Re: Virus scanning non-structured emails

2004-07-09 06:10:49
On Fri, 09 Jul 2004 13:19:09 BST, Paul Smith said:

> Would you expect a virus scanner to detect the virus? Should it try? My 
> thinking is that the virus is actually just a gump of larbled text so why 
> should a virus scanner detect it (let's ignore the fact, for now, that the 
> bounce message shouldn't contain the attachment at all, we all know that 
> some servers do that). If the bounce message was structured so that the 
> original message was in a message/rfc822 section, then, yes, I'd say a 
> virus scanner should detect it, but in this case, the bounce message is 
> unstructured plain text, and no email client SHOULD show the 'attachment' 
> as an attachment, because it isn't one.

*MY* thinking is in line with yours - if the lack of MIME is that broken,
the virus scanner shouldn't bother.  However, there's 2 points to remember:

1) the MUA may be silly enough to attempt message reassembly, or auto-parse
any HTML/JavaScript found in the message (even though it is a text/*PLAIN*
by default) - remember we live in a world where "helpful" MUAs will find
executable code *inside a .JPG* and run it for you...

2) You didn't *seriously* expect a virus scanner to pass up a chance to find
a virus and send a spam^H^H^H^Hnote to the almost-certainly-forged From:
advertising its glorious feats of virus detection, did you?
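
The two bounce shapes discussed in this thread, as an added example that is not part of either poster's message: a structure-following scanner reaches the attachment inside a message/rfc822 part, but sees only one text/plain body when the original is pasted in as text. The addresses, the file name `sample.scr`, the harmless payload and the marker heuristic are constructed assumptions.

```python
import email
import re
from email import policy
from email.message import EmailMessage

def original_message():
    """Constructed sample: a message with a harmless binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "nobody@example.com"
    msg["Subject"] = "hello"
    msg.set_content("see attached")
    msg.add_attachment(b"constructed harmless payload", maintype="application",
                       subtype="octet-stream", filename="sample.scr")
    return msg

def structured_bounce(orig):
    """Bounce that carries the original as a message/rfc822 part."""
    bounce = EmailMessage()
    bounce["Subject"] = "Undeliverable"
    bounce.set_content("Delivery failed; original message attached.")
    bounce.add_attachment(orig)  # a Message object becomes message/rfc822
    return bounce

def unstructured_bounce(orig):
    """Bounce that pastes the original, MIME headers and all, into plain text."""
    bounce = EmailMessage()
    bounce["Subject"] = "Undeliverable"
    bounce.set_content("Delivery failed. Original message follows:\n\n"
                       + orig.as_string())
    return bounce

def attachments_seen(raw_bytes):
    """File names a scanner finds by walking the declared MIME structure."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

# Assumed heuristic: MIME part headers at line start inside a text/plain body.
MARKERS = re.compile(
    r"^(Content-Disposition: attachment|Content-Transfer-Encoding: base64)",
    re.I | re.M)

def pasted_mime_in_plain_text(raw_bytes):
    """True when a single text/plain body contains pasted MIME part headers."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    if msg.is_multipart() or msg.get_content_type() != "text/plain":
        return False
    return bool(MARKERS.search(msg.get_content()))
```

A scanner that wants to cover the reassembling-MUA case from point 1 would need something like the second function in addition to the normal MIME walk.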

