Man and machine (was Re: Is virus scanning interception?)

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Mon, 22 Jul 2002 16:46:41 +0100 

> -----Original Message-----
> From: James Hammerton [mailto:james@tardis.ed.ac.uk]=20
> Sent: 22 July 2002 15:54
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: Man and machine (was Re: Is virus scanning=20
> interception?)=20
>=20
>=20
> > > Charles Lindsey wrote:
> >=20
> > > On Thu, 18 Jul 2002 20:32:46 +0100
> > > Peter Fairbrother <zenadsl6186@zen.co.uk> said...
> > >=20
> > >> If you have run software that deletes mail with viruses=20
> in it, you=20
> > >> have deleted the mail. The machine has deleted the mail, the=20
> > >> software has deleted the mail, but you too have deleted the mail.
> > >>=20
> > >> If the software has access to the content, and bases the=20
> decision=20
> > >> to delete the mail on that content, you have deleted the=20
> mail based=20
> > >> on access to the content.
> > >=20
> > > Yes, you have indeed done all of those things. But, at the end of=20
> > > the day, you mever had an opportunity to read the content, and=20
> > > therefore it was never available to you (because, in the=20
> absence of=20
> > > more specific definitions, "common sense" applies).
> >=20
> > Content has been made available for your use.
>=20
> What opportunity for accessing the content does the person=20
> who runs the virus scanner have here? I'd argue there is no=20
> such opportunity to access the content by the person running=20
> the scanner and therefore it has not been made available to=20
> that person therefore under RIPA it is not interception.
>=20
> James

For the purposes of this thread what sensible distinction is there to be
made between the processing performed by a Mail Transport Agent such as
Sendmail and the processing performed by a separate content scanner
which processes the same data?=20

In considering this question one should be mindful that an MTA normally
scans and transforms messages, both headers and body [1], and can be
configured to reject mail based on what is found.  =20
 =20
We do automated content scanning of _all_ incoming e-mail at this site
for the purposes of anti-virus protection and the recognition and
tagging of probable spam.

This activity does not add in any way to my ability to look at content.
I continue to have access (should I be minded to exercise that ability)
to the same Sendmail 'qf' and 'df' files that the content scanners
process. The content scanners make _no_ permanent new copies of these
files, in particular of the 'df' file which contains the message body.

Looked at in this way, a "common sense" view of our automated content
scanning is no different to the processing (ie. content scanning) that
Sendmail itself does of the incoming SMTP stream then later when it
attempts to deliver any queued messages (in the form of 'qf' & 'df'
files).

[1] It may surprise some people that an MTA needs to scan and possibly
change
    the content of a message. In the Unix world it is normally necessary
to
    escape the string "From " if it appears at the start of a line in
the body=20
    of the message.  =20

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."=20