users@javamail.java.net

Re: Strange behaviour of javaMail in Windows XP and Norton Antivirus

From: Bill Shannon <bill.shannon_at_sun.com>
Date: Wed, 03 Nov 2010 15:35:51 -0700

martijn.list wrote on 11/ 3/10 01:25 PM:
>> But when I activate the "2010 Norton Internet Security" the behaviour
>> changes, where with the same lengthy or small emails, the
>> t.sendMessage() is no longer synchronous and it returns quickly. My
>> test flow of about 30 messages is executed very fast. During this loop,
>> the Wireshark spy shows that only the email headers for 30 emails are
>> sent to the smtp server. It is only when I "close" the transport
>> connection that all the "30 body email contents" are flushed from the XP
>> to the smtp server. I could check later in my receiver Thunderbird that
>> I could find all emails.
>
> My experience in the past (a couple of years ago) is that virus scanners
> act as an SMTP 'man in the middle'. The email sent from an email client
> is not directly sent to the external SMTP server. The message is
> intercepted first then scanned and then forwarded to the real SMTP
> server. What could happen in your case is that the email is received
> locally by Norton. Because this happens locally, it's much faster than
> sending it to the remote SMTP. Norton then scans the message and sends
> the message to the remote SMTP. This will take some time, roughly the
> same time it takes to send an email when Norton is disabled. I'm not
> sure whether this is what happens in your case but most virus scanners
> work this way.
>
> Kind regards,
>
> Martijn Brinkers

What I expected is that the virus scanner would scan the message
as it passed through, preserving the original conversation with the
mail server, but just slowing it down while it performed the scan.

If instead it's acting as a mail server itself, queuing all the messages
until they're scanned, and then sending them on, you lose the ability to
get synchronous errors from the real mail server. That seems like a serious
design error in these products.
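
The two designs contrasted in this thread, as an added Python sketch that is not part of any poster's message: a toy model with no network I/O in which the real server rejects one recipient, showing which reply the client sees under each design. All class names, addresses and reply texts are constructed for illustration.

```python
# Added illustration: a toy model of the SMTP reply path, not real network code.
# Every name, address and reply text below is hypothetical / constructed.

class RealServer:
    """Upstream SMTP server that rejects unknown recipients."""
    def __init__(self, valid_rcpts):
        self.valid = set(valid_rcpts)
        self.delivered = []

    def submit(self, rcpt, body):
        if rcpt not in self.valid:
            return 550, "5.1.1 user unknown"
        self.delivered.append((rcpt, body))
        return 250, "2.0.0 queued"

class PassThroughScanner:
    """Inspects traffic in-line and relays the real server's reply unchanged."""
    def __init__(self, upstream):
        self.upstream = upstream
    def submit(self, rcpt, body):
        return self.upstream.submit(rcpt, body)  # client sees the server's own reply
    def close(self):
        return []  # nothing was held back

class StoreAndForwardScanner:
    """Accepts locally, queues, and contacts the real server only on close."""
    def __init__(self, upstream):
        self.upstream = upstream
        self.queue = []
    def submit(self, rcpt, body):
        self.queue.append((rcpt, body))
        return 250, "2.0.0 accepted by local scanner"  # says nothing about upstream
    def close(self):
        late = []
        for rcpt, body in self.queue:
            code, text = self.upstream.submit(rcpt, body)
            if code >= 400:
                late.append((rcpt, code, text))  # the sending call already returned
        self.queue.clear()
        return late

def send_all(hop, messages):
    """Return (reply codes the client saw per message, failures surfacing on close)."""
    seen = [hop.submit(rcpt, body)[0] for rcpt, body in messages]
    return seen, hop.close()

MESSAGES = [("alice@example.test", "hi"), ("nobody@example.test", "hi")]  # constructed
VALID = ["alice@example.test"]
```
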