I feel you've made some very valid points, Especially option #1, that I feel is the root cause of the problem. I can see no valid reason why a Mail program needs to automatically excecute anything.

However, option #2 is not as simple as it sounds. It sounds like a good idea, but in practice it can cause more headaches than it's worth especially the legal issues it raises. Most enterpise situations can mitigate these issues by the virtue that they own the Servers, Workstations, and pay for the time of the users (Employees), but those virtues just make the lines more grey, they may not save the company... Also a big chunk of the spread has been home users, dialed up directly to thier ISP. The ISP has a much harder time securing thier mail servers.

If someone modifies an E-Mail in transit, ie virus clean, or even adding those oh too familiar legal disclaimers, actually makes the company liable for the content. The company was the last to add to the message, so they become the final author. I personally love the Irony of this, adding a disclaimer stating that the company is not libale for the content, makes them liable for the content. Not only that, it is illegal in some contries (Gremany I believe is one) to modify an E-Mail, in transit, in any way.

It also makes the company or the ISP a Censor, they are deciding what other people do and do not see. That is not thier job, the ISP or IT department is rarely trained to be a censor, and most Western counties belive that their citizens have the right to free speech. (Even though not all of said contries actually have that right.) I know very few people that like the idea of their ISP checking their E-Mail content, even if it's only to see if it's safe...

Ans lastly, if the company does scan E-Mails, and does stop viruses, and one happens to get through. (A new unknown virus, the scanner breaks, it comes though some other means.) Then the company/ISP may be liable for the damage the virus caused. After all, the user could now reasonably expect ALL Viruses to be stopped.


Yes something needs to be done, but installing virus scanners on all E-Mail servers is not the answer. Better E-Mail clients is a damn good start. Perhaps a better standard of messaging is needed, one that is designed from the ground up to provide better multimedia solutions, larger, more effecient file transfers, running of attachments in a sandbox arrangement and more accountability/traceability. I think we just may be starting to outgrow SMTP....

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/87/13039#13039