
Re: Virus scanning non-structured emails

2004-07-09 07:37:55

--On Friday, 09 July, 2004 15:00 +0100 Paul Smith
<paullocal(_at_)pscs(_dot_)co(_dot_)uk> wrote:

At 14:10 09/07/2004, Valdis(_dot_)Kletnieks(_at_)vt(_dot_)edu wrote:

*MY* thinking is in line with yours - if the lack of MIME is
that broken, the virus scanner shouldn't bother.  However,
there are two points to remember:

1) the MUA may be silly enough to attempt message reassembly,
or auto-parse any HTML/Javascript found in the message (even
though it is a text/*PLAIN* by default) - remember we live in
a world where "helpful" MUAs will find executable code
*inside a .JPG* and run it for you...

Yes, that's my concern.

(The thing that brought this issue up was that the virus
scanning function in our MTA isn't currently detecting a virus
in the email, but the same virus scanning engine with its
'scan inside mailbox' option enabled IS detecting a virus in
the mail file. So, obviously we're getting complaints that our
MTA scanner isn't working.)

I've thought about it and I really can't see any sensible way
to actually scan the message. It looks as if the virus
scanning engine is just looking for the text
'Content-Transfer-Encoding:' anywhere in the message text and
is trying to decode the following text accordingly. This seems
decidedly dodgy to me.


It really isn't dodgy if you have email clients that:

        * Open things, or can be configured to do so, only
        according to content-type, not file names or heuristics
        on content.

        * If they are willing or able to open things on a
        non-content-type basis, do so only after warnings
        and have options to configure in virus scanning of the
        body part as part of the opening process.

        * and, of course, use a limited-capability mechanism to
        read/open any HTML or similarly dangerous ("capable")
        body parts.

I'm not a security expert but, from my observation of how
malware spreads, use of any mail client that doesn't have that
set of capabilities and behavior is just an invitation to
trouble, which will probably arrive.  In the current Internet
environment, it is an invitation to malware -- more or less the
equivalent of walking around with a "kick me" sign on one's back
-- whether virus scanners are present or not.

And, for the specific example you give, yes, if you are
expecting the MTA to protect MUAs from bad things happening, the
capabilities associated with the MTA, and the assumptions those
capabilities make, have to be well-matched to the MUA.
Specifically, if the MTA-based scanner works on a content-type
basis only, then the MUA needs to work on a content-type basis
only.  If not, you need to upgrade (or get rid of) one or the