[Asrg] where the message originated

Chris Lewis clewis at nortel.com
Tue Jan 13 12:22:46 PST 2009


Alessandro Vesely wrote:
> Rich Kulawiec wrote:
>> On Mon, Jan 12, 2009 at 12:42:59PM -0500, der Mouse wrote:
>>> - Malware goes out, addressed to A, (forged) envelope-from B.  Sending
>>>    channel ends up emitting it from a normal MTA, M.
>>>
>>> - A's MX host rejects it at SMTP time.
>>>
>>> - M generates and sends a bounce to B.
>>>
>>> - B receives bounce with embedded malware.  Somehow - perhaps B's MUA
>>>    aggressively looks for and executes live content; perhaps B clicks
>>>    on the wrong thing; perhaps something else - this ends up with a
>>>    malware infestation on B's machine.  (Cue xkcd #350.)
>>>
>>> If A's MX host had silently swallowed the mail, nothing would have
>>> happened to B - or, at least, not on account of this message.
>> Ah, gotcha.  I agree that silently swallowing the message might have
>> spared B a possible infection, but I'm reluctant to blame A's MX for
>> this: it didn't originate, accept or transfer the malware-laden message.
> 
> A's MX knows that M lacks effective anti-virus filtering. Hence, 
> through inaction, it allowed a human being to come to harm. That 
> obviously breaks the first law.

A's MX didn't generate _any_ virus-laden email.  It just 550'd.  The
originator did, and M's mailer is complicit by constructing a new email
(the bounce) that contains the virus-laden email.

A knows its filtering isn't perfect and that every rejection is a
potential FP.  So, the rejection is the best way to ensure that the
appropriate party (if any) is notified.  Blackholing would violate the
first law.

M _should_ know that best practice is now to ensure that the recipient
of the bounce knows enough to know what email bounced, and should
truncate the email to that minimum.  E.g., original recipient, sender (the
recipient of the bounce), date, subject, and perhaps a few other
snippets.  A very large proportion of MTAs now do that by default.
