[Asrg] Meta channel, not bounces
Chris Lewis
clewis at nortel.com
Thu Jan 15 13:17:31 PST 2009
Alessandro Vesely wrote:

> Chris said their filter is not able to distinguish viruses from
> generic malware.

That should be read to mean "not in general", as opposed to "never".

> Having an appropriate error message is not enough. It is also
> necessary to deliver that message to the right operator.

Thus becoming a DDOS vector.

> Some large sites have established feedback loops whereby a message is
> "bounced" to some postmaster. Apparently, they are mainly meant for
> "this is spam" actions. However, the ARF format (quite similar to DSN)
> provides fields for reporting bad DKIM signatures. I don't know at
> what level such bounces could be generated. It is technically possible
> to generate them right after the data transfer, just like for viral
> content. If we recognize that viruses are a problem, don't they
> deserve using that meta channel as well? This leaves us wondering how
> can such a meta channel be established for small and medium sites as
> well...

Thus becoming a DDOS vector.

Went through this conversation on another list recently.

It is technically possible (in fact trivial in many cases) to instrument
an MTA to automatically generate and send ARF in real time. Even
assuming that the MTA can figure out the _right_ place to send the ARF,
it becomes a WMD.

Imagine, if you will, everybody did it. Some moderately sized site gets
a reasonably prolific (single) infection, and spews out a few million
viruses. You're expecting the site's MTAs to handle a few million ARFs,
when only one _should_ suffice.

If broadly implemented, it'd cause global meltdown.

God help us all if the site receiving the ARF somehow doesn't recognize
it as ARF, and replies with its own ARFs. Or, if the virus writer
figures out a way to get the ARF generators to send it to the wrong
place - believe me, they'd be trying...

ARF is good stuff. But only insofar as there are limitations on how it's
emitted/deployed.
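
Added example (not part of the original message, and not code from any MTA): one way to put the limits described above on automatic ARF emission. It assumes reports are keyed on the connecting source IP and capped at one per source per window, and that any inbound multipart/report is never answered with a report; the class name, window length and sample messages are constructed for illustration.

```python
import email
from email import policy


def is_report(raw: bytes) -> bool:
    """True if the message is itself a report (ARF, DSN, ...)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return msg.get_content_type() == "multipart/report"


class ReportThrottle:
    """Emit at most one report per source per window; count the rest."""

    def __init__(self, window: int = 3600):
        self.window = window   # seconds (assumed value)
        self.state = {}        # source_ip -> [window_start, suppressed]

    def should_report(self, source_ip: str, raw: bytes, now: float) -> bool:
        if is_report(raw):
            # Loop guard: never generate a report about a report.
            return False
        entry = self.state.get(source_ip)
        if entry is None or now - entry[0] >= self.window:
            self.state[source_ip] = [now, 0]
            return True        # first hit in this window: one report
        entry[1] += 1          # aggregate instead of sending again
        return False


# Constructed sample messages (documentation addresses only).
VIRUS = (b"From: a@example.org\r\nSubject: hi\r\n"
         b"Content-Type: text/plain\r\n\r\nbody\r\n")
ARF = (b"From: fbl@example.net\r\n"
       b"Content-Type: multipart/report; report-type=feedback-report;"
       b' boundary="b"\r\n\r\n--b\r\nContent-Type: text/plain\r\n\r\n'
       b"report\r\n--b--\r\n")


def burst(n: int = 1000) -> int:
    """Reports emitted for n infected messages from one source in one window."""
    throttle = ReportThrottle()
    return sum(throttle.should_report("192.0.2.10", VIRUS, now=i)
               for i in range(n))


if __name__ == "__main__":
    print("reports sent for 1000 messages:", burst())
```

The suppressed count kept per source can be carried in the next window's report, so the receiving site still learns the volume without receiving one report per message.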