[unisog] SMTP and IDP - a question for the SMTP gurus
Stephen C Woods
scw at seas.ucla.edu
Thu Feb 12 19:24:46 GMT 2004
Well, our mailscanners accept everything and then scan, so that's not
an issue. If the receiving agent sends back a 550, the sending machine
should discard the message.
Virus messages (at least MyDoom and Klez) use their own MTA and it
contacts the target directly with one message per delivery.
On Wed, Feb 11, 2004 at 09:23:25AM -0500, Gary Flynn wrote:
> Short version:
> Does a mail server that has multiple messages to
> deliver to a particular destination server deliver
> all those messages in one session?
> Long version:
> A couple mornings the past couple weeks, our mail server
> has been slammed by incoming MyDoom messages at the start
> of the work day. The AV scanning drives the CPU utilization
> way up and performance suffers.
> IDP devices have signatures to detect known viruses
> in incoming SMTP sessions. However, I'm worried what
> will happen if the sending server has more than one
> message to deliver. Does an SMTP server that has
> multiple messages bound for a destination server
> deliver those in one TCP session in a sequence of
> RCPT TO: commands?
> For example:
> Suppose MailServerA has three messages to deliver to JMU.
> The first one in the queue is infected. As the server tries
> to deliver that first message, it is detected by an IDP and
> the session is dropped. This would seem to prevent further
> messages from being delivered. If the server retries, the
> virus message will still be first in the queue and the
> results will repeat.
> Of course, if the server creates a new SMTP connection
> for each message, this scenario is not valid and I'm
> worried over nothing.
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
Stephen C. Woods; UCLA SEASnet; 2567 Boelter hall; LA CA 90095; (310)-825-8614
Unless otherwise noted these statements are my own, Not those of the
University of California. Internet mail:scw at seas.ucla.edu
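Added example, not part of either poster's message: a small Python model of the three-message scenario in the thread, comparing an inline device that drops the TCP session with a receiver that answers 550. It assumes, as the question does, a sender that retries its queue in fixed order; the function name, message labels and retry count are hypothetical, and real MTAs may order retries differently.

```python
def run_queue(queue, infected, on_detect, reuse_session=True, max_runs=3):
    """Model a sending server working through its queue for one destination.

    on_detect     "drop": an inline device kills the TCP session when it
                          sees the infected message (no SMTP reply is sent)
                  "550":  the receiver answers the message with a 550
    reuse_session True:  all queued messages share one SMTP session per run
                  False: a new connection is opened for every message
    Returns (delivered, rejected, still_queued) after max_runs queue runs.
    """
    if on_detect not in ("drop", "550"):
        raise ValueError("on_detect must be 'drop' or '550'")
    pending = list(queue)
    delivered, rejected = [], []
    for _ in range(max_runs):
        if not pending:
            break
        deferred = []
        session_alive = True
        for msg in pending:
            if not session_alive:
                deferred.append(msg)      # never offered: session already gone
            elif msg not in infected:
                delivered.append(msg)     # accepted normally
            elif on_detect == "550":
                rejected.append(msg)      # permanent failure for this message only
            else:
                deferred.append(msg)      # sender sees a dead connection, will retry
                session_alive = not reuse_session
        pending = deferred                # same order on the next run (assumption)
    return delivered, rejected, pending


if __name__ == "__main__":
    # Constructed sample: three messages for one destination, the first infected.
    queue, infected = ["msg1", "msg2", "msg3"], {"msg1"}
    cases = [
        ("drop, shared session", "drop", True),
        ("drop, one connection per message", "drop", False),
        ("550, shared session", "550", True),
    ]
    for label, action, reuse in cases:
        d, r, q = run_queue(queue, infected, action, reuse_session=reuse)
        print(f"{label}: delivered={d} rejected={r} still queued={q}")
```

Under these assumptions only the combination of a dropped session and a shared session leaves the clean messages stuck behind the infected one.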