[Dshield] e-mail etiquette

John D. lists at webcrunchers.com
Thu Aug 21 00:52:19 GMT 2003


>On Wed, 2003-08-20 at 11:23, Johannes B. Ullrich wrote:
>> Just a quick note:
>> 
>> Please make sure that your virus filter is NOT
>> sending notifications to the sender of the virus. Sobig, and most recent
>> viruses, spoof the sender. As a result, innocent people (like myself)
>> are flooded with notifications.
>
>The sanitizer makes a minimal attempt to be "smart" about sender
>notifications: they are only sent if the Received: header chain seems to
>support the sender's domain.
>
>For example, if a worm forged a from address of jhardin at impsec.org, and
>none of the Received: headers indicated an impsec.org relay, then the
>sender notification would be suppressed.

This is NOT a good idea, because most receiver headers are going to have
reverse DNS strings, and would normally just be an IP address...

John
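
The Received:-chain check discussed in this thread, sketched as an added example (not part of the original messages and not the sanitizer's own code). It shows the outcome for a forged sender, a sender whose relay is named, and a relay that appears only as an IP address; all messages, hostnames and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# A from/by clause: the name, then an optional "(rdns [ip])" comment.
# The lookbehind skips tokens such as "envelope-from".
CLAUSE_RE = re.compile(r"(?<![\w-])(?:from|by)\s+([^\s()]+)(?:\s+\(([^)]*)\))?", re.I)
# Hostname-like token ending in an alphabetic label; bare IPs never match.
HOST_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

def received_hosts(msg):
    """Hostnames named in the from/by clauses of every Received: header."""
    hosts = set()
    for hdr in msg.get_all("Received", []):
        trace = hdr.split(";")[0]  # drop the trailing timestamp
        for name, comment in CLAUSE_RE.findall(trace):
            hosts.update(h.lower() for h in HOST_RE.findall(name + " " + comment))
    return hosts

def should_notify_sender(raw):
    """True only if some Received: host lies in the From: address's domain."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if not domain:
        return False  # no usable sender: stay silent
    return any(h == domain or h.endswith("." + domain)
               for h in received_hosts(msg))

# Constructed sample messages (documentation domains and address ranges).
FORGED = (
    "Received: from dialup-7.isp.example (dialup-7.isp.example [198.51.100.23])"
    " by mx.victim.example; Wed, 20 Aug 2003 11:00:00 -0400\n"
    "From: alice@sender.example\nSubject: Re: Details\n\nbody\n")
GENUINE = (
    "Received: from mail.sender.example (mail.sender.example [192.0.2.10])"
    " by mx.victim.example; Wed, 20 Aug 2003 11:00:00 -0400\n"
    "From: alice@sender.example\nSubject: report\n\nbody\n")
IP_ONLY = (
    "Received: from [192.0.2.10] by mx.victim.example;"
    " Wed, 20 Aug 2003 11:00:00 -0400\n"
    "From: alice@sender.example\nSubject: report\n\nbody\n")

if __name__ == "__main__":
    for label, raw in (("forged", FORGED), ("genuine", GENUINE), ("ip-only", IP_ONLY)):
        print(label, "notify" if should_notify_sender(raw) else "suppress")
```

The name immediately after `from` is the HELO string supplied by the connecting client, so a match on that token alone does not prove where the message came from.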
