[unisog] Handling Rejected eMail Notifications

Michael D. Sofka sofkam at rpi.edu
Fri Apr 12 16:31:14 GMT 2002

At 01:26 PM 4/10/2002 -0400, Gary Flynn wrote:

>Do you send notification messages about email that isn't
>delivered due to viruses or attachment types?

Yes, if the sender address looks valid.   On my short list
is using mysql (with MIMEDefang) to avoid sending multiple
alerts to the same address.   Quite a few addresses bounce
(say, 10%).  When the virus is persistent, this gets annoying.

>Do you change what you do depending upon whether the sender
>is internal or external?

No.  But, we bounce or discard all virus positive email.

>Who do you send the notification to?

The connecting From address.  I may modify this to check
for Reply-To:   (After reading this thread, I see the script
will also have to check that mail
is not bulk, or otherwise coming from a list.  Although, most
lists do not allow members to post so this isn't a huge problem.
Locally, mail is scanned before it gets to the lists machine so
we don't inadvertently send notices to our own lists.)

>If the postmaster of the sending organization, how do you
>determine the sending organization? By the Received: entry's
>sending computer's IP address/domain?

I don't.  It would be nice, but following up on all the attempted
and actual virus sends would be a full time job.

>Do you notify the apparent sender? If so, how are you handling 
>mail generated by viruses such as Klez that spoof all the 
>sender information?

The mail bounces, end of story.  A good faith effort to tell somebody
they have a virus is about the best we can do.  If the virus is persistent
the machine or apparent sender will be blocked using sendmail's access
db.  I may have MIMEDefang automate blocks.

>What information about the blocked message do you include
>in the notification? Are you concerned with possible privacy
>issues particularly if the notification gets sent to the
>wrong party?

The recipient, and the results of Sophos's scan.

>Do you notify the potential recipient(s)?

No.  In many cases this would be as annoying as receiving the
virus.  Some viruses have attempted to send messages to the
same users 1000 times in a day.  (Restricting notices to just
once per sender only begs the day when a virus changes
apparent senders once per message.)

When I first started virus scanning I quarantined the messages,
and not once did I ever see a virus included in a legitimate message.
Usually the virus generates its own bogus message, and attaches a file
the user would probably rather not have sent.  Blocking does both
sender and recipient a favor.  Besides, if the mail is still getting through
(with virus removed) the sender has less incentive to get their machine
You're welcome.
>Gary Flynn
>Security Engineer - Technical Services
>James Madison University
>Please R.U.N.S.A.F.E.

Michael Sofka                          sofkam at rpi.edu
CCT Sr. Systems Programmer  email, webmail, listproc, TeX, epistemology.
Rensselaer Polytechnic Institute, Troy, NY.    http://www.rpi.edu/~sofkam/
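An added illustration of the notification checks discussed in this post (Reply-To fallback, skipping list and bulk mail, one notice per sender address); this is example code, not MIMEDefang's filter or the script described above, and it uses an in-memory sqlite table as a stand-in for the MySQL table mentioned. The header names checked, the excluded local parts and the one-day window are assumptions.

```python
import email
import sqlite3
from email.utils import parseaddr

# Mail carrying these markers is list or automated traffic: a notice would go to
# the list or to a robot, never to the infected user. (Assumed header set.)
BULK_PRECEDENCE = {"bulk", "list", "junk"}
NO_REPLY_LOCALPARTS = {"mailer-daemon", "postmaster", "noreply", "no-reply"}


def notify_address(raw_message: bytes):
    """Return the address a virus notice should go to, or None if none should be sent."""
    msg = email.message_from_bytes(raw_message)
    if msg.get("Precedence", "").strip().lower() in BULK_PRECEDENCE:
        return None
    if msg.get("Auto-Submitted", "no").strip().lower() != "no":
        return None
    if any(name.lower().startswith("list-") for name in msg.keys()):  # List-Id, List-Post, ...
        return None
    # Prefer Reply-To over From, as the post considers doing.
    addr = parseaddr(msg.get("Reply-To") or msg.get("From") or "")[1].lower()
    if "@" not in addr or addr.split("@", 1)[0] in NO_REPLY_LOCALPARTS:
        return None
    return addr


class NoticeLimiter:
    """One notice per sender address per window, backed by sqlite (stand-in for MySQL)."""

    def __init__(self, window_seconds=86400, path=":memory:"):
        self.window = window_seconds
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS notices (addr TEXT PRIMARY KEY, last_sent INTEGER)"
        )

    def allow(self, addr, now):
        """True if no notice went to addr within the window; records the send if so."""
        row = self.db.execute("SELECT last_sent FROM notices WHERE addr = ?", (addr,)).fetchone()
        if row is not None and now - row[0] < self.window:
            return False
        self.db.execute("INSERT OR REPLACE INTO notices (addr, last_sent) VALUES (?, ?)", (addr, now))
        self.db.commit()
        return True


# Constructed sample message, not captured traffic.
SAMPLE = b"From: Some User <user@example.org>\r\nTo: victim@example.edu\r\nSubject: hi\r\n\r\nbody\r\n"
```

As the post itself notes, per-address limiting does nothing against a virus that changes the apparent sender on every message; the limiter only removes repeat notices to one forged address.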
