[unisog] SMTP and IDP - a question for the SMTP gurus

Stephen C Woods scw at seas.ucla.edu
Thu Feb 12 19:24:46 GMT 2004


  Well our mailscanners accept everything and then scan, so that's not
an issue.  If the receiving agent sends back a 550 the sending machine
should discard the message. 
   Virus messages (at least MyDoom and Klez) use their own MTA and it
contacts the target directly with one message per delivery.
<scw>

On Wed, Feb 11, 2004 at 09:23:25AM -0500, Gary Flynn wrote:
> 
> Short version:
> 
> Does a mail server that has multiple messages to
> deliver to a particular destination server deliver
> all those messages in one session?
> 
> Long version:
> 
> A couple mornings the past couple weeks, our mail server
> has been slammed by incoming MyDoom messages at the start
> of the work day. The AV scanning drives the CPU utilization
> way up and performance suffers.
> 
> IDP devices have signatures to detect known viruses
> in incoming SMTP sessions. However, I'm worried what
> will happen if the sending server has more than one
> message to deliver. Does an SMTP server that has
> multiple messages bound for a destination server
> deliver those in one TCP session in a sequence of
> RCPT TO: commands?
> 
> For example:
> 
> Suppose MailServerA has three messages to deliver to JMU.
> The first one in the queue is infected. As the server tries
> to deliver that first message, it is detected by an IDP and
> the session is dropped. This would seem to prevent further
> messages from being delivered. If the server retries, the
> virus message will still be first in the queue and the
> results will repeat.
> 
> Of course, if the server creates a new SMTP connection
> for each message, this scenario is not valid and I'm
> worried over nothing.
> 
> Thoughts?
> 
> thanks,
> -- 
> Gary Flynn
> Security Engineer - Technical Services
> James Madison University
> 
> 

-- 
-----
Stephen C. Woods; UCLA SEASnet; 2567 Boelter hall; LA CA 90095; (310)-825-8614
Unless otherwise noted these statements are my own, Not those of the 
University of California.                      Internet mail:scw at seas.ucla.edu
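The protocol point under discussion (whether one SMTP connection can carry several mail transactions, and what a 550 reply versus a dropped TCP session does to the rest of the queue) is easiest to see with a small model. The following is an added example, not code from the unisog thread or from either poster; the receiving and sending MTAs are simulated in one process, the malware "signature" is a constructed marker string, and the addresses and message bodies are constructed sample data. The sending side delivers its whole queue in one session, starting a fresh MAIL FROM after each DATA reply, which is the RFC 5321 behaviour Gary asked about.

```python
# Added example: one SMTP session carrying several mail transactions, to show
# how a 550 at DATA and a reset TCP session differ for the rest of the queue.
# Not code from the unisog thread; signature, addresses and bodies are constructed.
import re

# Constructed stand-in for an AV/IDP content signature (not a real signature).
SIGNATURE = re.compile(rb"X-Constructed-Test-Malware")


class SessionDropped(Exception):
    """Raised when the simulated inline device resets the TCP session."""


class Server:
    """Minimal receiving MTA: one connection, many MAIL FROM ... DATA cycles."""

    def __init__(self, policy):
        assert policy in ("reject-550", "drop-session")
        self.policy = policy
        self.delivered = []      # bodies accepted with 250
        self.transcript = []     # (command or <DATA>, reply) pairs
        self._reset_txn()

    def _reset_txn(self):
        self.sender = None
        self.rcpts = []

    def command(self, line):
        verb = line.split(b":")[0].split(b" ")[0].upper()
        if verb in (b"EHLO", b"HELO"):
            reply = b"250 mx.example.test"
        elif verb == b"MAIL":
            self._reset_txn()          # a new transaction begins here
            self.sender = line
            reply = b"250 OK"
        elif verb == b"RCPT":
            self.rcpts.append(line)
            reply = b"250 OK"
        elif verb == b"DATA":
            reply = b"354 End data with <CR><LF>.<CR><LF>"
        elif verb == b"RSET":
            self._reset_txn()
            reply = b"250 OK"
        elif verb == b"QUIT":
            reply = b"221 Bye"
        else:
            reply = b"500 unrecognised command"
        self.transcript.append((line, reply))
        return reply

    def data(self, body):
        """Scan the body at end-of-DATA and decide the transaction's fate."""
        if SIGNATURE.search(body):
            if self.policy == "drop-session":
                self.transcript.append((b"<DATA>", b"<connection reset>"))
                raise SessionDropped()
            reply = b"550 5.7.1 message rejected: malware signature"
        else:
            self.delivered.append(body)
            reply = b"250 OK queued"
        self.transcript.append((b"<DATA>", reply))
        self._reset_txn()
        return reply


def deliver_queue(queue, policy):
    """Sending MTA: deliver (sender, rcpt, body) entries in ONE session.

    Returns (delivered, bounced, remaining_queue, transcript)."""
    server = Server(policy)
    remaining = list(queue)
    delivered = bounced = 0
    try:
        server.command(b"EHLO relay.example.test")
        while remaining:
            sender, rcpt, body = remaining[0]
            server.command(b"MAIL FROM:<" + sender + b">")
            server.command(b"RCPT TO:<" + rcpt + b">")
            server.command(b"DATA")
            reply = server.data(body)
            # Accepted or permanently rejected: either way the message leaves
            # the queue (a 5xx is bounced locally) and the session continues.
            remaining.pop(0)
            if reply.startswith(b"250"):
                delivered += 1
            else:
                bounced += 1
        server.command(b"QUIT")
    except SessionDropped:
        # Session aborted mid-transaction: the offending message is still at
        # the head of the queue, so a retry hits the same signature first.
        pass
    return delivered, bounced, remaining, server.transcript


# Constructed queue: first message carries the marker, the next two are clean.
QUEUE = [
    (b"a@example.test", b"u1@jmu.example", b"Subject: hi\r\n\r\nX-Constructed-Test-Malware\r\n"),
    (b"b@example.test", b"u2@jmu.example", b"Subject: report\r\n\r\nclean body\r\n"),
    (b"c@example.test", b"u3@jmu.example", b"Subject: minutes\r\n\r\nclean body\r\n"),
]

if __name__ == "__main__":
    for policy in ("reject-550", "drop-session"):
        d, b, rest, _ = deliver_queue(QUEUE, policy)
        print(f"{policy}: delivered={d} bounced={b} left_in_queue={len(rest)}")
```

With the reject-550 policy the two clean messages are delivered in the same session and the infected one is bounced by the sender; with the drop-session policy nothing is delivered and the infected message remains first in the queue, which is the retry loop Gary describes. A device that can answer 550 per transaction (or an MTA that accepts and scans, as Stephen's do) avoids penalising the clean mail behind it.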