of these bounce messages say "Your message tested positive for Sobig" that both points are actually possible — and pratical.

          • If you can detect that the message contains a virus, don't send the virus back.

            Doesn't work if you're trying to save cycles for wanted mail, and rejecting messages based on attachment types, or other content (e.g., the presence of web bugs).

            To be specific, consider three sites, A, B, and C. B has the virus, and is sending mail to C, with forged headers that look like it came from A.

            If C refuses to accept the message (SMTP 5xx), it's B that generates the bounce message to A. The mail logs at B shoul

            • Perhaps we're talking about different things. Could you explain the difference between a 5xx rejection and a normal "You sent us a virus!" message? Which does NAV, InterScan, etc... send out? More importantly, does the 5xx show up as regular mail?
              • Perhaps we're talking about different things. Could you explain the difference between a 5xx rejection and a normal "You sent us a virus!" message? Which does NAV, InterScan, etc... send out? More importantly, does the 5xx show up as regular mail?

                The "You sent us a virus" messages are the ones from products like NAV that try to be helpful, while at the same time marketing the product. They're generated by the site that's doing the scanning (so if B is infected, sends a message to C, forged to appear to be from A, it's the software running at C that generates the message and sends it to A).

                A 5xx rejection is where C refuses to accept the e-mail from B for some reason. This might be because the address to which the message has been sent doesn't exist at C's site, or B is trying to use C as an open relay, or the sender is not allowed to send mail to the recipient. Or it might be because C thinks the message has a virus.

                In this instance, the message that's sent to A is generated by B, and will normally (a) be fairly terse, (b) be sent from MAILER-DAEMON, or similar, and (c) have an empty envelope sender. The format of that message will depend on the mail software running at B. For example, if B are running qmail, then the message will start something like this:

                Hi. This is the qmail-send program at smtp.utexas.edu.
                I'm afraid I wasn't able to deliver your message to the following addresses.
                This is a permanent error; I've given up. Sorry it didn't work out.

                followed by a (hopefully useful) transcript of the SMTP session up to the point where the error occured. This might include text like:

                554 Might contain a virus: Sobig.f

                or:

                553 joe@example.com is not a valid address here

                or:

                552 joe@example.com has exceeded their mailbox quota

                Or similar.

                N

                • I get so few of those. :( Most are of the NAV variety.

                  But it doesn't seem anyone's hit upon the simple idea of a mail header:

                  SMTP-Reponse: 554 May contain nuts

                  Different SMTP servers encode their response code in different ways in the body of the mail. That its just more mail that I have to scan and junk. Since the format isn't unambiguous, I'm back to writing rules. :( However, they are significantly easier rules than what NAV and friends are causing me to write.

                  Ideally what I'd want is for serve