At 17:29 09/07/2004, Keith Moore wrote:
> Actually it's the other way around.
> It's irresponsible (and a violation of the MIME standard) to produce
> mail user agents that present potentially-harmful content. It's bad
> enough that they present harmful content in well-formed MIME body parts;
> even worse when they make extra effort to find harmful content that
> isn't properly formatted or labelled and try to present _that_.

(Before people start casting nasturtiums on MUAs :-) )

I've just tested both Outlook Express and Outlook with both my 'faked'
virus message, and the original message I was sent that prompted my
original message, and neither of them found an attachment in either of the
emails - both just saw the base64 encoded attachments in the plain text
message as a lump of gibberish text (as they should have done)

It would be interesting to see if any other MUAs are broken enough to find
an attachment in my little test message I sent to the list, but the ones
which most people claim are the most broken worked properly in that case.

(I can see cases around the edge being treated as attachments by the MUA,
and being missed by a virus scanner which sticks strictly to the MIME
standards, but this is pretty clearly a plain text message which just
happens to contain the same text as a BASE64 encoded virus)

I'd be concerned about a virus scanner trying to find things in emails
which aren't there - it could potentially lead to a DoS on the virus
scanner whilst letting a compliant MUA ignore the 'non-attachment' and open
a truly infected attachment. (I can't see how this could happen, but some
virus writers can be ingenious..)

Paul
VPOP3 - Internet Email Server/Gateway
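
Added example, not part of the original message: a strictly MIME-following attachment enumeration, using Python's standard `email` package, run over a plain-text message that merely contains base64 text and over a well-formed message carrying the same bytes as a labelled body part. Both messages, the payload and the function names are constructed for illustration.

```python
import base64
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed, harmless stand-in for attachment bytes (assumption, not a sample).
PAYLOAD = b"HARMLESS-TEST-PAYLOAD " * 8
B64_LUMP = base64.encodebytes(PAYLOAD).decode("ascii")


def build_plain_text_lump() -> bytes:
    """text/plain message whose body just happens to contain base64 text."""
    msg = EmailMessage()
    msg["Subject"] = "constructed test: base64 in plain text"
    msg.set_content("See below.\n\n" + B64_LUMP)
    return msg.as_bytes()


def build_real_attachment() -> bytes:
    """Well-formed multipart message carrying the same bytes as a body part."""
    msg = EmailMessage()
    msg["Subject"] = "constructed test: real MIME attachment"
    msg.set_content("See attached.")
    msg.add_attachment(PAYLOAD, maintype="application",
                       subtype="octet-stream", filename="test.bin")
    return msg.as_bytes()


def mime_attachments(raw: bytes):
    """Return (filename, content_type, decoded_bytes) per labelled MIME part.

    Only the declared MIME structure is walked; body text is never searched
    for things that look like encoded data.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    return [(part.get_filename(), part.get_content_type(),
             part.get_payload(decode=True))
            for part in msg.iter_attachments()]


if __name__ == "__main__":
    for label, raw in (("plain text lump", build_plain_text_lump()),
                       ("real attachment", build_real_attachment())):
        parts = mime_attachments(raw)
        print(label, "->", [(name, ctype, len(data)) for name, ctype, data in parts])
```
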