Stephen C Woods scw at seas.ucla.edu
Thu Feb 12 19:24:46 GMT 2004

  Well, our mail scanners accept everything and then scan, so that's not
an issue.  If the receiving agent sends back a 550 the sending machine
should discard the message. 
   Virus messages (at least MyDoom and Klez) use their own MTA and it
contacts the target directly with one message per delivery.

On Wed, Feb 11, 2004 at 09:23:25AM -0500, Gary Flynn wrote:
> Short version:
> Does a mail server that has multiple messages to
> deliver to a particular destination server deliver
> all those messages in one session?
> Long version:
> A couple mornings the past couple weeks, our mail server
> has been slammed by incoming MyDoom messages at the start
> of the work day. The AV scanning drives the CPU utilization
> way up and performance suffers.
> IDP devices have signatures to detect known viruses
> in incoming SMTP sessions. However, I'm worried what
> will happen if the sending server has more than one
> message to deliver. Does an SMTP server that has
> multiple messages bound for a destination server
> deliver those in one TCP session in a sequence of
> RCPT TO: commands?
> For example:
> Suppose MailServerA has three messages to deliver to JMU.
> The first one in the queue is infected. As the server tries
> to deliver that first message, it is detected by an IDP and
> the session is dropped. This would seem to prevent further
> messages from being delivered. If the server retries, the
> virus message will still be first in the queue and the
> results will repeat.
> Of course, if the server creates a new SMTP connection
> for each message, this scenario is not valid and I'm
> worried over nothing.
> Thoughts?
> thanks,
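
The scenario from the quoted question and the 550 behaviour from the reply, as a small model (an added example, not part of the original thread). It assumes the sender keeps queue order and treats a dropped session as a retryable failure; the function, parameter and message names are hypothetical.

```python
from collections import deque

def run_queue(messages, infected, on_detect, per_message_conn, attempts=3):
    """Model a sending server's queue runs toward one destination.

    on_detect="drop": an inline device kills the TCP session on the infected
                      message; the sender sees a transient failure and requeues.
    on_detect="550":  the receiver rejects with 550; the sender discards.
    per_message_conn: True if the sender opens one connection per message.
    Returns (delivered, still_queued, discarded).
    """
    queue = deque(messages)
    delivered, discarded = [], []
    for _ in range(attempts):
        pending = deque()
        session_alive = True
        while queue:
            msg = queue.popleft()
            if not session_alive:
                pending.append(msg)        # shared session is gone: wait for retry
            elif msg not in infected:
                delivered.append(msg)
            elif on_detect == "550":
                discarded.append(msg)      # permanent failure, session continues
            else:
                pending.append(msg)        # transient failure, message kept
                if not per_message_conn:
                    session_alive = False  # everything behind it is blocked too
        queue = pending
        if not queue:
            break
    return delivered, list(queue), discarded

# Constructed sample: three queued messages, the first one infected.
MSGS = ["msg1", "msg2", "msg3"]
BAD = {"msg1"}

if __name__ == "__main__":
    for mode, per_msg in [("drop", False), ("drop", True), ("550", False)]:
        print(mode, "per-message" if per_msg else "shared", run_queue(MSGS, BAD, mode, per_msg))
```

Only the first case, a dropped session shared by several messages, leaves the clean messages stuck behind the infected one on every retry.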
