On Sun, Dec 04, 2005 at 09:27:58PM -0600, Church, Chuck wrote:
> What about all the viruses out there that don't forge addresses?
Three responses.

First, these are pretty much a minority nowadays: so unless someone wants to code AV responses on a case-by-case basis, the best default is "don't respond, ever".

Second, rejecting virus-contaminated traffic during the SMTP phase completely alleviates the need to address this question, since no outbound mail is generated.

Third, put the first two points aside. Let's suppose, for a moment, that there existed a completely reliable mechanism for figuring out the real sender (in the sense of "the owner of the infected system") for a particular virus-contaminated message. Think about what would happen if the 100 or 1000 or 10000 or 100000 people getting outbound viruses from that user all generated responses. The first effect would be to double the quantity of useless mail messages traversing the Internet. The second effect would be to hammer the user's mailbox and whatever mail server it happened to be residing on. (Consider how this effect would be multiplied if many users of X all had infected systems sending SMTP traffic directly, but of course were all receiving inbound mail via X's mail server(s).) The third effect would really be a non-effect, as the user's most likely response (thanks to years of conditioning imposed by the problem we're discussing here) would be to do nothing: experience has taught users that such warnings are bogus and can safely be ignored. The user's second-most-likely response would be indignant denial (despite logs showing positive identification). The user's third-most-likely response would be to report the responses as spam and/or block the senders.

Bottom line: nothing good can come of generating outbound mail in response to rejected inbound mail; the best course of action is to issue the appropriate 5XX response and be done with it.

---Rsk
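The two policies Rsk contrasts, refusing the message with a 5xx reply during the SMTP transaction versus accepting it and mailing a notice to the return path afterwards, can be compared with a small simulation. The code below is an added example and is not part of the thread; the domain names, the "virus signature" the scanner matches on, and the batch sizes are all constructed for the demonstration. It counts how much mail each policy originates when many infected hosts forge the same return path, which is the "double the useless mail" and "hammer the user's mailbox" effect described above.

```python
"""Added example (not from the thread): compare two mail-server policies for
virus-contaminated inbound mail, reject-at-SMTP versus accept-then-bounce, and
count the outbound mail each one generates. Every address and the scanner's
signature below are constructed for the demo."""
from dataclasses import dataclass, field

# Constructed stand-in for an AV engine's signature; not a real malware pattern.
VIRUS_MARKER = b"CONSTRUCTED-VIRUS-SIGNATURE"


@dataclass
class Envelope:
    mail_from: str   # SMTP MAIL FROM (the return path, trivially forgeable)
    rcpt_to: str
    data: bytes      # message content as received at the DATA stage


@dataclass
class ServerResult:
    smtp_reply: str                        # reply sent back to the connecting client
    accepted: bool
    outbound: list = field(default_factory=list)  # (to_addr, subject) mail this server originated


def scan(data: bytes) -> bool:
    """Return True if the message body matches the constructed signature."""
    return VIRUS_MARKER in data


def reject_at_smtp(env: Envelope) -> ServerResult:
    """Policy A (the thread's recommendation): refuse at DATA with a 5xx reply.
    The connecting client owns the failure; this server sends no mail at all."""
    if scan(env.data):
        return ServerResult("550 5.7.1 Message rejected: virus detected", accepted=False)
    return ServerResult("250 2.0.0 OK: queued", accepted=True)


def accept_then_bounce(env: Envelope) -> ServerResult:
    """Policy B: accept, scan after the transaction, then mail a notice to the
    return path. Because the return path is usually forged, the notice lands
    on an innocent third party (backscatter)."""
    result = ServerResult("250 2.0.0 OK: queued", accepted=True)
    if scan(env.data):
        result.outbound.append((env.mail_from, "Virus detected in your message"))
    return result


def simulate(policy, envelopes):
    """Run one policy over a batch; return (rejected, accepted, outbound messages)."""
    rejected = accepted = 0
    outbound = []
    for env in envelopes:
        r = policy(env)
        if r.accepted:
            accepted += 1
        else:
            rejected += 1
        outbound.extend(r.outbound)
    return rejected, accepted, outbound


def backscatter_to(outbound, victim: str) -> int:
    """Count how many server-originated messages are aimed at one address."""
    return sum(1 for to, _ in outbound if to == victim)


def build_batch(n_infected_hosts=100, n_receivers=10, forged_sender="victim@example.org"):
    """Constructed scenario: n_infected_hosts each push one infected message to
    n_receivers receiving servers, all forging the same return path."""
    return [
        Envelope(mail_from=forged_sender,
                 rcpt_to=f"user{r}@receiver{r}.example.net",
                 data=b"Subject: hi\r\n\r\n" + VIRUS_MARKER)
        for _ in range(n_infected_hosts) for r in range(n_receivers)
    ]


if __name__ == "__main__":
    batch = build_batch()
    for name, policy in (("reject-at-SMTP", reject_at_smtp),
                         ("accept-then-bounce", accept_then_bounce)):
        rejected, accepted, outbound = simulate(policy, batch)
        print(f"{name:20s} in={len(batch)} rejected={rejected} accepted={accepted} "
              f"outbound={len(outbound)} to_victim={backscatter_to(outbound, 'victim@example.org')}")
```

With the default batch of 1000 inbound infected messages, the reject policy originates nothing, while the bounce policy originates another 1000 messages, every one of them addressed to the forged return path; the inbound volume is exactly doubled and all of the extra load lands on one mailbox.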