[Top] [All Lists]

Virus scanning non-structured emails

2004-07-09 05:20:03

Sorry if this isn't the right mailing list for this topic, but it seems the most relevant I can find..

If an email virus scanner saw an email like this

------------Cut here-----------

Subject: failed message
From: postmaster(_at_)somewhere(_dot_)com
X-comment: Note - no MIME headers at all

Your message failed because we didn't like it, here's the original message:


Subject: Your message
From: you(_at_)domain(_dot_)com
MIME-Version: 1.0
Content-Type: multipart/mixed;  boundary="----=_Boundary"

Content-Type: text/plain

My message

Content-Type: application/octet-stream; name="document01.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document01.exe"

<base64 encoded virus>


------------Cut here-----------

Would you expect a virus scanner to detect the virus? Should it try? My thinking is that the virus is actually just a gump of larbled text so why should a virus scanner detect it (let's ignore the fact, for now, that the bounce message shouldn't contain the attachment at all, we all know that some servers do that). If the bounce message was structured so that the original message was in a message/rfc822 section, then, yes, I'd say a virus scanner should detect it, but in this case, the bounce message is unstructured plain text, and no email client SHOULD show the 'attachment' as an attachment, because it isn't one.

But, what do the panel think?

Paul                            VPOP3 - Internet Email Server/Gateway