
DISCARD vs. REJECT


martin f krafft

Sep 23, 2003, 2:59:10 AM

I am using some body_checks now to just drop Swen, Sobig.F and
others. The method used is described here[1], I use Dr. Bieringer's
pattern.

1. http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml

My question is: why should I use REJECT? In regular operation, the
infected machine is its own client, which does not honour REJECT
properly, so nothing happens. But in the event of having something
forwarded (e.g. a at remote.org forwards to b at domain.org), if
only domain.org does this body_check, the MTA at remote.org will
generate a DSN and send it to the envelope sender, who wasn't
responsible for this incarnation to be sent -- the worm fakes the
sender address.

So why not use DISCARD, let the message be accepted, but then drop
it by cleanup. I guess what I really want to know: postfix has to
accept the entire message one way or another, so no traffic volume
is saved. But when using DISCARD rather than REJECT, do I incur
a performance loss, or is it negligible, even on 40k+ mails/day
mailservers?

Thanks!

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!

"a compliment is like a kiss through a veil."
-- victor hugo

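
Added here as an illustration (it is neither Postfix code nor anything from the posts in this thread): a Python model of the decision the post above asks about. It parses a constructed body_checks table written in Postfix's pcre: table syntax, applies it line by line the way cleanup(8) does, and then shows the part of the story that happens off the box: the forwarding relay only ever learns of a REJECT, and turns that 5xx into a DSN addressed to the forged envelope sender. The table, the worm signature line, the "non-standard DOS stub" that makes the worm's first line distinguishable, and the three sample bodies are all constructed for this example; treating the first REJECT/DISCARD/HOLD hit as final is a simplification, not a statement of Postfix's exact precedence rules.

```python
"""
Added example, not code from the thread or from Postfix: a parser for the
subset of pcre: table syntax that body_checks uses, applied to body lines the
way cleanup(8) does, to show what the sending relay sees for REJECT versus
DISCARD.  The table, the worm line and the messages are constructed here.
"""
import re

# Base64 of the first 27 bytes of a DOS/PE "MZ" header: the start of nearly
# every base64-encoded Windows executable, legitimate or not.
MZ_PREFIX = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA"

# Constructed first body line of a hypothetical worm, assumed (for this demo)
# to carry a non-standard DOS stub so that it differs from an ordinary .exe.
WORM_LINE = MZ_PREFIX + "HJSF8976LKLmNoPqRsTuVwXyZabcdefgPOSOPI23"

# Constructed table in pcre: syntax.  '/' inside a pattern is written '\/',
# matching is case-insensitive unless the 'i' flag is given, and for each body
# line the first rule that matches decides.  Narrow rule first, broad rule last.
BODY_CHECKS = r"""
# Only the worm can produce this complete line: safe to drop after a 250.
/^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAHJSF8976LKLmNoPqRsTuVwXyZabcdefgPOSOPI23$/ DISCARD worm body signature
# Any Windows executable at all: a legitimate sender can hit this, so tell them.
/^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAA/ REJECT Windows executables are not accepted here
"""

RULE_RE = re.compile(
    r'^/(?P<pat>(?:\\.|[^/\\])*)/(?P<flags>[a-zA-Z]*)\s+(?P<action>[A-Z]+)(?:\s+(?P<text>.*))?$')


def parse_table(text):
    """Turn '/pattern/flags ACTION text' lines into (regex, ACTION, text) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparseable rule: %r" % raw)
        flags = 0 if 'i' in m['flags'] else re.IGNORECASE   # 'i' toggles the default
        rules.append((re.compile(m['pat'], flags), m['action'], m['text'] or ''))
    return rules


def check_body(rules, body_lines):
    """Scan body lines in order; return (ACTION, text, line) for the first REJECT,
    DISCARD or HOLD hit, else None.  Simplification (assumption): the first such
    hit is final; any other action (WARN, OK, DUNNO...) just ends matching for
    that one line."""
    for line in body_lines:
        for regex, action, text in rules:
            if regex.search(line):
                if action in ('REJECT', 'DISCARD', 'HOLD'):
                    return (action, text, line)
                break
    return None


def smtp_reply(verdict):
    """End-of-DATA reply as the sending MTA sees it.  Only REJECT is visible;
    DISCARD and HOLD answer 250, so the client believes the mail was delivered.
    (Illustrative reply text; the real code and wording depend on the Postfix
    version and configuration.)"""
    if verdict and verdict[0] == 'REJECT':
        return "554 5.7.1 %s" % (verdict[1] or "message content rejected")
    return "250 2.0.0 Ok: queued"


def dsn_recipient(reply, envelope_sender):
    """The forwarding relay's side: a 5xx at DATA makes *it* bounce to the
    envelope sender, an address a worm forges; a 250 produces no DSN at all."""
    return envelope_sender if reply.startswith('5') else None


RULES = parse_table(BODY_CHECKS)

# Constructed bodies (the lines after the headers of a forwarded message).
WORM_BODY = ["--part1", 'Content-Type: application/octet-stream; name="patch.exe"',
             "Content-Transfer-Encoding: base64", "", WORM_LINE, "--part1--"]
EXE_BODY = ["--part1", 'Content-Type: application/octet-stream; name="tool.exe"',
            "Content-Transfer-Encoding: base64", "", MZ_PREFIX + "A" * 40, "--part1--"]
CLEAN_BODY = ["Hi Bob,", "", "minutes from today's meeting are below.", "-- a"]

if __name__ == "__main__":
    forged_sender = "innocent@example.org"     # hypothetical address forged by the worm
    for name, body in (("worm", WORM_BODY), ("legit exe", EXE_BODY), ("clean", CLEAN_BODY)):
        verdict = check_body(RULES, body)
        reply = smtp_reply(verdict)
        print("%-9s -> %-8s reply=%r DSN to: %s" % (
            name, verdict[0] if verdict else "accept", reply,
            dsn_recipient(reply, forged_sender)))
```

Run as a script it prints the three verdicts. The rule order matters for the reason the later replies give: the narrow, fully anchored DISCARD line has to come before the broad MZ prefix rule, otherwise the worm mail is rejected and the forged sender collects the bounce from remote.org; the broad REJECT stays in the table so that someone who really did mail an .exe is told why it never arrived.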

Philipp Morger

Sep 23, 2003, 3:31:30 AM
DISCARD per se violates RFC821 - it says that it has taken the message
for delivery but loses it willingly... but that's ok for certain
circumstances...

It's just, the more things get DISCARDed, the more time consuming it is
to nail down an error in the event regular mail gets caught...

I assume it makes no difference for Sobig - if 2 mailservers have
patterns to REJECT mails with the subjects for Sobig, it will generate a
double bounce and get discarded - the difference is only the data on the
wire and a few log entries....

regards
Philipp

On Tue, Sep 23, 2003 at 08:58:46 +0200, martin f krafft wrote:
> I am using some body_checks now to just drop Swen, Sobig.F and
> others. The method used is described here[1], I use Dr. Bieringer's
> pattern.
>
> 1. http://www.stahl.bau.tu-bs.de/~hildeb/postfix/postfix_sobigf.shtml
>
> My question is: why should I use REJECT? In regular operation, the
> infected machine is its own client, which does not honour REJECT
> properly, so nothing happens. But in the event of having something
> forwarded (e.g. a at remote.org forwards to b at domain.org), if
> only domain.org does this body_check, the MTA at remote.org will
> generate a DSN and send it to the envelope sender, who wasn't
> responsible for this incarnation to be sent -- the worm fakes the
> sender address.
>
> So why not use DISCARD, let the message be accepted, but then drop
> it by cleanup. I guess what I really want to know: postfix has to
> accept the entire message one way or another, so no traffic volume
> is saved. But when using DISCARD rather than REJECT, do I incur
> a performance loss, or is it negligible, even on 40k+ mails/day
> mailservers?
>
> Thanks!
>

--
_;\_ Philipp Morger / PHM2-RIPE System & Network Administrator
/_. \ Dolphins Network Systems AG Phone +41-1-847'45'45
|/ -\ .) Email: <philipp...@dolphins.ch>
-'^`- \; Don't send mail to: pl...@caretaker.dolphins.ch

martin f krafft

Sep 23, 2003, 3:40:27 AM

also sprach Philipp Morger <mailingli...@dolphins.ch> [2003.09.23.0931 +0200]:

> It's just, the more things get DISCARDed, the more time consuming
> it is to nail down an error in the event regular mail gets
> caught...

Sure, except discard logs quite nicely too.

Is there a significant performance overhead to DISCARD when compared
to REJECT?

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!

windoze 3.1 - the best $89 solitaire game you can buy.

Victor....@morganstanley.com

Sep 23, 2003, 9:50:15 AM
On Tue, 23 Sep 2003, martin f krafft wrote:

> also sprach Philipp Morger <mailingli...@dolphins.ch> [2003.09.23.0931 +0200]:
>
> > It's just, the more things get DISCARDed, the more time consuming
> > it is to nail down an error in the event regular mail gets
> > caught...
>
> Sure, except discard logs quite nicely too.
>
> Is there a significant performance overhead to DISCARD when compared
> to REJECT?
>

NO. Use DISCARD when you have a precise signature for a mass-mailer worm.

--
Viktor.

Tony Earnshaw

Sep 23, 2003, 1:35:25 PM
Victor....@morganstanley.com wrote:

> NO. Use DISCARD when you have a precise signature for a mass-mailer worm.

Or not, as the case may be. Use smtp reject, if you should decide to
adopt use of the snapshot proxy.

*USE SMTP REJECT RATHER THAN DISCARD*. You have accepted responsibility
for mail. It does not matter how or what, by accepting any mail, you
have accepted responsibility for it. You can not simply accept mail and
then discard it, whilst not notifying the relay from which you have
accepted it.

O.k., so the relay is a hoax. O.k., so the relay does not exist in
practice. There are rfc rules for the above. You can not choke your wife
to death because you do not like her any more. That is what divorce is for.

By accepting *ANY* mail, just as any mail relay does, you have accepted
responsibility for delivery. If you do not wish to accept
responsibility, then your intention and reason should be stated plainly,
in such manner, that the consigner should be left in no doubt.

Never discard mail. If you do so, you have negated your responsibility
to the community.

The foot-postman cannot be bothered to deliver mail in his bag, so he
chucks it into the nearest trash bin. The foot-postman gets the sack.

This at the end of a long and economically extremely expensive day of
beating Swen. *And I beat him*. Things are back to normal. Not that
Swen's gone away, he just does not bother me any more.

--Tonni

--
Tony Earnshaw

Millom kaksar eg litet kann trivast, millom jamningar helst er eg nøgd
(Among bigwigs I can hardly thrive; among equals I am most content.)

http://www.billy.demon.nl
Mail: to...@billy.demon.nl

Victor....@morganstanley.com

Sep 23, 2003, 1:59:32 PM
On Tue, 23 Sep 2003, Tony Earnshaw wrote:

> Victor....@morganstanley.com wrote:
>
> > NO. Use DISCARD when you have a precise signature for a mass-mailer worm.
>
> By accepting *ANY* mail, just as any mail relay does, you have accepted
> responsibility for delivery. If you do not wish to accept
> responsibility, then your intention and reason should be stated plainly,
> in such manner, that the consigner should be left in no doubt.
>

Read the first line carefully: "a precise signature for a mass-mailer
worm". I can choose to (and advise others to also) responsibly deliver it
to /dev/null. Over and out.

--
Viktor.

Postfix At Techie

Sep 23, 2003, 2:05:19 PM
To add to this,
If spammers/viruses are not playing by rfc rules, why should we?
I accept full responsibility for mails from hotmail.com, as long as they
come FROM hotmail.com.

I don't take any responsibility for emails coming from hotmail.com FROM
adsl-xxx-xxx-xxx-xxx.pacbell.net

Jaysam

Derrick 'dman' Hudson

Sep 23, 2003, 2:50:05 PM

On Tue, Sep 23, 2003 at 07:32:55PM +0200, Tony Earnshaw wrote:
| Victor....@morganstanley.com wrote:
|
| >NO. Use DISCARD when you have a precise signature for a mass-mailer worm.

| *USE SMTP REJECT RATHER THAN DISCARD*.
[...]

| The foot-postman cannot be bothered to deliver mail in his bag, so he
| chucks it into the nearest trash bin. The foot-postman gets the sack.

If the foot-postman notices explosives in a package mail, and fails to
deliver it he will be commended. Should this postman, after seeing
the explosives have placed it in the neighbor's mailbox? (say, for
example, their address was the return address)

If you have identified the malware, throw it away. Don't throw it at
someone else. That is rather like a food-fight in elementary school:
someone notices an unpleasant item on their table and so throws it at
the kid sitting at the next table. Rather than throw it away, the
second kid throws it at the next table. The responsible action is to
throw away the refuse, not throw it at someone else.

(FWIW I have discarded just as many copies of swen/gibe[1] in the past
couple days as I have rejected spam attempts)

-D

[1] I don't know specifically because I discard all windows
executables because I know that, on my non-windows system, I will
never receive a "legit" windows executable. With a single user at
this domain; 464 windows exe's were discarded, a full 35% of the
mail traffic; an additional 30% (397 messages) were rejected by
other anti-UCE measures.

--
(A)bort, (R)etry, (T)ake down entire network?

http://dman13.dyndns.org/~dman/

Justin Boswell

Sep 23, 2003, 3:40:43 PM
On 09.23 14:49, Derrick 'dman' Hudson wrote:
> On Tue, Sep 23, 2003 at 07:32:55PM +0200, Tony Earnshaw wrote:
> | Victor....@morganstanley.com wrote:
> |
> | >NO. Use DISCARD when you have a precise signature for a mass-mailer worm.
>
> | *USE SMTP REJECT RATHER THAN DISCARD*.
> [...]
>
> | The foot-postman cannot be bothered to deliver mail in his bag, so he
> | chucks it into the nearest trash bin. The foot-postman gets the sack.
>
> If the foot-postman notices explosives in a package mail, and fails to
> deliver it he will be commended. Should this postman, after seeing
> the explosives have placed it in the neighbor's mailbox? (say, for
> example, their address was the return address)

Kind of stretching the analogy a bit far, but ok :)

I think this argument can go both ways and could go on forever. On one
hand, rejecting emails on this criteria is no better than those retarded
"You sent us a virus" notifications, and only serves to increase traffic
during an epidemic. On the other hand, we're an ISP, and we have to
field calls if someone emails one of our users a "legit" .exe and it
disappears. So in that respect, using REJECT gives the external user an
error message. I think the happy compromise is to REJECT general cases,
like all .exe files, and to DISCARD only when you are 100% sure that
only a virus would match that criteria.

--
Justin Boswell Quantum Internet Services, Inc.
jbos...@qis.net http://www.qis.net/jboswell
410-239-6920 Current spam trap: qstjb8...@qis.net

Tony Earnshaw

Sep 23, 2003, 3:48:27 PM
Victor....@morganstanley.com wrote:

> Over and out.

Meester.

Bob Snyder

Sep 23, 2003, 4:26:45 PM
On Tuesday 23 September 2003 09:49 am, Victor....@morganstanley.com
wrote:

> NO. Use DISCARD when you have a precise signature for a mass-mailer worm.

I would use DISCARD for virus/malware that I know fakes the From header like
Sobig. Swen doesn't, so I use REJECT with text pointing to a Swen description
website so that maybe the infected person has a chance to get a clue.

Bob

Vivek Khera

Sep 23, 2003, 4:37:33 PM
>>>>> "BS" == Bob Snyder <rsn...@toontown.erial.nj.us> writes:

BS> On Tuesday 23 September 2003 09:49 am, Victor....@morganstanley.com
BS> wrote:

>> NO. Use DISCARD when you have a precise signature for a mass-mailer worm.

BS> I would use DISCARD for virus/malware that I know fakes the From
BS> header like Sobig. Swen doesn't, so I use REJECT with text

Are you sure it doesn't? I had to add it to my discard list of
viruses -- I got at least one complaint about it.

Juan Nin

Sep 23, 2003, 4:47:01 PM
On Tue, 2003-09-23 at 17:36, Vivek Khera wrote:

> BS> I would use DISCARD for virus/malware that I know fakes the From
> BS> header like Sobig. Swen doesn't, so I use REJECT with text
>
> Are you sure it doesn't? I had to add it to my discard list of
> viruses -- I got at least one complaint about it.

At least at http://www.symantec.com/avcenter/ it doesn't say that it forges
addresses..

Juan

Bob Snyder

Sep 23, 2003, 6:06:12 PM
On Tuesday 23 September 2003 04:36 pm, Vivek Khera wrote:

> BS> I would use DISCARD for virus/malware that I know fakes the From
> BS> header like Sobig. Swen doesn't, so I use REJECT with text
>
> Are you sure it doesn't? I had to add it to my discard list of
> viruses -- I got at least one complaint about it.

I believe it fakes the "From:" field in the mail, but the SMTP headers seem
valid, based on the messages I've seen... No discernible pattern (eg,
admin@), the domain in the Mail From: is valid for the server trying to
connect, etc...

Bob

martin f krafft

Sep 23, 2003, 6:52:38 PM

> error message. I think the happy compromise is to REJECT general cases,
> like all .exe files, and to DISCARD only when you are 100% sure that
> only a virus would match that criteria.

This sounds like what I was thinking. So I guess the question is:

I have 80 characters of consecutive MIME base64 encoding. How likely
is it that a different, legitimate file will have exactly that same
line?

/^HJSF8976LKL.....POSOPI238UL$/

is what I am talking about.

--
martin; (greetings from the heart of the sun.)
\____ echo mailto: !#^."<*>"|tr "<*> mailto:" net@madduck

invalid/expired pgp subkeys? use subkeys.pgp.net as keyserver!

"... doch warum sollte nicht jeder einzelne
aus seinem leben ein kunstwerk machen koennen?"
("... but why shouldn't every individual be able to make a work of art out of their life?")
-- michel foucault

Victor....@morganstanley.com

Sep 23, 2003, 7:34:05 PM
On Wed, 24 Sep 2003, martin f krafft wrote:

> I have 80 characters of consecutive MIME base64 encoding. How likely
> is it that a different, legitimate file will have exactly that same
> line?
>
> /^HJSF8976LKL.....POSOPI238UL$/

Depends on what those 80 characters decode to. The distribution of strings
in text or executables is not uniform. Some strings are much more common
than others. If you pick the right base64 string, the odds of seeing it
elsewhere will be quite low.

--
Viktor.

Tomasz Piłat

Sep 25, 2003, 8:56:03 AM
Tony,

Tuesday, September 23, 2003, 7:32:55 PM, you wrote:

>> NO. Use DISCARD when you have a precise signature for a mass-mailer worm.

TE> *USE SMTP REJECT RATHER THAN DISCARD*. [...]

Maybe this will be helpful:

http://www.ietf.org/internet-drafts/draft-kucharski-email-viruses-00.txt

Ponc
--
Tomasz "Poncki" Piłat
AXEL SPRINGER POLSKA Sp. z o.o.

Derrick 'dman' Hudson

Sep 25, 2003, 11:51:04 PM

On Tue, Sep 23, 2003 at 03:40:25PM -0400, Justin Boswell wrote:
| On 09.23 14:49, Derrick 'dman' Hudson wrote:
| > On Tue, Sep 23, 2003 at 07:32:55PM +0200, Tony Earnshaw wrote:
| > | Victor....@morganstanley.com wrote:
| > |
| > | >NO. Use DISCARD when you have a precise signature for a mass-mailer worm.
| >
| > | *USE SMTP REJECT RATHER THAN DISCARD*.
| > [...]
| >
| > | The foot-postman cannot be bothered to deliver mail in his bag, so he
| > | chucks it into the nearest trash bin. The foot-postman gets the sack.
| >
| > If the foot-postman notices explosives in a package mail, and fails to
| > deliver it he will be commended. Should this postman, after seeing
| > the explosives have placed it in the neighbor's mailbox? (say, for
| > example, their address was the return address)
|
| Kind of stretching the analogy a bit far, but ok :)

Depends on the platforms of "you" and "the neighbor". (Outlook has a
nasty tendency to explode when encountering such content, though for
other systems spoiled food may be a better analogous content than a
bomb)

| I think this argument can go both ways and could go on forever.
| On one hand, rejecting emails on this criteria is no better than
| those retarded "You sent us a virus" notifications, and only serves
| to increase traffic during an epidemic.

This is precisely the issue. If the sender couldn't be forged then
rejecting wouldn't be a problem.

| On the other hand, we're an ISP, and we have to
| field calls if someone emails one of our users a "legit" .exe and it
| disappears.
| So in that respect, using REJECT gives the external user an error
| message. I think the happy compromise is to REJECT general cases,
| like all .exe files, and to DISCARD only when you are 100% sure that
| only a virus would match that criteria.

I think this is reasonable.


An approach that I am seriously considering trying to implement at
work soon is as follows :
If the content is obviously malware, discard it.
If the content is potentially dangerous, hold it.
Users will receive a daily (email) summary of their held mail,
and have a web interface available to inspect and then either
discard or deliver the message.

This ensures no joe-jobbing because the sender address doesn't receive
anything, and also ensures no "legit" mail is lost. The only
challenge is the web interface part for managing the hold queue.

If/when I get this coded I'll try to release it back to the public.

-D

--
"...Deep Hack Mode--that mysterious and frightening state of
consciousness where Mortal Users fear to tread."
(By Matt Welsh)

http://dman13.dyndns.org/~dman/

Jared Watkins

Sep 26, 2003, 12:35:08 AM

> If the content is obvously malware, discard it.
> If the content is potentially dangerous, hold it.
> Users will receive a daily (email) summary of their held mail,
> and have a web interface available to inspect and then either
> discard or deliver the message.
>
>This ensures no joe-jobbing because the sender address doesn't receive
>anything, and also ensures no "legit" mail is lost. The only
>challenge is the web interface part for managing the hold queue.
>
>If/when I get this coded I'll try to release it back to the public.
>
>-D
>
>
I've just put code to do this exact thing up on sourceforge this week...
been shaking out the bugs but I think it's about ready to go. It is
written as a plugin for Squirrel Mail... working to control SpamAssassin
via amavis-new. The message quarantine is a big part of it.. with
messages being stored in a postgres database until either released by
the user or automatically purged after a user settable time period.

It's in cvs at cvs.sourceforge.net/cvsroot/sm-plugins/plugins/amavisnewsql/

I should be releasing the first regular tarball in the next few days...

Jared

