[Esa-l] SECURITY_NOTIFY_RECIPIENT

Brett Glass brett at lariat.org
Mon Apr 16 19:45:54 PDT 2001


At 08:25 AM 4/16/2001, rcooper wrote:
  
>When enabling SECURITY_NOTIFY_RECIPIENT the recipient does indeed get a 
>message notifying them of the filtered email.  Unfortunately this does not 
>include a transcript of the email headers etc of whom or where the message
>came from.  Thus the recipient is left confused as to who generated the 
>message.  Is there a way to enable this feature to send more information?

Unfortunately, the recipient may not KNOW the sender. This is especially
true in the case of the ubiquitous Hybris worm, which scans every packet
that passes through the Windows Sockets DLL for e-mail addresses and mails
itself to those addresses. The addresses can come from Web pages, from
NetNews, from the cc: lists of other e-mails.... Almost anywhere. What's
more, Hybris has its own mailer which does not reveal the sender's
identity. Under most conditions, the only information that's present
in the message is the sender's IP address and the time the worm was
sent.... Not enough to track down the infected computer without the
help of the sender's ISP.

It's good PR to let the intended recipient know that you've blocked
malware. But don't expect the recipient to be able to glean much from
those headers.

--Brett
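
An added example, not part of the original post or of the sanitizer's own code: pulling the two facts described above (the connecting IP address and the time) out of a blocked message's `Received:` headers, so they can be passed to the sender's ISP. The hostnames, addresses, sample headers and the `TRUSTED` relay set are constructed assumptions, and matching relays by the `by` hostname is a simplification.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (documentation IP ranges, example hostnames).
# The bottom Received line stands in for one the sending program made up.
SAMPLE = (
    "Received: from mx.example.net (mx.example.net [192.0.2.10])\n"
    "\tby mail.example.org with ESMTP id f3H2jsA01234\n"
    "\tfor <user@example.org>; Mon, 16 Apr 2001 19:45:54 -0700 (PDT)\n"
    "Received: from unknown (dialup-7.example.com [198.51.100.77])\n"
    "\tby mx.example.net with SMTP id TAA05678;\n"
    "\tMon, 16 Apr 2001 19:45:12 -0700 (PDT)\n"
    "Received: from localhost (localhost [203.0.113.5])\n"
    "\tby relay.invalid with SMTP; Mon, 16 Apr 2001 10:00:00 -0700\n"
    "Subject: (no subject)\n"
    "\n"
    "body\n"
)
TRUSTED = {"mail.example.org", "mx.example.net"}  # assumption: relays we operate

# Bracketed IPv4 of the connecting host, then the host that stamped the header.
HOP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(\S+)", re.S)

def last_trusted_hop(raw, trusted):
    """Return (ip, datetime) from the deepest Received header stamped by one of
    our own relays, or None. Headers are read newest first; reading stops at the
    first one we did not write, since anything below it may be forged."""
    hop = None
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP_RE.search(value)
        if not m or ";" not in value or m.group(2).lower() not in trusted:
            break
        stamp = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        hop = (m.group(1), stamp)
    return hop

def abuse_report_line(hop):
    """Format the hop in UTC, the form an ISP can match against its own logs."""
    ip, stamp = hop
    return f"{ip} at {stamp.astimezone(timezone.utc).isoformat()}"

if __name__ == "__main__":
    print(abuse_report_line(last_trusted_hop(SAMPLE, TRUSTED)))
```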




More information about the esd-l mailing list