but the SMTP server doesn't have any way of knowing that the mail
was a virus. And it shouldn't have to suck down the message just
for the purpose of finding out.

Yes, the MTA would not know upfront whether it is a mail with virus,
and it would need to receive all of the mail to find out whether it
is. I think we agree on that. Whether it then is advisable to do that
can be discussed; my opinion is that we should recommend this.

My opinion is that we should recommend exactly the opposite - that
sites should always reject mail before DATA if they have enough
information to do that. The impact of sucking down all messages just to
do a virus is considerable. And error reporting is much more reliable
if the error indication is returned in response to SMTP MAIL or RCPT
than if it is returned as a bounced mail message.
There are better ways to discourage viruses than to expect SMTP servers
to accept, detect, and discard them.
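
The two rejection points discussed in this exchange, as an added example that is not part of the original messages: a minimal model of an SMTP receiver (not a real MTA) that can refuse at MAIL/RCPT from envelope information alone, but can judge content only after the whole body has been transferred. The blocklist, recipient list, addresses and "virus" marker are constructed sample values.

```python
# Added illustration: a minimal SMTP receiver model, not a real MTA.
# Blocklist, recipients and the "virus" marker are constructed sample values.
BLOCKED_SENDER_DOMAINS = {"spam.example"}
LOCAL_RECIPIENTS = {"alice@example.org"}
VIRUS_MARKER = "X-CONSTRUCTED-VIRUS-SIGNATURE"

def addr(arg):
    """Extract the address from 'FROM:<a@b>' or 'TO:<a@b>'."""
    return arg[arg.index("<") + 1 : arg.index(">")].lower()

def run_session(lines):
    """Feed client lines to the receiver; return (replies, body_bytes_received)."""
    replies, body, state = [], [], "command"
    sender_ok, rcpts = False, []
    for line in lines:
        if state == "data":
            if line == ".":
                # Content can only be judged after the whole body was transferred.
                infected = VIRUS_MARKER in "\n".join(body)
                replies.append("554 message rejected: content" if infected
                               else "250 OK queued")
                state, sender_ok, rcpts = "command", False, []
            else:
                body.append(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "MAIL":
            # Envelope check: the refusal happens before any message data is sent.
            sender_ok = addr(arg).rpartition("@")[2] not in BLOCKED_SENDER_DOMAINS
            replies.append("250 OK" if sender_ok else "550 sender rejected")
        elif verb == "RCPT":
            if not sender_ok:
                replies.append("503 need MAIL first")
            elif addr(arg) in LOCAL_RECIPIENTS:
                rcpts.append(addr(arg))
                replies.append("250 OK")
            else:
                replies.append("550 no such user")
        elif verb == "DATA":
            if rcpts:
                state = "data"
                replies.append("354 end with <CRLF>.<CRLF>")
            else:
                replies.append("503 no valid recipients")
        else:
            replies.append("500 unknown command")
    # Each body line costs its length plus CRLF on the wire.
    return replies, sum(len(b) + 2 for b in body)
```

In both cases the sending client gets the error code in the SMTP session itself; the difference is how many body bytes the receiver had to take in before it could answer.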