At 12:39 AM -0800 3/14/03, william(_at_)elan(_dot_)net wrote:
Actually one of my notes was exactly on this issue. I concluded that the
best is to use local filters and separate attachments (such as .exe, .scr,
.bat, etc) from the email and deliver email to the recipient without an
attachment but include instead a note/attachment that it was present
with information on how the attachment can be downloaded from the local ISP
server - possibly by using IMAP server with IMAP url indicating exactly
what message to get from the server. This saves time for users when
receiving email over a slow connection (dialup) and for well-known viruses,
the users would not even try to download it (plus checking email for
viruses on a common IMAP server is an easier setup for an ISP, since many use unix
servers for mail delivery but most antiviruses run from windows platforms).

1. This breaks HTML email (unless you were planning on guessing which
attachments are currently "safe" and then checking them to see what
they say they are--in which case you might as well just check for
viruses).

As I said - only some attachments like .exe would not be delivered, the rest are.

2. This actually makes life worse for the dialup user in the
non-virus case. Dialup. Fetch mail. Disconnect. Try to read mail.
Reconnect. Fetch attachment.

I doubt you receive too many legitimate .exe attachments. It does happen,
but it's really rare.

3. While this would protect from auto-executing attachments, I fail
to see why the user that opens a questionable attachment is going to
be any less likely to download it.

That depends on how smart the user is. Most virus emails are detectable by content.
I, for one, never got my system infected so far. And having a message that
the attachment is not delivered but needs to be picked up will make them more
suspicious.

4. You lost me on the windows/unix problem there. First of all, most
major anti-virus vendors *do* offer Unix versions of their
software--they know what platforms are used to deliver email.

Not really. They do offer software that can be used on unix servers but
usually the actual core of the antivirus still runs on windows. And most offer
software that works just like I describe - it checks mailboxes by using
POP3 or IMAP.

Secondly, if the IMAP server can run Windows, so can the POP server.

Yes, so? It'll still be easier to scan a particular "attachment" folder.

But in any case, unless you are going to install custom MUA software
on all clients, you're going to have to use an HTTP server to handle
downloads. And people aren't very good at managing downloaded files.
Not to mention that once it's downloaded, you just bypassed what
minimal security efforts the email program would have provided to
keep you from executing it.

Again read above - they will see a warning that this is an executable program
and hopefully think about it. It is better than the situation available right
now. But it still relies on people being smart enough to see that they do
not need this attachment and it is a fake (unless antivirus caught it in
time).

5. If you're going to install custom software to deal with
attachments--why not just install anti-virus software and be done
with it? (Actually, the reason most vendors don't is that it's not
cheap, and the way the licensing works with some anti-virus vendors
it's possible that a burst of email will cause you to overshoot your
licensing requirements and suddenly you won't be able to process any
email at all.)

The above would not be a problem when attachments are located in a separate
folder. The antivirus can have a limit on how many attachments are checked
per given time and do the best it can. Not impossible that some would not be
processed in time before the attachment is downloaded but most would be.

Those costs need to be passed on to the end-user.
And since the end-user has already been told a million times that
they need to install anti-virus software, and since email isn't the
only way to get viruses.... Let them do it.)

The main problem is that too many do not do it, which causes headaches for
service providers, which end up thinking about how to check email on their
end. The reason why some do it is to minimize their support cost.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
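
The attachment-separation scheme debated in the message above, sketched with Python's standard `email` package as an added example that is not part of the original thread or any poster's code. The `store` dict standing in for the ISP-side attachment folder, the function names, and the `imap://mail.isp.example/...` URL are constructed assumptions.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions named in the message above; the tuple is passed to str.endswith().
BLOCKED_EXTENSIONS = (".exe", ".scr", ".bat")

def detach_executables(raw, store, url_prefix):
    """Move blocked attachments into `store`; leave a pickup note in their place.
    raw        -- the message as bytes
    store      -- dict standing in for the ISP-side attachment folder (assumption)
    url_prefix -- constructed IMAP URL prefix; the stored item's UID is appended
    Returns (rewritten message bytes, list of detached filenames).
    """
    msg = message_from_bytes(raw, policy=policy.default)
    detached = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        # Normalise case and trailing dots/spaces so "a.EXE" and "a.exe." match.
        if not name.lower().rstrip(". ").endswith(BLOCKED_EXTENSIONS):
            continue
        payload = part.get_payload(decode=True) or b""
        uid = len(store) + 1
        store[uid] = (name, payload)
        # set_content() clears the old Content-* headers and body of this part.
        part.set_content(
            f"The attachment {name!r} ({len(payload)} bytes) was not delivered.\n"
            f"It is held on the mail server: {url_prefix}{uid}\n"
        )
        detached.append(name)
    return msg.as_bytes(), detached

def build_sample():
    """Constructed test message: one text attachment, one executable one."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.org", "user@isp.example"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.\n")
    m.add_attachment("meeting notes\n", filename="notes.txt")
    m.add_attachment(b"MZ-constructed-bytes", maintype="application",
                     subtype="octet-stream", filename="Update.EXE")
    return m.as_bytes()

if __name__ == "__main__":
    folder = {}
    out, names = detach_executables(
        build_sample(), folder, "imap://mail.isp.example/quarantine/;UID=")
    print(names, out.decode(), sep="\n")
```

The filter matches on the declared filename only, so it inherits the limitation raised in point 1 of the thread: an attachment that lies about its type passes through untouched.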