[Mimedefang] Re: calling action_bounce() for viruses

James Ralston qralston+ml.mimedefang at andrew.cmu.edu
Mon Sep 29 20:41:02 EDT 2003


On 2003-09-25 at 22:19:20-0700 Jeremy Mates <jmates at sial.org> wrote:

> * James Ralston <qralston+ml.mimedefang at andrew.cmu.edu>
> > If viral content is detected in a message from an external sender,
> > bouncing (via an SMTP 5xx code) the message is the correct thing to
> > do.
> 
> So the system being bounced to has to bear the costs of accepting,
> scanning, tagging, and discarding the message anyways?

Yes.

But I think you missed my point: if the ISP of the forged envelope
sender isn't *already* scanning its incoming mail for viruses, then
they're screwed anyway.  It doesn't matter if the ISP receives a virus
because one of their customers was targeted as the recipient, or
because one of their customers was targeted to be the forged envelope
sender; the ISP needs to be scanning incoming email anyway.

> And suppose one of my users fires off a legitimate e-mail (with
> malware, compliments of, say, Microsoft OLE) to your server via
> their malware-scanning-free ISP server (many of these).  Your system
> then bounces the message back to my server, which then bounces the
> message into the bitbucket due to malware content.  Where is the
> user notified that their legitimate message got discarded in this
> case?

The user isn't notified, of course, but what's your point?

If you refuse to accept incoming mail which contains viruses, a
legitimate sender has at least a chance of figuring out that his
message was refused.  The notification may not make it back to the
sender.

But if you silently discard incoming mail which contains viruses, you
are guaranteeing that a legitimate sender will never *realize* that
his message was dropped.

In addition, by silently dropping the incoming mail, you are violating
RFC2821 (section 4.2.5), because you returned SMTP code 250 when you
do *not* intend to deliver the message.

I am aware that David posted (in another thread) that he now believes
that silently dropping incoming mail messages which contain viruses is
the best thing to do.  I still disagree.  No matter how smart or
experienced we think we are, we don't even scratch the surface of the
depth of the experience and intelligence that went into the
construction of the mail-related RFCs.  And the RFCs don't permit you
to return 250 and then dump the message in the trash.

If you want email to remain a useful tool for communication, then
follow the damn standards, and refuse to accept messages with viral
content instead of silently dropping them.

If you want to join the long list of fools who thought that *they*
knew better than what the Internet standards said, and ultimately
created problems that they couldn't foresee, then feel free to
silently drop incoming mail messages which contain viruses.

-- 
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
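The policy argued for above (refuse the message with a 5xx reply during the SMTP transaction rather than returning 250 and then throwing it away) is what MIMEDefang's action_bounce() does, despite its name: it makes sendmail reject the message at end-of-DATA, so the connecting MTA still owns the message and must generate any DSN itself.  The following filter_begin is an added example, not code from the original post or from the MIMEDefang distribution; it assumes the MIMEDefang 2.x filter API of the time (message_contains_virus(), action_bounce(), action_tempfail(), md_syslog(), $Sender and $VirusName) and is meant to replace the default virus handling in mimedefang-filter:

```perl
# Added example; assumes the MIMEDefang 2.x filter API named in the lead-in.
sub filter_begin {
    my ($entity) = @_;

    # message_contains_virus() runs the configured scanners and returns
    # (scanner exit code, category, suggested action), where the action is
    # one of "ok", "proceed", "tempfail", "discard" or "quarantine".
    my ($code, $category, $action) = message_contains_virus();

    if ($action eq "tempfail") {
        # Scanner failure: do not accept, do not reject for good; a 4xx
        # reply tells the sending MTA to retry later.
        action_tempfail("Virus scanner unavailable; please try again later");
        return;
    }

    if ($action eq "discard" || $action eq "quarantine") {
        # Reject within the SMTP session instead of calling action_discard():
        # sendmail answers the final "." with 554 rather than 250, so this
        # host never takes responsibility for the message (RFC 2821 4.2.5)
        # and the sending MTA, not us, decides whether to notify its sender.
        md_syslog('warning', "Rejecting message from $Sender: $VirusName");
        action_bounce("Message rejected: it contains the virus $VirusName",
                      554, "5.7.1");
        return;
    }

    # "ok" and "proceed": let the message continue to filter() / filter_end().
}
```

Because the rejection happens before 250 is returned, no bounce message originates here; the forged envelope sender only sees a DSN if the upstream MTA chooses to send one, which is exactly the division of responsibility the post describes.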
