On September 27, 2002 at 13:01, Jose Marcio Martins da Cruz wrote:

> What's interesting is that in this case the message and the malicious
> code pass through two different network paths: the message is sent by
> mail and the malicious code will be fetched by the receiver by
> anonymous ftp.
>
> In the case of the previous vulnerability (fragmented message), the
> message and malicious code use the same network path.
>
> Classical mail server virus scanners will never see the malicious code
> pass through them, as they will never have the entire malicious
> code available.

Since the external-body type uses other standard network protocols,
the security policies of a company for other protocols (like ftp)
would take effect. It is no different than if someone sends a message
to someone saying "go download ftp://....".

> I can't say anything about other mail clients, as I'm sick at home and
> I have no access to other MUAs.

The venerable MH, and its successor nmh, support the
message/external-body type.

The only real security risk is if a badly designed MUA automatically
retrieves the data specified in a message/external-body (and RFC 2046
gives a warning about this). Otherwise, it poses the same security
problems as someone including a URL in a regular mail message (which
many MUAs automatically convert into a hyperlink).

--ewh

P.S. You may be interested in RFC 2017 that defines the URL access
type for message/external-body.
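
The following is an added example, not part of the original post: a mail gateway can at least report where a message/external-body part points, even though the referenced data never passes through it. The sample message, host names and the function names `external_bodies` and `_param` are constructed for illustration; the access types handled are those of RFC 2046 and RFC 2017.

```python
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Constructed sample (not from the thread); hosts and file names are placeholders.
SAMPLE = """\
From: sender@example.org
To: rcpt@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: message/external-body; access-type="anon-ftp";
 site="ftp.example.org"; directory="pub"; name="report.bin"

Content-Type: application/octet-stream

--b1
Content-Type: message/external-body; access-type=URL;
 URL="http://www.example.org/
 files/report.bin"

Content-Type: application/octet-stream

--b1--
"""

def _param(part, name):
    value = part.get_param(name)
    return None if value is None else collapse_rfc2231_value(value)

def external_bodies(raw):
    """Return one finding per message/external-body part in a raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        if part.get_content_type() != "message/external-body":
            continue
        access = (_param(part, "access-type") or "").lower()
        if access == "url":
            # RFC 2017: the URL may be folded, so drop embedded whitespace.
            location = "".join((_param(part, "url") or "").split()) or None
        elif access in ("ftp", "anon-ftp", "tftp"):
            path = "/".join(p for p in (_param(part, "directory"), _param(part, "name")) if p)
            scheme = "tftp" if access == "tftp" else "ftp"
            location = "%s://%s/%s" % (scheme, _param(part, "site"), path)
        else:
            location = None  # local-file, mail-server or unknown access type
        # The encapsulated headers carry the type the sender claims for the data.
        inner = part.get_payload(0) if part.is_multipart() else None
        findings.append({"access_type": access, "location": location,
                         "claimed_type": inner.get_content_type() if inner else None})
    return findings
```

The findings can feed the same policy decision the site already applies to ftp or http downloads, or simply be logged so the out-of-band fetch is visible.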