You're right in that there are several cases, but I still disagree with allowing the sender to decide whether or not the recipient... I think the recipient should be the one to decide if they want the email. The sender should _not_ be able to force potentially harmful email through.
Look at it yet another way. The sender sent the email, so obviously they want it to go through (ignoring all of the obvious spam and forging virus cases that are already handled through other means). By notifying the recipient instead of the sender, the recipient has to agree to receive it. So, we establish a trust relationship of sorts. Without sending the notification to the recipient, no trust is established and the recipient can receive emails that they do not want.

As to the problem of determining the legitimacy of email, you're correct in that it is difficult to do programmatically, but in most cases a simple human inspection of the subject and sender is enough to decide if the content is legit, which the recipient can do easily.

Darin.

----- Original Message -----
From: "Hermann Strassner" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, June 02, 2004 10:39 AM
Subject: RE: [Declude.Virus] Notification for forwarded messages

>-----------
Look at it from the perspective of one of your business email customers. Say your customer is Mom's Sauce Co. Mom's Sauce Co. has a customer, Joe's Pizza, who is trying to send them an important document that just happens to be an encrypted zip. Under your scenario, Joe's Pizza receives a bounce message and has to click a link or type something in to get the email delivered to Mom's Sauce. Now Mom's Sauce Co. really wants to sell her sauce, and wants to make it as easy as possible for Joe's Pizza to do business with them. Wouldn't Mom's Sauce Co want to handle the verification and not make Joe's Pizza have to deal with it?
>------------

And then think of Joe's Pizza sending an email with a zip to Mom's Sauce Co. Who should handle the verification then? The other one. In your thinking (and it is right to a certain degree) always the one who sells something should handle the verification, whether it is the sender or the recipient. But it is not possible to build this in software.
We have a corporate environment, and we sell things. So we have customers and suppliers. We SHOULD do everything for our customers (if they send mail, we should do the verification, if we send mail also we should do the verification. One time the sender, one time the recipient), and we want our suppliers to do everything for us. So this is not possible to build in software.

In the past some viruses slipped through the virus scanner before the signatures were updated from the companies, not only password protected zips, but as well normal zips. This forces a lot of work and money to clean the systems in house. To prevent this in future we block every archive as well as every executable extension as potentially dangerous, and we had success with this behaviour a few times.

Again, the recipient can't know if the mail is sent intentionally or if it contains a virus or otherwise dangerous code. This can only be done by the sender. If the sender gets notification, but has not sent any mail, he just deletes the notification. If he wants to get his mail delivered, he verifies it. After that it is up to the recipient to open an attachment in an email, just as it is now.

Hermann

---
[This E-mail was scanned for viruses by Declude Virus (http://www.declude.com)]

---
This E-mail came from the Declude.Virus mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.Virus". The archives can be found at http://www.mail-archive.com.
