[Asrg] where the message originated
Rich Kulawiec
rsk at gsp.org
Tue Jan 13 05:49:26 PST 2009
On Mon, Jan 12, 2009 at 12:42:59PM -0500, der Mouse wrote:
> Well, I didn't write it. But I interpreted it as, basically, this
> scenario:
>
> - Malware goes out, addressed to A, (forged) envelope-from B. Sending
> channel ends up emitting it from a normal MTA, M.
>
> - A's MX host rejects it at SMTP time.
>
> - M generates and sends a bounce to B.
>
> - B receives bounce with embedded malware. Somehow - perhaps B's MUA
> aggressively looks for and executes live content; perhaps B clicks
> on the wrong thing; perhaps something else - this ends up with a
> malware infestation on B's machine. (Cue xkcd #350.)
>
> If A's MX host had silently swallowed the mail, nothing would have
> happened to B - or, at least, not on account of this message. (This is
> not to say that _I_ think it's fair to say that A's rejection caused B
> to get infected. Just that this is what I think Alessandro meant.)
Ah, gotcha. I agree that silently swallowing the message might have
spared B a possible infection, but I'm reluctant to blame A's MX for
this: it didn't originate, accept or transfer the malware-laden message.
I think responsibility lies with M, and/or with whatever system passed
the message to M (presuming the message didn't originate on M).
While this is a less-than-desirable outcome, I think it may be the best
we can do -- we can't block something before we see it, we can only do
our best to reject outright spam/malware/junk traffic at the earliest
available opportunity. (One of the ways I've expressed this elsewhere
is that the best place to stop spam is as near its source as possible.
The farther it gets from the origin, the trickier detecting it gets,
and the greater the possible consequences.)
---Rsk
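The three-host scenario quoted above, as an added example that is not part of the original thread: a minimal model in which A's MX rejects in-session, M accepts and therefore owns the bounce, and the forged envelope-from B receives the backscatter. Host names A, B and M are the thread's; the addresses, message shape and policy functions are constructed for the example.

```python
# Added example (not from the ASRG thread): model of backscatter generation.
# Hosts A, B, M follow der Mouse's scenario; everything else is constructed.
from dataclasses import dataclass, field


@dataclass
class Message:
    envelope_from: str        # MAIL FROM; forged to B in the scenario
    rcpt_to: str              # RCPT TO; the real target A
    body: str
    is_malware: bool = False


@dataclass
class MTA:
    name: str
    reject_at_smtp: bool = False          # scan during the SMTP transaction?
    sent_bounces: list = field(default_factory=list)

    def smtp_accept(self, msg: Message) -> int:
        """SMTP reply code: 250 = accepted, 550 = rejected in-session.
        An in-session 550 means the *peer*, not this host, must notify."""
        if self.reject_at_smtp and msg.is_malware:
            return 550
        return 250

    def relay(self, msg: Message, next_hop: "MTA") -> int:
        """Forward an already-accepted message. If next_hop rejects, this
        host has to tell the envelope sender (RFC 5321), which for forged
        mail means a DSN carrying the original content goes to B."""
        code = next_hop.smtp_accept(msg)
        if code != 250:
            dsn = Message(envelope_from="", rcpt_to=msg.envelope_from,
                          body=f"undeliverable: {msg.body}",
                          is_malware=msg.is_malware)   # malware rides along
            self.sent_bounces.append(dsn)
        return code


def run_scenario(m_rejects_at_smtp: bool) -> dict:
    """Malware addressed to A, forged envelope-from B, injected via M."""
    a_mx = MTA("A-MX", reject_at_smtp=True)
    m = MTA("M", reject_at_smtp=m_rejects_at_smtp)
    malware = Message(envelope_from="b@example.org",      # constructed
                      rcpt_to="a@example.com", body="<malware>",
                      is_malware=True)
    code_at_m = m.smtp_accept(malware)   # client hands the message to M
    if code_at_m == 250:
        m.relay(malware, a_mx)           # M now owns delivery and any DSN
    return {"m_reply": code_at_m,
            "backscatter_to_b": [d.rcpt_to for d in m.sent_bounces],
            "malware_in_bounce": any(d.is_malware for d in m.sent_bounces)}
```

Running `run_scenario(False)` reproduces the thread's outcome (M bounces the malware to B); `run_scenario(True)` shows that rejecting at M's own SMTP session, the earliest available point, leaves no bounce for anyone to generate.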