[ On Tuesday, February 18, 2003 at 11:45:40 (+0000), Alan J. Flavell wrote: ]
> Subject: Re: [Exim] bouncing viruses
>
> On Tue, 18 Feb 2003, Greg A. Woods wrote:
>
> > > > If you've accepted a message containing a virus or worm then the best
> > > > possible thing you can do is disable it
> > >
> > > Well, the _best_ thing to do is not to accept it in the first place.
> >
> > You didn't read what I said.
>
> With respect: I did.
>
> > I said "_IF_ YOU HAVE ACCEPTED...."
>
> If the virus checks are made before acceptance, then by definition you
> won't know that what you inadvertently accepted was, in fact, an
> unrecognised virus.

Sorry, but you're still missing my point, perhaps because you don't
understand the SMTP protocol properly. You cannot truly do virus checks
on the body of a message before you've fully accepted the message. If
you think you're doing that then strictly speaking you're violating the
SMTP protocol.

Yes, you can scan the incoming data as you save it to disk and if you
see anything along the way that you don't like then you can try to send
a 5xx reject response to the end-of-DATA command ("."), but: (a) this
only works properly about half the time (because huge numbers of other
SMTP clients botch this part of the protocol, and the issues with this
are far deeper and wider than have been alluded to by others); and (b)
you've just wasted all the bandwidth and resources for the message
anyway.

> So you deliver it anyway.

Exactly. (Or drop it in the bit bucket... :-)

I.e. why bother running any kind of scanner across the body of the
message at SMTP time? It gains you nothing and costs in all kinds of
obvious and not so obvious ways.

--
Greg A. Woods
+1 416 218-0098; <g.a.woods@???>; <woods@???>
Planix, Inc. <woods@???>; VE3TCP; Secrets of the Weird <woods@???>
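
Added example, not part of the original message: a minimal in-memory model of the exchange discussed above, in which the receiver scans body lines during DATA but can only answer at the terminating ".", so the whole body has already been transferred when the 5xx goes out. The Receiver class, run_session, SIGNATURE and the sample addresses are constructed for illustration; no real scanner or network is involved.

```python
# Added illustration: in-memory model of an SMTP receiver that scans during DATA.
# SIGNATURE and the sample session are constructed; no real scanner is used.
SIGNATURE = "CONSTRUCTED-TEST-SIGNATURE"

class Receiver:
    def __init__(self):
        self.in_data = False
        self.infected = False
        self.body_bytes = 0      # everything read from the wire during DATA
        self.queued = []         # messages the server took responsibility for
        self.lines = []

    def feed(self, line):
        """Take one client line (without CRLF); return the reply or None."""
        if not self.in_data:
            verb = line.split(" ", 1)[0].upper()
            if verb == "DATA":
                self.in_data, self.infected = True, False
                self.body_bytes, self.lines = 0, []
                return "354 End data with <CR><LF>.<CR><LF>"
            if verb in ("HELO", "EHLO", "MAIL", "RCPT"):
                return "250 OK"
            return "500 Unrecognised command"
        if line == ".":                      # end of DATA: first chance to reply
            self.in_data = False
            if self.infected:
                return "550 Message content rejected"
            self.queued.append("\n".join(self.lines))
            return "250 OK queued"
        self.body_bytes += len(line) + 2     # count the CRLF as well
        if line.startswith("."):             # undo dot-stuffing (RFC 5321 4.5.2)
            line = line[1:]
        if SIGNATURE in line:
            self.infected = True             # noted, but no reply is possible yet
        self.lines.append(line)
        return None

def run_session(body_lines):
    """Drive one constructed session; return (transcript, receiver)."""
    rx = Receiver()
    client = ["EHLO client.example", "MAIL FROM:<a@example.org>",
              "RCPT TO:<b@example.net>", "DATA", *body_lines, "."]
    transcript = []
    for line in client:
        reply = rx.feed(line)
        transcript.append(("C", line))
        if reply:
            transcript.append(("S", reply))
    return transcript, rx
```

In the rejected session body_bytes equals the full size of the body, and nothing is added to queued.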