[Dshield] Form Letter: Please stop bouncing virus infected emails
Jon R. Kibler
Jon.Kibler at aset.com
Mon Mar 8 15:15:47 GMT 2004
Good Monday Morning Everyone!
Well, FINALLY a Monday without a major new virus in the wild -- at least not yet!
I have received a couple of requests to post the form letter we use to complain about the bouncing of virus infected emails. Please feel free to use and/or modify it to suit your needs. (Be sure you include full headers of the bounce message with your complaint.)
Comment/Recommendation: There is NO legitimate reason to be bouncing virus infected emails. However, many mail systems still do so. The only way that we will be able to stop this practice is if enough people complain. I HIGHLY recommend that every time you receive a bounced virus, write the postmaster and abuse addresses for the MTA that generated the bounce.
Jon R. Kibler
Chief Technical Officer
Charleston, SC USA
"STOP BOUNCING VIRUSES" FORM LETTER:
To: postmaster@ abuse@
Subject: Please stop bouncing virus infected emails!
Dear Postmaster and Abuse:
PLEASE stop bouncing virus infected emails!
First, we acknowledge that the RFCs require you to bounce such
messages to their envelope sender. But, let's face it -- the
RFCs have been outdated by changes in the real world. It's time
we change the standards.
Here are several reasons you should not be bouncing virus infected
1) Most likely, the sending email address is forged, so the user
that appears to be sending the notice is not the actual
sender, and thus, not the infected system.
2) If the email is bounced to a real user's email address, you
are only serving to spread the virus.
3) If you bounce the message to a valid domain, but to a
non-existent user, then your bounce will be bounced (a
"double bounce"), and a lot of MTAs do not handle double
bounces well -- especially if the double bounce is to a
4) You are wasting a lot of your local systems' resources, a lot
of network resources, and a lot of other systems' resources.
So what should you do? A couple of options:
1) Simply log the fact you received a virus infected message, then
2) Or, log the fact you received a virus infected message,
quarantine the entire message, and notify the postmaster.
3) If you want to notify somebody, it should be the abuse contact
for the IP address of the connecting MTA (and not the abuse
address for the domain of the envelope sender or recipient!).
One other thing not to do (unless you like filling your users' inboxes
full of junk): Do not strip the infected attachment from the email and
send the rest of the message on to the recipient. Discard or quarantine
the entire message!
Thank you for your IMMEDIATE attention to this matter. We trust that
we will not be receiving additional viruses bounced by your systems.
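Added example (not part of the original post): one way to pull out of a received bounce what the letter asks for, namely the full headers to attach and the IP address of the connecting MTA that generated the bounce. The function name, the sample message and the "from HELO (rDNS [IP])" Received layout (Postfix/sendmail style) are assumptions made for illustration.

```python
import email
import re

# Constructed sample: a virus bounce as stored by our own MTA (mx.example.net).
SAMPLE_BOUNCE = (
    "Return-Path: <>\n"
    "Received: from mailgw (mail.bouncer.example [192.0.2.25])\n"
    "\tby mx.example.net with ESMTP id ABC123; Mon, 8 Mar 2004 10:02:11 -0500\n"
    "Received: from forged.example ([203.0.113.9]) by mailgw; Mon, 8 Mar 2004 10:02:09 -0500\n"
    "From: MAILER-DAEMON@mail.bouncer.example\n"
    "To: user@example.net\n"
    "Subject: Virus found in message you sent\n"
    "Auto-Submitted: auto-replied\n"
    "\n"
    "A virus was found in the attachment you sent.\n"
)

# Assumed Received layout: from <helo> (<rdns> [<ip>]); rDNS may be absent.
RECEIVED_FROM = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]\)")

def analyze_bounce(raw):
    """Return bounce verdict, connecting MTA details and the full header block."""
    msg = email.message_from_string(raw)
    null_sender = msg.get("Return-Path", "").strip() == "<>"
    auto = msg.get("Auto-Submitted", "no").strip().lower() != "no"
    dsn = msg.get_content_type() == "multipart/report"
    result = {"is_bounce": null_sender or auto or dsn,
              "helo": None, "rdns": None, "connecting_ip": None,
              "headers": raw.split("\n\n", 1)[0]}
    # Only the topmost Received line was written by our own MTA; everything
    # below it (and the HELO name) is supplied by the remote side.
    received = msg.get_all("Received") or []
    match = RECEIVED_FROM.search(received[0]) if received else None
    if match:
        result["helo"], result["rdns"], result["connecting_ip"] = match.groups()
    return result

if __name__ == "__main__":
    info = analyze_bounce(SAMPLE_BOUNCE)
    print(info["is_bounce"], info["rdns"], info["connecting_ip"])
```

The connecting IP is the value to look up when finding the abuse contact; the HELO name is reported only for comparison, since the remote side chooses it.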