Re: per user post-data rejects, Processing after the end of DATA

John Levine wrote:
> > "Spam" filters might include virus scanning, too, and the false
> > positive rates on virus scanning have gotten totally out of hand in
> > the past year or so.
> >     
> I believe you, but what kind of AV is going to decide it's a virus for
> one recipient but not for the other?
An AV that's configured with different rules for different recipients. 
Unlikely in firewall/appliance or in a departmental MTA; painfully 
common in hosted / cloud computing.
For example, a hosted security suite might use multiple AV engines, some 
of which work in real time and others that require offline processing. 
The real time filter is more prone to false positives, but can reject at 
the SMTP layer. The offline one is more accurate, but  is noticeably 
slower, has lower privacy guaranties, and must deliver to quarantine 
(cannot reject, must not NDN).
So: the customer decides that for those users that require strict 
privacy or that are stupid enough to hurt themselves by delivering a 
live virus from quarantine, get the real-time filter. The more 
sophisticated users get the better filter, particularly if they've been 
incentivized to use it because it generates signatures that can improve 
the accuracy of the real-time filter.
If I could have coded the above, I would have. But I couldn't figure out 
a way to make it work. Compromise: put everything in quarantine, but 
only allow users with administrative privileges the ability to deliver 
from quarantine.
Actually, cloud computing is going to be weighing more and more on these 
issues.
IMHO, users stupid enough to download and run a self-extracting zip that 
was flagged in Large, Unfriendly Letters as malware deserve what they 
get. But I get paid to not think that way. ;-)
<csg>