From owner-freebsd-security Wed Mar 14 8:30:49 2001
Delivered-To: freebsd-security@freebsd.org
Received: from w2xo.pgh.pa.us (18.gibs5.xdsl.nauticom.net [209.195.184.19]) by hub.freebsd.org (Postfix) with ESMTP id 7B0F237B719 for ; Wed, 14 Mar 2001 08:30:40 -0800 (PST) (envelope-from durham@w2xo.pgh.pa.us)
Received: from shazam (shazam [192.168.5.3]) by w2xo.pgh.pa.us (8.11.2/8.9.3) with ESMTP id f2EGTmq44176; Wed, 14 Mar 2001 16:29:52 GMT (envelope-from durham@w2xo.pgh.pa.us)
Date: Wed, 14 Mar 2001 11:31:05 -0500 (EST)
From: Jim Durham
X-Sender: durham@shazam.int
To: "Bruce M. Walker"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Sophos and Virus return mail
In-Reply-To: <200103141308.f2ED84E11909@fusion.borderware.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 14 Mar 2001, Bruce M. Walker wrote:

> Jim Durham wrote:
> >
> > I thought of rewriting the script to use the "From: " address
> > to reply. I think that would usually work, but I'm not sure
> > that address always appears either.
>
> Unhappily not:
>
> From: Hahaha
>
> You can see the IP of the host that sent it to you in the Received:
> headers if you inspect them, but that will be simply the Windows
> PC that itself has been infected. Snowhite contains a complete
> SMTP send-only implementation and it delivers to its targets directly.
>
> I'm afraid you're stuck with these things.
>
> (This is one case where blocking of port 25 by ISPs is a good thing.)
>
> -bmw

Yes, SnowWhite is probably a bad example, as, like you say, it doesn't
generate a replyable "From:" address. I didn't ask my question correctly.
Some viruses generate no envelope "from" but *do* generate a "From: ".
I was thinking about the ramifications of changing the script to use the
"From: " if the envelope is not there.

SO...

    if (from)
        reply to from
    else if (From: )
        reply to From:
    else
        reply to MAILER-DAEMON (sigh...)
Another thing that might be done is ... and I've done this by hand a
couple times, which gets old... dig out the "ppp-4027dialup@bigisp.net"
and the time from the headers and generate a reply to: "abuse@bigisp.net",
giving the time of the abuse and the dialup. Maybe if we started using

Sadly, I don't think ISPs pay much attention to "abuse" e-mail, though.
(Another sigh). I've never gotten a response to an abuse report.

This "Virus in your mail to:" stuff gets old..

Yes, I knew what you meant about port 25.. no need to explain. Brains
are much faster than fingers..

Jim Durham
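The two procedures sketched in this message (the envelope-from / From: / MAILER-DAEMON cascade for deciding whom to notify, and digging the dialup host and timestamp out of the Received: headers for an abuse report) are shown below as an added example; it is not code from this thread, from Sophos, or from the FreeBSD project. It uses only Python's standard `email` package, the message it parses is constructed for the example, and the hostnames, addresses and the `abuse@` guess are assumptions. The trust caveat Bruce raises is built in: a display-name-only From: yields no address at all (so no notice is sent to a forged one), and only the Received: line added by your own MTA is something you vouched for, so the report should carry the whole chain.

```python
"""Decide where a 'virus in your mail' notice goes, and pull the
originating hop out of the Received: chain for an abuse report.

Added example, not code from the mailing-list thread. Decision order
follows the sketch in the message: envelope sender, then From:, then
give up (the script's MAILER-DAEMON case). SAMPLE is constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr, parsedate_to_datetime
from typing import Optional, Tuple

# Constructed sample: null envelope sender (passed separately, as the MTA
# would hand it to the scanner), a display-name-only From:, and a two-hop
# Received: chain whose oldest hop is the assumed infected dialup host.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mx.example.org (Postfix) with ESMTP id ABC123
\tfor <victim@example.org>; Wed, 14 Mar 2001 08:30:40 -0800 (PST)
Received: from ppp-4027dialup.bigisp.example (ppp-4027dialup.bigisp.example [198.51.100.27])
\tby mail.example.net (8.11.2/8.9.3) with SMTP id f2EGTmq44176;
\tWed, 14 Mar 2001 16:29:52 GMT
From: Hahaha
To: victim@example.org
Subject: constructed worm-style subject

body
"""

_RECEIVED_FROM = re.compile(r"^from\s+(\S+)(?:\s*\(([^)]*)\))?", re.IGNORECASE)


def load_sample(from_value: str = "Hahaha") -> Message:
    """Parse SAMPLE, optionally swapping in a different From: value."""
    return message_from_string(SAMPLE.replace("From: Hahaha", "From: " + from_value))


def choose_reply_address(msg: Message, envelope_from: str) -> Optional[str]:
    """Return the address a notice would go to, or None (nobody to tell).

    envelope_from is the SMTP MAIL FROM; '' or '<>' is the null sender
    that worms and bounces use. A From: with no address part (e.g.
    'From: Hahaha') gives None rather than a guess.
    """
    env = envelope_from.strip().strip("<>")
    if env and "@" in env:
        return env  # envelope sender present: the normal case
    _, hdr = parseaddr(msg.get("From", ""))
    if hdr and "@" in hdr:
        return hdr  # no envelope, but From: carries a usable address
    return None  # MAILER-DAEMON case: nothing replyable in the message


def originating_hop(msg: Message) -> Optional[Tuple[str, Optional[str], Optional[object]]]:
    """Return (host, ip, timestamp) from the oldest Received: header.

    Relays prepend Received: lines, so the last one is the earliest hop
    visible. Only the hop written by your own MTA is trustworthy; older
    lines can be forged by the sender, so an abuse report should quote
    the whole chain rather than just this tuple.
    """
    received = msg.get_all("Received", [])
    if not received:
        return None
    oldest = " ".join(received[-1].split())  # unfold continuation lines
    m = _RECEIVED_FROM.match(oldest)
    if not m:
        return None
    host = m.group(1)
    ip = None
    if m.group(2):
        ipm = re.search(r"\[([0-9.]+)\]", m.group(2))
        ip = ipm.group(1) if ipm else None
    stamp = None
    if ";" in oldest:  # RFC 822 puts the date after the last ';'
        try:
            stamp = parsedate_to_datetime(oldest.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            stamp = None
    return host, ip, stamp


def abuse_contact(host: str) -> Optional[str]:
    """Guess the relay operator's abuse mailbox from the hop's hostname
    (hostname minus its first label), as the message did by hand.
    Heuristic: assumes the operator runs abuse@ for that domain and that
    dropping one label lands on the operator's domain, which is not
    true for every naming scheme."""
    labels = host.rstrip(".").split(".")
    if len(labels) < 3:
        return None
    return "abuse@" + ".".join(labels[1:])


if __name__ == "__main__":
    msg = load_sample()
    print("notify:", choose_reply_address(msg, "<>"))
    hop = originating_hop(msg)
    print("origin:", hop)
    if hop:
        print("report to:", abuse_contact(hop[0]))
```

Run stand-alone it prints `notify: None` for the sample (no envelope, no address in From:), then the dialup host, its bracketed IP and the parsed GMT timestamp from the oldest hop, and the guessed `abuse@` mailbox; a report built from these should also include the unmodified Received: lines so the ISP can check the hop its own relay stamped.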