Man and machine (was Re: Is virus scanning interception?)

Quentin Campbell Q.G.Campbell at newcastle.ac.uk
Thu, 25 Jul 2002 12:22:50 +0100


> -----Original Message-----
> From: Peter Fairbrother [mailto:zenadsl6186@zen.co.uk]
> Sent: 24 July 2002 23:45
> To: ukcrypto@chiark.greenend.org.uk
> Subject: Re: Man and machine (was Re: Is virus scanning interception?)
>
>
> > Quentin Campbell wrote:
>
> >> -----Original Message-----
> >> From: Peter Fairbrother [mailto:zenadsl6186@zen.co.uk]
> >> Sent: 23 July 2002 19:56
> >> To: ukcrypto@chiark.greenend.org.uk
> >> Subject: Re: Man and machine (was Re: Is virus scanning interception?)
> >>
> >>
> >> Peter Fairbrother wrote:
> >>
> >>> Quentin Campbell wrote:
> >>
> >>
> >>>> [1] It may surprise some people that an MTA needs to scan and
> >>>> possibly change the content of a message. In the Unix world it is
> >>>> normally necessary to escape the string "From " if it appears at
> >>>> the start of a line in the body of the message.
> >>
> >> Having studied the Act further, that behaviour is not interception.
> >> s2(5)(b) excludes from the definition of interception:
> >>
> >> "(b) any such conduct, in connection with conduct falling within
> >> paragraph (a), as gives a person who is neither the sender nor the
> >> intended recipient only so much access to a communication as is
> >> necessary for the purpose of identifying traffic data so comprised or
> >> attached."
> >
> > That is irrelevant. My comment about the actions of MTAs has nothing
> > to do with headers or traffic data in a message. Read it again please!
>
> I assumed the escape was necessary to avoid the string being
> mistaken for a header. I may well have been wrong, if so could you
> please explain why it is necessary? What the purpose of the escape is?

It has nothing to do with an MTA processing message headers.

Most Unix mail reading programs, including ELM, Pine, /usr/ucb/Mail, etc.,
require that each mail message in a file of many messages be delimited
from the others by a blank line followed by a line that begins with the
five characters "From ".

This means that any given mail message may have only one line in it that
begins with the five characters "From ". To prevent such lines being
improperly fed to a mail delivery agent, the MTA usually offers a
configuration option that, if set, tells the MTA to prefix with a ">"
character all but the first such line found in a message it is passing
to a delivery agent doing final local delivery.

>
> >
> > It is about an MTA scanning message content and changing that content
> > if some criteria is met. Just like anti-spam and anti-virus scanning
> > of a message.
>
> Could you give some examples? I'm unfamiliar with the bowels
> of modern MTA code. Why would the MTA need to examine the
> body of a message?

Because content scanning capability is now a standard part of many MTAs,
including Sendmail. In the past I have used the "milter" (Mail Filter)
facility of Sendmail to do content scanning of messages to block e-mail
viruses and spam.

Another example is the Subject line of a message which RIPA appears to
define as content. Sendmail offers an option for blocking mail based on
substrings occurring in the Subject line.

In the case of MIME-conformant messages, the MTA may for example have to
translate content that is 8-bit encoded into a 7-bit encoding and
add/change MIME headers to reflect this change.

On final delivery, the delivery agent operating with the MTA may count
characters in the message and refuse to accept it if the message size
exceeds a configured limit.

>
>
> You could categorise your examples as to whether they are
> needed for message passing to operate. If so they're lawful
> under s3(3), if not they aren't. That's not 100% accurate,
> but it's close enough.

The Mail Relay systems on which our MTA and supporting anti-virus and
anti-spam software runs have not been modified to make message content
available to any third party so the processing the Hubs carry out is not
"interception" as defined by S2 of RIPA. Your citing of S3 (in our
site's case at least) is thus irrelevant.

Quentin
---
PHONE: +44 191 222 8209    Computing Service, University of Newcastle
FAX:   +44 191 222 8765    Newcastle upon Tyne, United Kingdom, NE1 7RU.
------------------------------------------------------------------------
"Any opinion expressed above is mine. The University can get its own."
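
Added example, not part of the original message: a Python sketch of the mailbox delimiter rule and the ">" escape described in the reply above, showing how an unescaped body line beginning "From " makes a reader see an extra message. The function names and the two sample messages are constructed for illustration and are not taken from any MTA.

```python
# Added illustration: function names and sample messages are constructed.

def split_mailbox(text):
    """Split a mailbox file as the mail readers described above do: a new
    message starts at a line beginning "From " that follows a blank line
    (or is the first line of the file)."""
    messages, current, prev_blank = [], [], True
    for line in text.splitlines():
        if line.startswith("From ") and prev_blank and current:
            messages.append(current)
            current = []
        current.append(line)
        prev_blank = (line == "")
    if current:
        messages.append(current)
    return messages


def escape_from_lines(message):
    """Prefix ">" to all but the first line beginning "From " in one
    message, i.e. keep the delimiter line and neutralise the rest."""
    out, seen_delimiter = [], False
    for line in message.splitlines():
        if line.startswith("From "):
            if seen_delimiter:
                line = ">" + line
            seen_delimiter = True
        out.append(line)
    return "\n".join(out) + "\n"


def build_mailbox(messages, escape):
    """Append messages to one mailbox string, a blank line after each."""
    return "".join((escape_from_lines(m) if escape else m) + "\n" for m in messages)


# Constructed sample messages; the first has a body line starting "From ".
MSG1 = ("From alice@example.org Thu Jul 25 12:00:00 2002\n"
        "Subject: plans\n\nHello,\n\n"
        "From here on this is still body text, not a new message.\n")
MSG2 = ("From bob@example.org Thu Jul 25 12:05:00 2002\n"
        "Subject: Re: plans\n\nOK.\n")

if __name__ == "__main__":
    print(len(split_mailbox(build_mailbox([MSG1, MSG2], escape=False))))
    print(len(split_mailbox(build_mailbox([MSG1, MSG2], escape=True))))
```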