[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [suse-security] Fwd: Undelivered Mail Returned to Sender



On Fri, 2004-06-04 at 11:56, Arjen de Korte wrote:
> smtpd_recipient_restrictions =
> 	permit_mynetworks,
> 	permit_auth_destination,
> 	reject

Can't remember why I stopped using smtpd_recipient_restrictions
(I think I was still trying out various configurations with content
filters as I use trend interscan virus wall, which connects always as
localhost, have fixed this now with the
content_filter=smtp[localhost]:10026 string and editing my master.cf to
match this nicely)

> Your (quite minimal) configuration will not stop the virus in question, the 
> sender host matches all criteria you listed here. I have no problems in 
> stopping the virusses entering my system (a single RBL in 
> smtpd_client_restrictions is sufficient in case of the 'dip.t-dialin.net' 
> senders), it is the virus warnings from perfectly legitimate systems that are 
> bothering me.

Yup, I started a string about these some months ago (when I needed
coffee and a break from users wasting my time by insiting they had a
virus as user@somewhere told them so.

[snip my previous]
From: "Barry Gill" <b@xxxxxxxxx>
Date: Thu, 11 Mar 2004 09:40:28 +0200
Message-ID: <PMEJIAOJHLLNGELPDEEIAEJKCBAA.b@xxxxxxxxx>
Subject: [suse-security] Anti-Virus reports

Hello All. 
 
As most of you are technical, you should for the most part be in control
of, or have the ear of the person who is in control of your corporate
anti-virus solutions. 
 
Please for the sake of the internet can you STOP your servers sending
virus notifications to the originators of the message as with today's
modern virii 90% of virii use spoofed "from:" addresses. 

So, every time some poor person out there with MY name in their address 
book, or contacts folder gets a virus, I get 3000 messages (as I am sure
do most of you on this list at least) telling me that I sent a virus to
someone I have never heard of in my life before. 
 
This form of server administration is a very very poor form of security
as you are willfully informing people who have possibly never thought of
you or your servers before several key steps that it may have taken them
some time to figure out. 

Things like... 
 
Antigen for Exchange found 
ScanMail for Microsoft Exchange took action on the message. The message 
details were: 
Symantec AVF detected an unrepairable 
NAV for Microsoft Exchange 
 
etc etc etc. 
 
Sending out mass mailer responses to virii wastes as much respource as 
coping with the virii themselves. 
 
Stop wasting your and my bandwidth, send reports only to admin, check
the headers and if you receive mail form an address or domain often and
the headers check out, THEN notify the admin/postmaster of that domain. 
 
I mean please, telling Lucy in the clerks dept about the fact that she
is sending virii to somebody she has never met in Luxembourg is only
going to cost her tima and money as she will call out her IT people to
clean her "infected machine" 
 
Sorry about the rant, this is just one of the most annoying things that
for some reason no-one ever seems to consider when setting up all this
AV stuff. 
 
Barry

[/snip of my previous]


-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here