[Top] [All Lists]

Re: Virus scanning non-structured emails

2004-07-09 11:15:23

Hi Paul,
At 05:19 09-07-2004, Paul Smith wrote:
If an email virus scanner saw an email like this

------------Cut here-----------

Subject: failed message
From: postmaster(_at_)somewhere(_dot_)com
X-comment: Note - no MIME headers at all

Your message failed because we didn't like it, here's the original message:


Would you expect a virus scanner to detect the virus? Should it try? My thinking is that the virus is actually just a gump of larbled text so why should a virus scanner detect it (let's ignore the fact, for now, that the bounce message shouldn't contain the attachment at all, we all know that some servers do that). If the bounce message was structured so that the original message was in a message/rfc822 section, then, yes, I'd say a virus scanner should detect it, but in this case, the bounce message is unstructured plain text, and no email client SHOULD show the 'attachment' as an attachment, because it isn't one.

There was a time when email was about being conservative with what we send and liberal with what we accept. Nowadays, it is the reverse. There are MTAs bouncing messages with the viral attachment included. This behavior can only foster the spread of viruses.

Although the MUA should not show the 'attachment' as an attachment because it isn't one, you will come across MUAs that do that. The 'fix', if we can call it that, is to have the virus scanner detect this gump of garbled text as suspicious content if there is even the slightest risk. Relying on the MUA to do the right thing is a recipe for disaster.

Web Infrastructure Solutions