All the Perl that's Practical to Extract and Report

  • Disclaimer: I do AV/Anti-spam for ~ 250,000 folk. Many of my e-mail addresses are also plastered all over the 'net, so I get plenty of these bounces too.

    Still, from my perspective, mail must *not* get lost. Failure to deliver a message to its recipient must *always* generate a bounce message (i.e., an SMTP 5xx error).

    Why? Because I don't trust anti-virus software to always do the right thing. I don't trust anti-spam software to always do the right thing. I don't trust *BLs and local block lists to

    • You might not trust it to do the right thing, but right now it's doing a Very, Very Wrong Thing to such an extent that it's affecting the health of the Internet. I don't think you quite understand the magnitude of the problem. I got another 1000 bounce messages overnight. That's absurd.

      With the current setup you're generating a massive quantity of false positives. So much so that I'm now likely to ignore *all* bounce messages. In effect, by flooding the system with false positives you're social engineering far more false negatives than you would have by simply not sending the virus warning.

      Furthermore, with the current setup there's almost no chance that your virus warning will get back to the infected machine. No modern virus sends out mail with a legit From line.

      Here's a simple solution. Check the Received headers to see if the originating machine and the From line or Reply-To are even vaguely related before sending out a warning. That would slash the number of false positives by at least an order of magnitude while still avoiding most false negatives. Those of us who use services like pobox.com will suffer gladly. In the case of an obviously bogus From line, send to the originating machine's postmaster.
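The check proposed in the comment above, as an added example that is not code from the original thread or from any poster: it takes the earliest Received header as the originating host, compares its domain with the domains claimed in From and Reply-To, and only notifies the claimed sender when they are related; otherwise the warning goes to the originating host's postmaster. The sample messages are constructed, and the "registrable domain" helper is a deliberate simplification (last two labels) rather than a Public Suffix List lookup.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the From line claims example.com, but the earliest
# Received header (the bottom one) shows the mail entered from an unrelated
# host. A virus warning sent to alice@ would be backscatter.
SAMPLE_FORGED = """Received: from mx.example.org (mx.example.org [192.0.2.10])
    by mail.example.net with ESMTP id abc123
Received: from dynamic-host.isp.example ([198.51.100.7])
    by mx.example.org with SMTP id def456
From: Alice <alice@example.com>
Reply-To: alice@example.com
Subject: constructed forged sample

body
"""

# Constructed sample: originating host and From domain agree.
SAMPLE_LEGIT = """Received: from smtp.example.com (smtp.example.com [192.0.2.5])
    by mx.example.org with ESMTP id ghi789
From: Alice <alice@example.com>
Subject: constructed legitimate sample

body
"""


def parse(raw):
    """Parse a raw RFC 5322 message into an email.message.Message."""
    return email.message_from_string(raw)


def originating_host(msg):
    """Hostname named in the earliest Received header (the last one in
    header order), or None if there is none or it is a bare IP literal."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"\bfrom\s+([A-Za-z0-9][A-Za-z0-9.-]*)", received[-1])
    return m.group(1).lower().rstrip(".") if m else None


def base_domain(host):
    """Crude registrable domain: the last two labels. A real deployment
    would consult the Public Suffix List instead (assumption/simplification)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def claimed_domains(msg):
    """Base domains asserted by the From and Reply-To headers."""
    domains = set()
    for name in ("From", "Reply-To"):
        value = msg.get(name)
        if not value:
            continue
        _, addr = parseaddr(value)
        if "@" in addr:
            domains.add(base_domain(addr.rsplit("@", 1)[1]))
    return domains


def warning_recipient(msg):
    """Decide where a virus warning should go, if anywhere.

    Returns ("notify_sender", addr) when the originating host and the claimed
    sender are related, ("notify_postmaster", addr) when the From line is
    unrelated to where the mail actually came from, and ("suppress", None)
    when no usable originating host can be determined.
    """
    origin = originating_host(msg)
    if origin is None:
        # No hostname to route a warning to; sending anything would only
        # add backscatter, so stay silent.
        return ("suppress", None)
    if base_domain(origin) in claimed_domains(msg):
        _, addr = parseaddr(msg.get("From", ""))
        return ("notify_sender", addr)
    # Obviously bogus From line: warn the originating host's postmaster
    # rather than the forged sender.
    return ("notify_postmaster", "postmaster@" + origin)


if __name__ == "__main__":
    for label, raw in (("forged", SAMPLE_FORGED), ("legit", SAMPLE_LEGIT)):
        print(label, warning_recipient(parse(raw)))
```

The decision function returns an action rather than sending anything, so it can be dropped in front of whatever notification code a gateway already has and logged for a while before it is allowed to change behaviour.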