[Dshield] Form Letter: Please stop bouncing virus infected emails

Jon R. Kibler Jon.Kibler at aset.com
Mon Mar 8 15:15:47 GMT 2004

Good Monday Morning Everyone!

Well, FINALLY a Monday without a major new virus in the wild -- at least not yet!

I have received a couple of requests to post the form letter we use to complain about the bouncing of virus infected emails. Please feel free to use and/or modify it to suit your needs. (Be sure you include full headers of the bounce message with your complaint.)

Comment/Recommendation: There is NO legitimate reason to be bouncing virus infected emails. However, many mail systems still do so. The only way that we will be able to stop this practice is if enough people complain. I HIGHLY recommend that every time you receive a bounced virus, write the postmaster and abuse addresses for the MTA that generated the bounce.

Jon K.
Jon R. Kibler
Chief Technical Officer
A.S.E.T., Inc.
Charleston, SC  USA
(843) 849-8214

To: postmaster@ abuse@
Subject: Please stop bouncing virus infected emails!

Dear Postmaster and Abuse:

PLEASE stop bouncing virus infected emails!

First, we acknowledge that the RFCs require you to bounce such 
messages to their envelope sender. But, let's face it -- the 
RFCs have been outdated by changes in the real world. It's time 
we change the standards.

Here are several reasons you should not be bouncing virus infected 
  1) Most likely, the sending email address is forged, so the user 
     that appears to be sending the notice is not the actual
     sender, and thus, not the infected system.
  2) If the email is bounced to a real user's email address, you 
     are only serving to spread the virus.
  3) If you bounce the message to a valid domain, but to a 
     non-existent user, then your bounce will be bounced (a 
     "double bounce"), and a lot of MTAs do not handle double 
     bounces well -- especially if the double bounce is to a 
     non-existent user.
  4) You are wasting a lot of your local systems' resources, a lot 
     of network resources, and a lot of other systems' resources.

So what should you do? A couple of options:
  1) Simply log the fact you received a virus infected message, then 
     discard it.
  2) Or, log the fact you received a virus infected message, 
     quarantine the entire message, and notify the postmaster.
  3) If you want to notify somebody, it should be the abuse contact 
     for the IP address of the connecting MTA (and not the abuse 
     address for the domain of the envelope sender or recipient!).

One other thing not to do (unless you like filling your users' inboxes 
full of junk): Do not strip the infected attachment from the email and 
send the rest of the message on to the recipient. Discard or quarantine
the entire message!

Thank you for your IMMEDIATE attention to this matter. We trust that
we will not be receiving additional viruses bounced by your systems.


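As an added illustration (not part of the original post or of any mail product), the handling the form letter recommends for a scanner-flagged message could be sketched in Python as follows. The function name, the returned fields, `LOCAL_NETS`, and all sample addresses are assumptions constructed for this example.

```python
import hashlib
import ipaddress
import json
import logging
from pathlib import Path

log = logging.getLogger("virus-policy")
# Assumption: networks whose hosts are our own relays (constructed values).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]


def handle_infected(peer_ip, mail_from, rcpt_to, raw_message, virus_name,
                    quarantine_dir=None):
    """Decide what to do with a message the scanner flagged as infected.

    peer_ip is the address of the MTA that connected to us, taken from the
    SMTP session, not from any header or envelope field the sender controls.
    """
    digest = hashlib.sha256(raw_message).hexdigest()
    # Options 1 and 2 in the letter both start by logging the event.
    log.warning("infected message virus=%s peer=%s mail_from=%s sha256=%s",
                virus_name, peer_ip, mail_from, digest)

    quarantined = None
    if quarantine_dir is not None:
        # Quarantine the entire message, unmodified, plus session metadata.
        qdir = Path(quarantine_dir)
        qdir.mkdir(parents=True, exist_ok=True)
        quarantined = qdir / f"{digest}.eml"
        quarantined.write_bytes(raw_message)
        meta = {"peer_ip": peer_ip, "mail_from": mail_from,
                "rcpt_to": rcpt_to, "virus": virus_name}
        (qdir / f"{digest}.json").write_text(json.dumps(meta))

    # Assumption: a peer inside LOCAL_NETS is our own relay, so there is no
    # outside abuse contact to look up for it.
    addr = ipaddress.ip_address(peer_ip)
    external = not any(addr in net for net in LOCAL_NETS)
    return {
        "action": "quarantine" if quarantined else "discard",
        "bounce_to": None,   # no bounce to the (likely forged) envelope sender
        "deliver_to": [],    # no stripped copy forwarded to the recipients
        "notify_postmaster": quarantined is not None,
        "abuse_lookup_ip": peer_ip if external else None,
        "quarantine_path": str(quarantined) if quarantined else None,
    }
```

The value in `abuse_lookup_ip` is what a whois or abuse-contact lookup would be run against; the domain in `mail_from` is recorded in the log and metadata only.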