ietf-smtp
[Top] [All Lists]

Re: Virus scanning non-structured emails

2004-07-09 09:30:06

At 15:37 09/07/2004, John C Klensin wrote:

> I've thought about it and I really can't see any sensible way
> to actually scan the message.. It looks as if the virus
> scanning engine is just looking for the text
> 'Content-Transfer-Encoding:' anywhere in the message text and
> is trying to decode the following text accordingly. This seems
> decidedly dodgy to me.

It really isn't dodgy if you have email clients that:

        * Opens things, or can be configured to do so, only
        according to content-type, not file names or heuristics
        on content.

That isn't really what I'm saying..

And, for the specific example you give, yes, if you are
expecting the MTA to protect MUAs from bad things happening, the
capabilities associated with the MTA, and the assumptions those
capabilities make, have to be well-matched to the MUA.
Specifically, if the MTA-based scanner works on a content-type
basis only, then the MUA needs to work on a content-type basis
only.  If not, you need to upgrade (or get rid of) one or the
other.

What the manual virus scanner is doing is seeing the Content-Type: line ANYWHERE in an email message, and processing it

So, it would scan this email message (and find (almost) the EICAR test virus - I changed it a bit so it wouldn't be blocked, hopefully)

Is that what you'd expect to see happening, or should it just be treated as plain text (which it is)

Content-Type: Base64

WDVPIVAlQEFQWzRcUFpYNTQoUG5wN0NDKTd9JEVJQ0FSLVNUQU5EQVJELUFOVElWSVJVUy1URVNU
LUZJTEUhJEgrSCo=

It would be interesting to see if any email clients (or other email virus scanners) can detect that as an attachment...


Paul                            VPOP3 - Internet Email Server/Gateway
support(_at_)pscs(_dot_)co(_dot_)uk                     http://www.pscs.co.uk/