Re: RFC: virus handling

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: RFC: virus handling
From: Volker Kuhlmann <list0570@xxxxxxxxxxxxxxx>
Date: Wed, 4 Feb 2004 11:59:12 +1300
Cc: Dave Clendenan <dave@xxxxxxxxxxxxxxxxx>, John Fitzgibbon <fitz@xxxxxxxxx>
In-reply-to: <20040203170905.GA1695@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <1075304734.29593.147.camel@xxxxxxxxxxxxxx> <200401281400.03753.fitz@xxxxxxxxx> <20040203170905.GA1695@xxxxxxxxxxxxxxxxx>

> > A bounce should *always* include a MIME attachment of type 
> > message/rfc822-headers which contains the full headers from the original 
> > mail. This makes it relatively easy to check on the receiving side if the 
> > original "Received: from" headers are valid, and simply drop bounces that 
> > relate to messages that were originally sent with forged headers.

> Outstanding idea.  If you (or anyone else on the list) already have a
> tested procmail recipe for this, please share.  If not, let's make one
> and share it around...

Done that:

http://volker.dnsalias.net/soft/procmail/virusnotification.rc

As a quick guess, the received: recipe catches 1/2 - 2/3 of all
responses from those idiots, though I'm not recording exactly which
recipe triggers because I don't care which rubbish it is.

Anything can be improved, of course.

Volker

-- 
Volker Kuhlmann                 is possibly list0570 with the domain in header
http://volker.dnsalias.net/             Please do not CC list postings to me.

References:
- RFC: virus handling
  - From: Thomas Zehetbauer
- Re: RFC: virus handling
  - From: John Fitzgibbon
- Re: RFC: virus handling
  - From: Dave Clendenan

Prev by Date: smbmount disrupts Windows file sharing.
Next by Date: ZH2004-04SA (security advisory): Multiple Sql Injection Vulnerabilities in ReviewPost PHP Pro
Previous by thread: Re: RFC: virus handling
Next by thread: Re: RFC: virus handling
Index(es):
- Date
- Thread