Sobig forces unsubscribes

My list owners are getting Sobig files bounced to them through the administrative addresses. One of their ISPs has decided to reject those relayed messages with a 550 User Unknown because they contain Sobig. The mailman-owner gets this bounce back and kicks them off all the lists. She's asked her admins to change it to a 554 Service Unavailable bounce, but I'm not even sure that will make a difference if my machine keeps trying to send them. Is there a simple way I haven't thought of to strip out the Sobig posts to the list owners?
-- Rob Carlson rob@vees.net http://vees.net/

On Tue, Sep 02, 2003 at 07:04:19PM -0400, Rob Carlson wrote:
> My list owners are getting Sobig files bounced to them through the administrative addresses. One of their ISPs has decided to reject those relayed messages with a 550 User Unknown because they contain Sobig. The mailman-owner gets this bounce back and kicks them off all the lists.
If either is an option, reject (or discard) the incoming viruses in the first place, or else strip incoming messages to the list-owner using demime or something similar. Don't know if it's entirely appropriate to demime messages to the list-owner, however. I certainly wish Yahoo Groups would do this - we've seen a number of customers write in because they're getting unsubbed from Yahoo groups for this reason.
We've had several users with problems like this; the problem is that it's obviously a bad idea to let our users get Sobig viruses (#1, the sheer volume of messages is really annoying, and #2, I would like to avoid having users get infected). However, I think it's a good overall policy to reject any message that's not delivered - with any sort of filter based on content, you're running a risk of rejecting legitimate messages, so it's important that the sender realize the message wasn't delivered. Since the virus sends direct-to-MX, the case of messages going through a MLM is one of the only cases where you'd likely experience problems like this.
> She's asked her admins to change it to a 554 Service Unavailable bounce, but I'm not even sure that will make a difference if my machine keeps trying to send them. Is there a simple way I haven't thought of to strip out the Sobig posts to the list owners?
While 554 or 553 would probably be slightly more appropriate, 550 simply means "mailbox unavailable", and AFAICT, is appropriate to use when rejecting a message for policy reasons (RFC 2821, while still just a proposed standard, is a little clearer about this than RFC 821).
Specifically (section 4.2.2): 550 Requested action not taken: mailbox unavailable (e.g., mailbox not found, no access, or command rejected for policy reasons)
-- "Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")

On 9/2/2003 16:34, "Will Yardley" <william+mm@hq.newdream.net> wrote:
> However, I think it's a good overall policy to reject any message that's not delivered - with any sort of filter based on content, you're running a risk of rejecting legitimate messages, so it's important that the sender realize the message wasn't delivered.
It's arguably a decent overall policy, but it fails in the case of Sobig-F which ordinarily forges the sender. Bouncing Sobig amounts to an attack on an innocent party...particularly if more than a smallish part of the incoming message is included.
Other worms munge the envelope sender [SMTP MAIL FROM: command] (for example by incrementing or decrementing the second character of the envelope sender local part [Magistr, at least some of the Magistr versions] but leave the From: "real"); others munge "From:" but leave the envelope sender real.
So unless you want to build a table of viruses and worms and the right way to bounce or not bounce, and maintain it for new inventions, it's become kinder not to bounce, but to drop on the floor. Likewise, sending a notice to postmaster@the.forged.domain doesn't accomplish anything either (those messages get tossed unread).
"Reliable mail delivery" has suffered blows from both the Spammers and the worm/virus crowd, and doesn't exist any more.
It will be nice to retire and give up all my email accounts.
--John the Pessimist

On Wed, Sep 03, 2003 at 09:01:18PM -0700, John W. Baxter wrote:
> On 9/2/2003 16:34, "Will Yardley" <william+mm@hq.newdream.net> wrote:
> > However, I think it's a good overall policy to reject any message that's not delivered - with any sort of filter based on content, you're running a risk of rejecting legitimate messages, so it's important that the sender realize the message wasn't delivered.
> It's arguably a decent overall policy, but it fails in the case of Sobig-F which ordinarily forges the sender. Bouncing Sobig amounts to an attack on an innocent party...particularly if more than a smallish part of the incoming message is included.
As someone else pointed out (and as I pointed out), when a message is rejected during the SMTP transaction, it's the job of the sending machine to return the message to its sender. Sobig (and most spamware) sends direct to MX from the infected machine, and doesn't send a bounce when it receives a 55x response; the message is simply rejected and no harm is done.
The problem is when the message is NOT initially rejected, and is then bounced back to the sender. Even worse are those misconfigured virus scanners which send notifications to the apparent "sender".
-- "Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")
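The distinction Will draws (a 55x reply inside the SMTP transaction is the sending machine's problem; a bounce generated after acceptance is a new message to whoever MAIL FROM claimed to be) can be shown in a few lines. This is an added model written for this thread, not code from Mailman or from any MTA. The sender behaviours follow the thread: Sobig delivers direct-to-MX from the infected host with a forged envelope sender and ignores 55x replies, while a real relaying MTA returns a 55x-rejected message to its envelope sender. The addresses, subjects and the crude .pif/.scr check (a stand-in for a real virus scanner) are constructed.

```python
"""Where a rejection happens decides who ends up holding the bounce.

Added illustration for this thread, not code from Mailman or from any MTA.
Addresses, subjects and the .pif/.scr check are constructed; the check only
stands in for a real content scanner.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Message:
    mail_from: str                 # SMTP envelope sender (MAIL FROM)
    rcpt_to: str                   # SMTP envelope recipient (RCPT TO)
    subject: str
    attachment: Optional[str] = None


Mailboxes = Dict[str, List[Message]]


def policy_rejects(msg: Message) -> bool:
    """Stand-in for the content scanner: .pif/.scr attachments are 'the worm'."""
    return bool(msg.attachment) and msg.attachment.lower().endswith((".pif", ".scr"))


def dsn_for(msg: Message, reason: str) -> Message:
    """A delivery status notification: null reverse path, addressed to
    whoever the envelope sender claimed to be."""
    return Message(mail_from="<>", rcpt_to=msg.mail_from,
                   subject="Undelivered: %s (%s)" % (msg.subject, reason))


class ReceivingMTA:
    """The recipient ISP's server, in one of two configurations."""

    def __init__(self, mailboxes: Mailboxes, reject_in_transaction: bool):
        self.mailboxes = mailboxes
        self.reject_in_transaction = reject_in_transaction

    def end_of_data(self, msg: Message) -> Tuple[int, str]:
        """Reply given at the end of DATA.  A 55x here leaves the problem
        with the sending machine; a 250 makes the message ours."""
        if self.reject_in_transaction and policy_rejects(msg):
            return 550, "5.7.1 Message rejected for policy reasons"
        self._after_acceptance(msg)
        return 250, "OK queued"

    def _after_acceptance(self, msg: Message) -> None:
        """Once accepted, the only way to report a scan failure is a new
        message to the envelope sender: backscatter if that sender is forged."""
        if policy_rejects(msg):
            self.mailboxes[msg.mail_from].append(dsn_for(msg, "virus found after acceptance"))
        else:
            self.mailboxes[msg.rcpt_to].append(msg)


Sender = Callable[[Message, ReceivingMTA, Mailboxes], int]


def sobig_sends(msg: Message, mta: ReceivingMTA, mailboxes: Mailboxes) -> int:
    """Infected host talking direct-to-MX: reads the reply, generates nothing."""
    code, _ = mta.end_of_data(msg)
    return code


def relaying_mta_sends(msg: Message, mta: ReceivingMTA, mailboxes: Mailboxes) -> int:
    """A proper MTA (say, the one carrying Mailman's forward to a list owner):
    a permanent 55x reply obliges it to bounce the message to MAIL FROM."""
    code, text = mta.end_of_data(msg)
    if 500 <= code < 600:
        mailboxes[msg.mail_from].append(dsn_for(msg, text))
    return code


# Constructed messages.  The second is this thread's case: Mailman forwarded a
# worm post to a list owner, so the envelope sender is the list's bounce address.
WORM_DIRECT = Message("innocent@forged.example", "user@isp.example",
                      "Re: Details", "your_details.pif")
WORM_VIA_LIST = Message("mylist-bounces@lists.example", "owner@isp.example",
                        "Re: Details", "your_details.pif")


def run(sender: Sender, msg: Message, reject_in_transaction: bool) -> Dict[str, int]:
    """Deliver msg through sender to an MTA in the given mode; return how many
    messages each mailbox ends up holding."""
    mailboxes: Mailboxes = defaultdict(list)
    sender(msg, ReceivingMTA(mailboxes, reject_in_transaction), mailboxes)
    return {addr: len(msgs) for addr, msgs in mailboxes.items()}


if __name__ == "__main__":
    for label, sender, msg in (("Sobig direct-to-MX", sobig_sends, WORM_DIRECT),
                               ("Mailman forward to owner", relaying_mta_sends, WORM_VIA_LIST)):
        for mode in (True, False):
            print(label, "| reject in transaction" if mode else "| accept then bounce",
                  run(sender, msg, mode))
```

Run as a script, the four cases come out as the thread describes: the worm rejected in-transaction leaves every mailbox empty, the worm accepted and then bounced puts a DSN in the forged sender's mailbox, and the Mailman-forwarded copy lands a DSN at the list's bounce address in either mode, because a real MTA on the sending side honours the 55x, which is exactly the bounce Rob's bounce processor then acts on.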

Hi,
Rob Carlson wrote:
> My list owners are getting Sobig files bounced to them through the administrative addresses. One of their ISPs has decided to reject those relayed messages with a 550 User Unknown because they contain Sobig.
> The mailman-owner gets this bounce back and kicks them off all the lists. She's asked her admins to change it to a 554 Service Unavailable
Ask him to silently discard them (>/dev/null) because the bounce address is also a victim.
-- Tokio Kikuchi, tkikuchi@ is.kochi-u.ac.jp http://weather.is.kochi-u.ac.jp/

On Tuesday, Sep 2, 2003, at 19:59 US/Eastern, Tokio Kikuchi wrote:
> > My list owners are getting Sobig files bounced to them through the administrative addresses. One of their ISPs has decided to reject those relayed messages with a 550 User Unknown because they contain Sobig. The mailman-owner gets this bounce back and kicks them off all the lists. She's asked her admins to change it to a 554 Service Unavailable
> Ask him to silently discard them (>/dev/null) because the bounce address is also a victim.
Yes, but it is doing a 550 in its conversation with the server (in this case a Sobig instance) so for actual Sobig connections, the message would be silently discarded by both the Sobig instance and their mail server without annoying the owner of the forged address. Not a bad way to do things overall, I just need to get around it somehow.
-- Rob Carlson rob@vees.net http://vees.net/

On Tue, Sep 02, 2003 at 08:05:51PM -0400, Rob Carlson wrote:
> On Tuesday, Sep 2, 2003, at 19:59 US/Eastern, Tokio Kikuchi wrote:
> > > My list owners are getting Sobig files bounced to them through the administrative addresses. One of their ISPs has decided to reject those relayed messages with a 550 User Unknown because they contain Sobig. The mailman-owner gets this bounce back and kicks them off all the lists. She's asked her admins to change it to a 554 Service Unavailable
> > Ask him to silently discard them (>/dev/null) because the bounce address is also a victim.
> Yes, but it is doing a 550 in its conversation with the server (in this case a Sobig instance) so for actual Sobig connections, the message would be silently discarded by both the Sobig instance and their mail server without annoying the owner of the forged address.
Exactly.
> Not a bad way to do things overall, I just need to get around it somehow.
One option would be to disable auto-bounce detection until Sobig expires and / or increase the threshold of bounces required to remove an address (it would be nice if an individual address could be exempted without disabling this feature entirely, but this isn't currently an option).
Does filtering attachments with a particular content type (under Content Filtering) affect messages sent to the list-owner, or only messages sent to the list itself? What about Spam filters (under Privacy Options -> Spam filters) - if you autodelete messages which appear to be Sobig, is the original message forwarded to the owner, or only a summary indicating that a message was deleted (my recollection is that it's the latter).
-- "Since when is skepticism un-American? Dissent's not treason but they talk like it's the same..." (Sleater-Kinney - "Combat Rock")
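Will's two suggestions (turn bounce processing off until Sobig expires, or raise the score threshold) are easier to weigh with a model of how Mailman 2.1 scores bounces. The block below is an added example written for this thread, not Mailman's own code; it follows the rules Mailman's "Bounce processing" admin page describes (each hard bounce adds one point, at most one point per member per day, the score is forgotten after bounce_info_stale_after days without bounces, delivery is disabled when the score reaches bounce_score_threshold). Soft bounces and the you-are-disabled warning cycle are left out, and the dates, address and bounce timeline are constructed.

```python
"""Model of Mailman 2.1-style bounce scoring.

Added example for this thread, not Mailman's own code.  Setting names and
defaults are Mailman 2.1's; the timeline and address are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class BounceSettings:
    bounce_processing: bool = True
    bounce_score_threshold: float = 5.0   # Mailman 2.1 default
    bounce_info_stale_after: int = 7      # days, Mailman 2.1 default


@dataclass
class BounceInfo:
    score: float = 0.0
    last_bounce: Optional[date] = None


@dataclass
class ListBouncer:
    settings: BounceSettings
    info: Dict[str, BounceInfo] = field(default_factory=dict)
    disabled: Set[str] = field(default_factory=set)

    def register_bounce(self, member: str, day: date) -> float:
        """Record one hard bounce for member received on day; return the score."""
        if not self.settings.bounce_processing:
            return 0.0                          # bounces are ignored entirely
        rec = self.info.setdefault(member, BounceInfo())
        stale = timedelta(days=self.settings.bounce_info_stale_after)
        if rec.last_bounce is not None and day - rec.last_bounce > stale:
            rec.score = 0.0                     # old bounce information is stale
        if rec.last_bounce == day:
            return rec.score                    # a second bounce the same day does not count
        rec.score += 1.0
        rec.last_bounce = day
        if rec.score >= self.settings.bounce_score_threshold:
            self.disabled.add(member)           # delivery disabled; warnings would follow
        return rec.score


OWNER = "owner@isp.example"   # constructed list-owner address


def simulate(settings: BounceSettings, bounce_days: List[date]) -> Tuple[float, bool]:
    """Feed one worm-induced bounce for OWNER on each listed day (repeats allowed);
    return the final score and whether delivery got disabled."""
    bouncer = ListBouncer(settings)
    score = 0.0
    for day in bounce_days:
        score = bouncer.register_bounce(OWNER, day)
    return score, OWNER in bouncer.disabled


# Constructed timeline: the ISP's 550 comes back every day Sobig posts.
START = date(2003, 9, 1)
FIVE_DAYS = [START + timedelta(days=i) for i in range(5)]
SAME_DAY_TEN_TIMES = [START] * 10
WITH_A_GAP = [START, START + timedelta(days=1), START + timedelta(days=14)]

if __name__ == "__main__":
    print("defaults, one bounce a day for five days:", simulate(BounceSettings(), FIVE_DAYS))
    print("defaults, ten bounces in one day:", simulate(BounceSettings(), SAME_DAY_TEN_TIMES))
    print("bounce processing off:", simulate(BounceSettings(bounce_processing=False), FIVE_DAYS))
    print("threshold raised to 30:", simulate(BounceSettings(bounce_score_threshold=30.0), FIVE_DAYS))
    print("two-week gap in bounces:", simulate(BounceSettings(), WITH_A_GAP))
```

The per-day cap means a flood of Sobig copies on one day costs the owner a single point, so what disables the subscription is the steady one-a-day rhythm of the worm; turning processing off removes the risk outright, while a higher threshold only buys time until the score catches up, unless the bounces stop for longer than bounce_info_stale_after and the score is forgotten.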
participants (4)
- John W. Baxter
- Rob Carlson
- Tokio Kikuchi
- william+mm@hq.newdream.net