Re: per user post-data rejects, Processing after the end of DATA

Ray Bellis wrote:
> > An AV that's configured with different rules for different recipients.
> >     
> Or one that's only configured for the customers that are paying for it.
That's certainly true, although uncommon in my own experience because 
providers make operational choices  to avoid it. As much as possible, 
the ability to enable or disable a service is kept at the same (or 
higher) granularity than the MX names. For example, all Google Apps 
domains refer to a common set of MX names, but Gmail also enforces a 
uniform anti-virus policy across the service. Highly configurable 
services like Postini and Message Labs use different MX names for each 
administrative domain, ensuring sending MTAs send a separate copy to each.
Where I ran into problems (a "disposition conflict") was when different 
recipients in the same administrative domain (with the same MX name) 
were able to set different policies. That might be because of 
administrative delegations within a single customer, or because we gave 
individual users some knobs they could tweak. Many folk's intuition 
would be that anti-virus would not be a tweakable service; but you would 
be wrong. Today's enterprise class anti-malware filters are almost as 
hairy and indeterminate as spam filters, and that's because malware 
writers have gotten so darn clever.
<csg>