vbounce does an incredible job of blocking those pesky backscatters
from networks that do not validate their valid users on the 'bastion'
email server or proxy (and those who still insist on bouncing forged
viruses, or spammers who create phoney email 'bounces').
One of its strengths is also one of its weaknesses.
In order to allow VALID bounces, it compares a set of whitelisted relays
to the part of the original email (headers) included in the bounce.
There comes its weakness.
'Bounces' (or things vbounce thinks are bounces) like vacation, out of
office and read receipt messages match signatures in vbounce, but never
include the original emails.
One more thing, well, many more do this also.
Take automated ticketing systems (like RT). It adds an
Auto-Submitted: auto-generated
header line.
So does Bugzilla.
So, ironically (as in both strange AND funny), if you post a bug to
SpamAssassin's Bugzilla, and get an automated email from it, vbounce
marks it as BOUNCE_MESSAGE && ANY_BOUNCE_MESSAGE. This happens with emails
from ClamAV when you submit a signature, and silly people at Live (MSN
things) when you ask for a password reminder.
I suggest taking things out of vbounce that do not and cannot ever have
the whitelist relays in them.
From a CPU / load standpoint, why bother checking whitelisted relays
against signatures that cannot possibly have whitelist relays in them?
From a maintenance and scoring standpoint, shouldn't the 'other
bounces' / machine-generated emails be in a different file?
Just my thoughts, what say you users who have to use this in production
environments?
(PS, I already posted a suggested patch to vbounce that takes (many) of
the out of office messages out of the BOUNCE_MESSAGE and creates an
OOO_BOUNCE_MESSAGE subsection, and will be experimenting with read
receipt ones also.)
I'd like to work on patches if there is an agreement as to what makes
good practice. I'd like to keep it as upward compatible (as in not break
anything) as possible.
--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
* SECNAP Network Security Corporation
* Certified SNORT Integrator
* King of Spam Filters, SC Magazine 2008
* Information Security Award 2008, Info Security Products Guide
* CRN Magazine Top 40 Emerging Security Vendors
* Finalist 2009 Network Products Guide Hot Companies
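As an added illustration of the argument in the post above (example code, not vbounce's or SpamAssassin's own logic; the relay whitelist, host names and sample messages are constructed): a minimal classifier that skips the whitelisted-relay comparison entirely for Auto-Submitted mail that quotes no original headers, and only compares relays for real multipart/report DSNs that do quote them.

```python
import re
import email
from email import policy

# Constructed stand-in for a whitelist_bounce_relays setting (assumption, not from the post).
WHITELIST_BOUNCE_RELAYS = {"mail.example.net"}

def is_auto_submitted(msg):
    """RFC 3834: any Auto-Submitted value other than 'no' marks machine-generated mail."""
    value = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    return value != "no"

def embedded_relay_hosts(msg):
    """Hosts named in Received: headers of an original message quoted inside a bounce.
    walk() descends into message/rfc822 parts; the top-level message's own headers are skipped."""
    hosts = set()
    for part in msg.walk():
        if part is msg:
            continue
        for received in part.get_all("Received", []):
            m = re.match(r"\s*from\s+([\w.-]+)", str(received))
            if m:
                hosts.add(m.group(1).lower())
    return hosts

def classify(raw):
    msg = email.message_from_string(raw, policy=policy.default)
    # Ticket systems, auto-replies and receipts never quote the original headers,
    # so there is nothing to compare against the relay whitelist: skip that check.
    if is_auto_submitted(msg) and not embedded_relay_hosts(msg):
        return "auto-generated"
    if msg.get_content_type() != "multipart/report":
        return "not-a-bounce"
    if embedded_relay_hosts(msg) & WHITELIST_BOUNCE_RELAYS:
        return "valid-bounce"   # our relay handled the original: a genuine DSN
    return "backscatter"        # DSN for a message our relays never sent

def make_dsn(relay_host):
    """Constructed DSN quoting the original message; relay_host is its first hop."""
    return ("From: MAILER-DAEMON@remote.example\nTo: user@example.net\n"
            "Content-Type: multipart/report; report-type=delivery-status; boundary=B\n\n"
            "--B\nContent-Type: text/plain\n\nDelivery failed.\n"
            "--B\nContent-Type: message/rfc822\n\n"
            f"Received: from {relay_host} ([192.0.2.10]) by remote.example\n"
            "From: user@example.net\nSubject: hello\n\nbody\n--B--\n")

# Constructed ticket-system notice of the kind the post describes.
TICKET_NOTICE = ("From: rt@example.org\nTo: user@example.net\n"
                 "Auto-Submitted: auto-generated\nSubject: [rt #1] created\n\nTicket created.\n")
```

Running classify() over make_dsn("mail.example.net"), make_dsn("open-relay.example.com") and TICKET_NOTICE yields "valid-bounce", "backscatter" and "auto-generated" respectively; only the first two ever touch the relay whitelist.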