By default, MTAs should not care about the contents of a message. To do so is
a layering violation. The message should be opaque and the MTA should look
only at the envelope. The only "standard" exception is 8bit to 7bit
conversion, which hopefully is rarely an issue these days.
So the fact that a message is "malformed" should not prevent delivery of that
message.
But if MTAs are going to care about contents of messages (say, for the purpose
of filtering spam or viruses, which pretty much everyone will acknowledge as
necessary measures against evil these days), then there will inevitably be
cases where the MTAs are unable to parse those contents, presumably because the
messages are malformed. If the spam or virus filter can reliably tell that the
message is spam or a virus, dropping it is the proper thing to do. But if the
filter cannot tell, or cannot parse the message because it is malformed,
bouncing it is probably better.
The problem of using MIME to send malware exists whether or not the message is
bounced. Bouncing messages, if properly done, does not amplify the problem,
because there should never be more than one bounce address. Either the message
containing malware is delivered (in which case the recipient UA deals with the
threat) or it is bounced (in which case the "return-path" UA deals with the
threat). And again, if properly done, bouncing should not "mask" the source
of the malware, because the Received headers should be present in the returned
content in any case.
Keith
On Apr 15, 2011, at 1:50 PM, Dave Cridland wrote:
> On Fri Apr 15 18:38:50 2011, Keith Moore wrote:
>> Bouncing is absolutely what should happen if the message is merely
>> malformed. Otherwise, the sender has no idea that his message didn't arrive
>> (or why), and nothing will ever be done to fix the problem.
> But the problem is that the message didn't arrive. The reason is that it's
> malformed, but that's not the problem that people care most about. Now, *we*
> may care, but that's a wholly different thing, and largely irrelevant to the
> average user.
> Bouncing has problems too - it's trivial to use such a server to bounce
> malformed MIME back to some other address which then processes the MIME and
> allows some malware through.
> As I said before, differences in error handling behaviour may result in
> malware vectors being available. If you standardize the error handling (to
> whatever you like - pass through, bounce, or reject) then the net result is
> that exploits of this form cannot happen.
> Dave.
> --
> Dave Cridland - mailto:dave(_at_)cridland(_dot_)net -
> xmpp:dwd(_at_)dave(_dot_)cridland(_dot_)net
> - acap://acap.dave.cridland.net/byowner/user/dwd/bookmarks/
> - http://dave.cridland.net/
> Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade
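The "properly done" bounce Keith describes (one bounce address, the Received trail kept in the returned content) as an added Python example, not code from either poster: a filter hook that bounces a message whose MIME the parser cannot handle, sends the bounce only to the Return-Path, gives the bounce a null reverse-path so it can never be bounced again, and quotes the original headers. The malware-scan step that would drop a message, the sample message and the host name mx.example.org are assumptions of the example.

```python
import email
from email import policy
from email.message import EmailMessage
from typing import Optional, Tuple

def classify(raw: bytes) -> Tuple[str, EmailMessage]:
    """Return ("bounce", msg) when Python's parser records MIME defects
    (e.g. a declared multipart boundary that never appears), else ("deliver", msg)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return ("bounce" if msg.defects else "deliver"), msg

def build_bounce(msg: EmailMessage, reporting_mta: str) -> Optional[EmailMessage]:
    """Build the bounce, or return None when there is no reverse-path to bounce
    to: a null Return-Path (<>) means the message was itself a bounce."""
    return_path = str(msg.get("Return-Path", "")).strip()
    if return_path in ("", "<>"):
        return None
    dsn = EmailMessage()
    dsn["From"] = f"MAILER-DAEMON@{reporting_mta}"
    dsn["To"] = return_path.strip("<>")   # the one and only bounce address
    dsn["Return-Path"] = "<>"             # null reverse-path: bounces are never bounced
    dsn["Subject"] = "Undeliverable: message could not be parsed"
    defects = ", ".join(type(d).__name__ for d in msg.defects)
    original_headers = "".join(f"{name}: {value}\n" for name, value in msg.items())
    dsn.set_content(
        f"Your message was rejected by {reporting_mta} because its MIME structure\n"
        f"could not be parsed ({defects}).\n\n"
        "Headers of the original message, including its Received: trail:\n\n"
        + original_headers
    )
    return dsn

# Constructed sample: declares a multipart boundary that never appears in the body.
MALFORMED = (
    b"Return-Path: <sender@example.com>\r\n"
    b"Received: from client.example.com ([192.0.2.1]) by mx.example.org\r\n"
    b" with ESMTP id deadbeef; Fri, 15 Apr 2011 18:38:50 +0000\r\n"
    b"From: sender@example.com\r\nTo: user@example.org\r\nSubject: hi\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="frontier"\r\n\r\n'
    b"The declared boundary is never used, so the parser records a defect.\r\n"
)
WELL_FORMED = b"From: a@example.com\r\nTo: b@example.org\r\nSubject: ok\r\n\r\nhello\r\n"

if __name__ == "__main__":
    action, msg = classify(MALFORMED)
    print(action, [type(d).__name__ for d in msg.defects])
    print(build_bounce(msg, "mx.example.org"))
```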