Re: [Evolution] Is it just me?



Fri, 30.04.2004 at 22:36, guenther wrote:

I'm at present refusing 2-3 per day *claiming* to be from this list (my
Postfix logs say so). The reason's long and involved, but I can't
readily check whether this is "backscatter" (Wietse Venema's word for
false MAIL FROM:s) or whether they really do come from the Evo list.

Nope, this is not just you. There are some worms getting through this
list. Seems, there is at least one infected Micros~1 Windows machine
that has collected this list's email address and Jeff's...

(Yep, IIRC most of them forged Jeff as being the sender.)

They never get far enough for me to be able to see from whom the From:
is. The envelope sender (MAIL FROM:) is evolution lists ximian com
[...]

Blocking all attachments would be a very bad idea IMHO. Stripping those
infamous attachments would at least save bandwidth and protect anyone
reading this list with MS clients. Simply rejecting those mails would
actually keep the list clean but has another bad impact. [1]

That's policy as decided by management and ITS. One AV vendor at least,
Sophos, recommends banning all attachments - and that means an smtp
reject (55x), in which case there's no bounce or backscatter (that's
what I do on this rig). The submitting MTA/zombie/proxy/open relay sits
with the problem - in my case my ISP, but I've o.k.ed this with him. I'm
rejecting 20-40% of all my mail at the moment, of which again about
98-99% is spam or virus. I have a direct reject policy, since I can't
run amavisd-new or SpamAssassin on this tiny rig - but I do at clients'
sites. Postfix 2.1 and SA-Exim 4/3.1 can smtp reject with a 55x, but at
the same time secretly analyze, save and quarantine rejected mail, and
notify the recipient about what's happened, so that no mail needs to get
lost. 

Tony, as you are knowledgeable about these issues, any specific advice to
the list admins?

[1]  Automatically generated reply messages as response to received
worms is not the solution for years...

Bounced messages or notification should *never* be sent "back to the
sender" (an smtp reject is not a bounce), since the envelope sender
address (MAIL FROM:) is almost always forged.

For the record, on this rig (smtp server, IMAP server, Gnome desktop)
and for attachments I simply use 4 or 5 different mime header check pcre
regexps that Postfix's 'cleanup' daemon puts each mail through before
accepting from the client MTA.

Thanks!

--Tonni

-- 

We make out of the quarrel with others rhetoric
but out of the quarrel with ourselves, poetry.

mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
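
The following is an added example, not part of the original message and not the poster's actual Postfix regexps (the message does not show them). It sketches in Python the kind of MIME header check described above: match attachment names in Content-Type and Content-Disposition headers and answer with an SMTP 55x reject instead of generating a bounce. The extension list, function names and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed blocklist of executable extensions (not taken from the original post).
BLOCKED_EXT = r"(?:exe|pif|scr|bat|cmd|com|vbs|cpl|lnk)"
# Matches name= / filename= parameters whose value ends in a blocked extension,
# so double extensions such as "x.txt.pif" are caught but "x.exe.pdf" is not.
ATTACH_RE = re.compile(
    r'(?:file)?name\*?\s*=\s*"?([^";]*\.' + BLOCKED_EXT + r')\s*"?\s*(?:;|$)',
    re.IGNORECASE,
)

def unfold(value):
    """Join folded header lines so the regexp sees one logical line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)

def smtp_verdict(raw_message):
    """Return the (code, text) reply to give the client MTA for this message."""
    msg = message_from_string(raw_message)
    for part in msg.walk():  # top-level headers and every nested MIME part
        for header in ("Content-Type", "Content-Disposition"):
            for value in part.get_all(header, []):
                m = ATTACH_RE.search(unfold(str(value)))
                if m:  # reject in-session: no bounce to a forged MAIL FROM
                    return (550, "5.7.1 attachment type not accepted: " + m.group(1))
    return (250, "2.0.0 Ok")

# Constructed sample messages (illustrative only).
WORM_LIKE = (
    "From: forged@example.org\n"
    "Subject: Re: Your document\n"
    "MIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n"
    "--b1\n"
    "Content-Type: text/plain\n"
    "\n"
    "See the attached file.\n"
    "--b1\n"
    "Content-Type: application/octet-stream;\n"
    '\tname="document.txt.pif"\n'
    "\n"
    "AAAA\n"
    "--b1--\n"
)
CLEAN = 'Subject: patch\nContent-Type: text/x-patch; name="fix.diff"\n\n--- a\n+++ b\n'
```

Because the verdict is returned during the SMTP session, the submitting host is left holding the message and nothing is sent to the address in the envelope sender.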



