Re: [Exim] Attachments and bounce messages

Author: Alan J. Flavell
Date:  
To: Exim users list
Subject: Re: [Exim] Attachments and bounce messages
On Fri, 5 Sep 2003, Philip Hazel wrote:

> The latest spate of viruses has caused someone to ask me if attachments
> should be removed from messages that are returned with bounces.


Speaking as one of the disgruntled recipients of numerous bogus virus
alerts, in all kinds of different shapes and sizes, my immediate
reaction is that it's much easier to reject bogus virus alerts if they
come complete with the offending attachment - but much better would be
if they didn't come at all!!

> Views?


Refuse "active" attachments[*] at SMTP time, as a matter of policy:
don't compose bounces after the event; use a virus scanner too, if you
want, but don't rely on it as your only defence - that will guarantee
failure in the window between the virus arriving and the vendor's
anti-virus template coming out.

Once the offending item has been accepted, it's too late to do a
proper job of reporting it, in my submission. At best you could
report it to the registered abuse address for the IP that offered it
to you.

all the best

[*] Quite what qualifies as "active" attachments is not determined by the
RFCs, but by what the Great Vendor insists on doing in its headstrong
way. So a MIME type of text/plain is even more dangerous than
application/sh in this topsy-turvy universe, since the Great Vendor
will take text/plain as an excuse to look inside the content and guess
what it might be - and then act on that guess, even if harmful.
There have been too many precedents.
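
The policy argued for in the message above, sketched as an added example that is not part of the original post or of Exim: a check run when DATA completes, which ignores the declared MIME type and refuses on attachment name or leading content bytes. The extension list, the `MZ` magic check, the function names and the sample messages are assumptions constructed for illustration.

```python
import base64
import email
from email import policy

# Assumed policy list; the post does not enumerate extensions.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")
# "MZ" opens DOS/Windows executables; checked whatever the declared type says.
EXECUTABLE_MAGIC = (b"MZ",)


def check_message(raw: bytes):
    """Return (smtp_code, text) for the reply to DATA: 250 accepts, 550 refuses."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").strip().lower()
        # The Content-Type label is deliberately not consulted: a part marked
        # text/plain is judged by its name and content, as the client would.
        if name.endswith(BLOCKED_EXTENSIONS):
            return 550, f"attachment name {name!r} refused by policy"
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(EXECUTABLE_MAGIC):
            return 550, "executable content refused by policy"
    return 250, "OK"


def build_sample(declared_type: str, filename: str, content: bytes) -> bytes:
    """Constructed test message: one attachment with a sender-chosen MIME label."""
    b64 = base64.b64encode(content).decode()
    return (
        "From: a@example.org\r\nTo: b@example.net\r\n"
        "Subject: constructed sample\r\nMIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
        "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
        f"--b1\r\nContent-Type: {declared_type}\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n\r\n"
        f"{b64}\r\n--b1--\r\n"
    ).encode()


if __name__ == "__main__":
    for args in [("text/plain", "details.pif", b"constructed bytes"),
                 ("text/plain", "notes.txt", b"MZ\x90\x00 constructed"),
                 ("text/plain", "notes.txt", b"plain constructed text")]:
        print(args[:2], check_message(build_sample(*args)))
```

Because the refusal is the SMTP reply itself, the sending host still holds the message and no bounce has to be composed afterwards.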