In article , David F. Skoll wrote: :I think the other responses to your question pretty much back up :our position. Cisco's "SMTP fixup" option is disruptive, invasive, :badly thought-out, badly implemented, irritating, and useless from :a security perspective.
A small anecdote on the way to a point:
We got joe-jobbed a few weeks ago on a major spam run (the replica watches one). 67000 bounce messages to us over 36 hours, mostly for accounts that no longer existed, so you can figure that the run was probably pretty close to a million pieces when it went out. My hand-crafted sendmail anti-spam measures (which spawn about 8 different perl processes per message) couldn't keep up, so I had to replace sendmail with qmail and have nearly all incoming messages dumped into a pool for later sorting. Had to develop sorting tools too, sigh.
The PIX smtp 'fixup' would not have helped nor hindered this spam bounce run, as each of the bounce messages was RFC822 compliant.
Anyhow, after spending a few days developing sorting tools to extract the useful messages from the slush (and it did so happen that we received an unusually high number of useful messages that day), I happened to notice that one of the messages we received was entitled "I love you". [We've seen at least three more of those since then.]
That is to say, there are still systems out there that are infected with the "I love you" virus... a virus that was current in May 2000.
Now, as far as I know, Cisco's SMTP fixup doesn't protect you against the "I love you" virus, but what it does protect you against is attacks of roughly the same genre -- it protects you against attacks that no-one has bothered to undertake seriously for years because the underlying bugs to be exploited were patched years and years ago.
But, hey, if your mail server hasn't had a software upgrade since 1989, then the "smtp fixup" could be useful in protecting you from viruses kept alive in fourth-world backwoods where operating systems haven't been upgraded or secured since Windows 95.
Why are such systems on the 'net? Well it wasn't long ago at all (mere weeks) that we had someone in one of the security newsgroups who claimed to be an expert in MS security, who used a MS version pretty much that old, on the basis that he knew what he was getting into, and that software that old was less likely to be targeted for new exploits than the now much more common Windows XP.
And truth to tell, I find it difficult to recommend to my relatives that they upgrade from Windows ME to XP -- they'd need to buy a faster computer (which they don't have the money for), and they don't have any use for the newer facilities introduced in W2K or XP... it'd be strictly an expensive upgrade to patch security holes.
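The post mentions dumping incoming mail into a pool and writing sorting tools to pull the useful messages out of a joe-job's backscatter. The following is an added example, not the poster's tools, of the kind of first-pass sorter that does that: it treats a message as a bounce if it has a null Return-Path, comes from MAILER-DAEMON/postmaster, or is a multipart/report delivery-status notification, and then calls a bounce "backscatter" when it is addressed to a local account that does not exist (the forged-sender case the post describes). The domain, the account list and the four sample messages are constructed for this example; a real deployment would read the pool from disk and check recipients against the real account database.

```python
import email
from email.utils import parseaddr

# Hypothetical local domain and account list, constructed for this example.
LOCAL_DOMAIN = "example.com"
VALID_ACCOUNTS = {"postmaster", "alice", "bob"}


def is_bounce(msg):
    """Heuristic test for a delivery-status notification (DSN).

    Any one of the three signals is enough: a null envelope sender recorded
    in Return-Path, a MAILER-DAEMON/postmaster From address, or the RFC 3464
    multipart/report; report-type=delivery-status container.
    """
    if str(msg.get("Return-Path", "")).strip() == "<>":
        return True
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender.startswith(("mailer-daemon@", "postmaster@")):
        return True
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    return False


def classify(msg, valid_accounts=VALID_ACCOUNTS, local_domain=LOCAL_DOMAIN):
    """Return 'useful', 'bounce' or 'backscatter' for one parsed message.

    A bounce addressed to a local account that does not exist can only be a
    reply to mail we never sent, i.e. backscatter from a forged sender.
    """
    if not is_bounce(msg):
        return "useful"
    rcpt = parseaddr(msg.get("To", ""))[1].lower()
    local, _, domain = rcpt.partition("@")
    if domain == local_domain and local not in valid_accounts:
        return "backscatter"
    return "bounce"


def sort_pool(raw_messages, valid_accounts=VALID_ACCOUNTS, local_domain=LOCAL_DOMAIN):
    """Sort raw RFC 822 texts into buckets; returns {category: [parsed messages]}."""
    buckets = {"useful": [], "bounce": [], "backscatter": []}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        buckets[classify(msg, valid_accounts, local_domain)].append(msg)
    return buckets


def summarize(raw_messages):
    """Counts per bucket, the number an operator would look at first."""
    return {k: len(v) for k, v in sort_pool(raw_messages).items()}


# Constructed sample pool: two backscatter bounces, one real bounce, one real mail.
SAMPLE_POOL = [
    # Bounce for a forged sender at a long-gone local account: backscatter.
    "Return-Path: <>\r\n"
    "From: MAILER-DAEMON@mail.example.net\r\n"
    "To: sales@example.com\r\n"
    "Subject: Undelivered Mail Returned to Sender\r\n"
    "\r\n"
    "This is the mail system at host mail.example.net.\r\n",
    # DSN signalled only by the multipart/report container, to another dead account.
    "From: Mail Delivery System <nobody@mx.example.org>\r\n"
    "To: oldaccount@example.com\r\n"
    "Subject: Delivery Status Notification (Failure)\r\n"
    "Content-Type: multipart/report; report-type=delivery-status; boundary=\"b1\"\r\n"
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "The following address failed.\r\n"
    "--b1\r\n"
    "Content-Type: message/delivery-status\r\n"
    "\r\n"
    "Final-Recipient: rfc822; victim@example.org\r\n"
    "Action: failed\r\n"
    "--b1--\r\n",
    # Bounce to a live account: possibly a real failure alice should see.
    "From: postmaster@other.example\r\n"
    "To: alice@example.com\r\n"
    "Subject: Mail delivery failed\r\n"
    "\r\n"
    "Your message could not be delivered.\r\n",
    # Ordinary mail.
    "From: carol@other.example\r\n"
    "To: bob@example.com\r\n"
    "Subject: Lunch?\r\n"
    "\r\n"
    "Noon?\r\n",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_POOL))
```

The recipient test is deliberately on the bounce's own To: header rather than on the Final-Recipient inside the DSN, because in a joe-job the forged sender address is what the bouncing host replies to; anything addressed to an account that does not exist here never came from here. The "bounce" bucket is kept separate from "useful" so that the few genuine failure notices to live accounts can still be read by a human.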