[Top] [All Lists]

Re: Virus scanning non-structured emails

2004-07-09 09:50:05

At 17:29 09/07/2004, Keith Moore wrote:
Actually it's the other way around.

It's irresponsible (and a violation of the MIME standard) to produce
mail user agents that present potentially-harmful content.  It's bad
enough that they present harmful content in well-formed MIME body parts;
even worse when they make extra effort to find harmful content that
isn't properly formatted or labelled and try to present _that_.

(Before people start casting nasturtiums on MUAs :-) )

I've just tested both Outlook Express and Outlook with both my 'faked' virus message, and the original message I was sent that prompted my original message, and neither of them found an attachment in either of the emails - both just saw the base64 encoded attachments in the plain text message as a lump of gibberish text (as they should have done)

It would be interesting to see if any other MUAs are broken enough to find an attachment in my little test message I sent to the list, but the ones which most people claim are the most broken worked properly in that case.

(I can see cases around the edge being treated as attachments by the MUA, and being missed by a virus scanner which sticks strictly to the MIME standards, but this is pretty clearly a plain text message which just happens to contain the same text as a BASE64 encoded virus)

I'd be concerned about a virus scanner trying to find things in emails which aren't there - it could potentially lead to a DoS on the virus scanner whilst letting a compliant MUA ignore the 'non-attachment' and open a truly infected attachment. (I can't see how this could happen, but some virus writers can be ingenious..)

Paul                            VPOP3 - Internet Email Server/Gateway

<Prev in Thread] Current Thread [Next in Thread>