[unisog] SMTP and IDP - a question for the SMTP gurus

Matt Crawford crawdad at fnal.gov
Thu Feb 12 22:10:59 GMT 2004


On Feb 11, 2004, at 8:23 AM, Gary Flynn wrote:
> IDP devices have signatures to detect known viruses in incoming SMTP 
> sessions. However, I'm worried what will happen if the sending server 
> has more than one message to deliver. Does an SMTP server that has 
> multiple messages bound for a destination server deliver those in one 
> TCP session in a sequence of RCPT TO: commands?

It may.  If it's one message to many recipients you get a lot of RCPT 
commands.  If it's multiple messages to one forwarder or destination, 
you usually see

HELO
MAIL
RCPT
DATA
RSET
MAIL
RCPT
DATA
RSET
MAIL
RCPT
DATA
QUIT

If the receiving SMTP gives a failure code to the RSET, then the client 
SMTP QUITs and opens a new connection.

> Suppose MailServerA has three messages to deliver to JMU. The first 
> one in the queue is infected. As the server tries to deliver that 
> first message, it is detected by an IDP and
> the session is dropped. This would seem to prevent further messages 
> from being delivered. If the server retries, the virus message will 
> still be first in the queue and the results will repeat.

Ah, the merry mixups that result from trying to solve an application 
layer problem in the network layer ... or vice-versa.
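A simulation of the delivery pattern and failure mode discussed in this thread, added here as an example and not part of the original post: a queued-delivery client sends HELO, then MAIL/RCPT/DATA with RSET between messages, while an assumed in-path IDP drops the TCP session when DATA matches a signature. The queue contents, the signature token and the `defer_on_drop` client behaviour are constructed assumptions, not something the post describes.

```python
class SessionDropped(Exception):
    """Raised when the in-path device tears down the TCP session."""

class InlineIDP:
    """Assumed in-path device: a signature match in DATA drops the session."""
    def __init__(self, signatures):
        self.signatures = signatures

    def inspect(self, command, body):
        if command == "DATA" and any(s in body for s in self.signatures):
            raise SessionDropped(body)

class SMTPServer:
    """Receiving SMTP: records commands that arrived and bodies accepted."""
    def __init__(self, idp):
        self.idp = idp
        self.delivered = []   # bodies accepted after DATA
        self.transcript = []  # commands that actually reached the server

    def send(self, command, body=""):
        self.idp.inspect(command, body)  # device sits between client and server
        self.transcript.append(command)
        if command == "DATA":
            self.delivered.append(body)
        return "250 OK"

def deliver_queue(queue, server, attempts=3, defer_on_drop=False):
    """Flush a queue of (rcpt, body) over up to `attempts` sessions using
    the sequence from the post: HELO, MAIL/RCPT/DATA per message, RSET
    between messages, QUIT. Returns the bodies still undelivered."""
    pending = list(queue)
    for _ in range(attempts):
        if not pending:
            break
        try:
            server.send("HELO")
            while pending:
                rcpt, body = pending[0]
                server.send("MAIL")
                server.send("RCPT", rcpt)
                server.send("DATA", body)
                pending.pop(0)
                if pending:
                    server.send("RSET")
            server.send("QUIT")
        except SessionDropped:
            # The drop leaves the same message at the head of the queue, so a
            # plain retry repeats the outcome. Deferring it (assumed client
            # behaviour, not from the post) lets the clean messages flow.
            if defer_on_drop:
                pending.append(pending.pop(0))
    return [body for _, body in pending]
```

With the default client, three retries produce three identical HELO/MAIL/RCPT fragments and nothing delivered; with deferral only the matching message stays queued.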
