
Re: [Asrg] where the message originated

2009-01-13 12:54:15
On Tue, Jan 13, 2009 at 05:22:16PM +0100, Alessandro Vesely wrote:
> > Ah, gotcha.  I agree that silently swallowing the message might have
> > spared B a possible infection, but I'm reluctant to blame A's MX for
> > this: it didn't originate, accept or transfer the malware-laden message.
>
> A's MX knows that M lacks effective anti-virus filtering. Hence, through
> inaction, it allowed a human being to come to harm. That obviously breaks
> the first law.

But none of this is necessarily true.

        - While I'm not overly conversant in the nuances of anti-virus
        systems (I prefer to use operating systems relatively unaffected
        by them) I'm under the impression that there's wide variability
        in the detection of various strains by different AV products.
        So it might not be the case that M lacks effective anti-virus
        filtering; it may well be the case that A's MX was simply fortuitous
        enough to be presented with a specimen that it detected while
        M did not.  It may even be the case that this is the exception
        to the rule -- that is, that M's virus detection is in fact
        markedly better than that at A's MX, but the latter simply got lucky.

        - Add to the discussion above the dependency of many (most?)
        anti-virus products on signature databases which must be updated
        rather frequently in order to deal with fast-propagating malware.
        It may be the case that M is in fact running the same anti-virus
        product as A's MX, but is mere minutes behind in updating.

        - A human being won't necessarily be harmed by this.  For starters,
        there's no way to know that the message will be delivered.  If the
        putative sender is elsewhere, then the mail system there might
        detect and reject the message.  The putative sender's mail client
        may be using an anti-virus product that detects it.  Or the putative
        sender may never "open" the message (which seems to effectively
        defuse most, but not all, of these problems).

        - Or the putative sender may not be running a mail client that's
        easily hijacked by malware or may not be running an operating system
        that's so brittle.  (e.g.: mutt on OpenBSD.)

There are still more variables in play here, but I think this is enough to
illustrate why attempting to guess at them is futile.  It's best to just
reject the message and content yourself that (a) you've done all you can do,
(b) you've emitted a reasonable diagnostic message in case this is a goof,
(c) you've minimized the amount of SMTP traffic you're emitting -- a key
factor -- and (d) you've done something that passes the "what if everyone
did this?" test, another key factor.

---Rsk
_______________________________________________
Asrg mailing list
Asrg(_at_)irtf(_dot_)org
http://www.irtf.org/mailman/listinfo/asrg
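The disposition choice the thread argues over (reject in-session versus accept-and-bounce versus accept-and-discard) can be made concrete by scoring each option against the criteria listed at the end of the post: a diagnostic reaches whoever sent the message, and the MX emits as little SMTP traffic of its own as possible. The following is an added illustration, not code from the post or from any ASRG participant. The `Policy`, `Message` and `Outcome` types are constructed for this example, the scanner is a stand-in that matches the EICAR test string, and the `sender_forged` flag models one consequence the post only hints at with "putative sender": when malware forges the envelope sender, a post-acceptance bounce is mail from the MX to an uninvolved third party (backscatter), while an in-session 5xx originates nothing.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List


class Policy(Enum):
    REJECT_AT_SMTP = "reject"       # 5xx during the SMTP session, nothing stored
    ACCEPT_AND_BOUNCE = "bounce"    # 250 OK, then a DSN to the envelope sender
    ACCEPT_AND_DISCARD = "discard"  # 250 OK, message silently dropped


@dataclass
class Message:
    envelope_from: str
    envelope_to: str
    body: bytes
    # Constructed flag: if the envelope sender was forged, a bounce addressed
    # to it lands on someone who never sent anything.
    sender_forged: bool = False


@dataclass
class Outcome:
    smtp_reply: str                   # reply the connecting MTA saw
    delivered: bool                   # message reached the recipient mailbox
    outbound: List[Message] = field(default_factory=list)  # mail this MX originated
    diagnostic_reached_sender: bool = False
    backscatter: bool = False         # MX mailed a party that never wrote to it


# Constructed stand-in for an anti-virus verdict: it flags the EICAR test
# string, the standard way to exercise a scanner without live malware.
EICAR_MARKER = b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE"


def scan(msg: Message) -> bool:
    return EICAR_MARKER in msg.body


def handle(msg: Message, policy: Policy) -> Outcome:
    """Apply one disposition policy to a message and record what it cost."""
    if not scan(msg):
        return Outcome(smtp_reply="250 2.0.0 OK", delivered=True)

    if policy is Policy.REJECT_AT_SMTP:
        # In-session 5xx: the submitting MTA learns the reason immediately and
        # is responsible for telling its user; this MX originates no mail.
        return Outcome(
            smtp_reply="550 5.7.1 Message rejected: malware detected",
            delivered=False,
            diagnostic_reached_sender=True,
        )

    if policy is Policy.ACCEPT_AND_BOUNCE:
        # Once accepted, the only way to report is a new message from the MX
        # (null reverse-path) to whatever the envelope sender claimed to be.
        dsn = Message(
            envelope_from="",
            envelope_to=msg.envelope_from,
            body=b"Delivery failed: malware detected in your message",
        )
        return Outcome(
            smtp_reply="250 2.0.0 OK",
            delivered=False,
            outbound=[dsn],
            diagnostic_reached_sender=not msg.sender_forged,
            backscatter=msg.sender_forged,
        )

    # ACCEPT_AND_DISCARD: no extra traffic, but nobody learns anything either.
    return Outcome(smtp_reply="250 2.0.0 OK", delivered=False)


def compare(msg: Message) -> dict:
    """Score each policy on the post's criteria: diagnostic emitted, extra
    SMTP traffic originated by the MX, and whether a third party is hit."""
    summary = {}
    for policy in Policy:
        outcome = handle(msg, policy)
        summary[policy.value] = {
            "diagnostic": outcome.diagnostic_reached_sender,
            "mx_originated": len(outcome.outbound),
            "backscatter": outcome.backscatter,
        }
    return summary


if __name__ == "__main__":
    # Constructed sample: a worm-style message with a forged envelope sender.
    sample = Message(
        envelope_from="victim@example.org",
        envelope_to="user@example.net",
        body=b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
        sender_forged=True,
    )
    for name, score in compare(sample).items():
        print(f"{name:8s} {score}")
```

Run as a script, the table shows why the post's advice wins on its own criteria: only the in-session reject gives a diagnostic, originates no mail, and cannot produce backscatter, whereas the bounce policy emits one message per flagged submission to an address that in the forged-sender case never wrote to the MX, and the discard policy is quiet but tells nobody anything.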