Hi Paul,
At 05:19 09-07-2004, Paul Smith wrote:
If an email virus scanner saw an email like this
------------Cut here-----------
Subject: failed message
From: postmaster(_at_)somewhere(_dot_)com
X-comment: Note - no MIME headers at all
Your message failed because we didn't like it, here's the original message:
[snip]
Would you expect a virus scanner to detect the virus? Should it try? My
thinking is that the virus is actually just a gump of larbled text so why
should a virus scanner detect it (let's ignore the fact, for now, that the
bounce message shouldn't contain the attachment at all, we all know that
some servers do that). If the bounce message was structured so that the
original message was in a message/rfc822 section, then, yes, I'd say a
virus scanner should detect it, but in this case, the bounce message is
unstructured plain text, and no email client SHOULD show the 'attachment'
as an attachment, because it isn't one.
There was a time when email was about being conservative with what we send
and liberal with what we accept. Nowadays, it is the reverse. There are
MTAs bouncing messages with the viral attachment included. This behavior
can only foster the spread of viruses.
Although the MUA should not show the 'attachment' as an attachment because
it isn't one, you will come across MUAs that do that. The 'fix', if we can
call it that, is to have the virus scanner detect this gump of garbled text
as suspicious content if there is even the slightest risk. Relying on the
MUA to do the right thing is a recipe for disaster.
Regards,
-sm
http://www.qubic.net
Web Infrastructure Solutions