On 08/30/05 at 14:47, 'twas brillig and Jim McCullars scrobe: [...] > > 2) Does mimedefang have a way to detect and deny encrypted archives > > (like encrypted zip files), while still allowing through unencrypted > > archives. (it's ok if zip files are the only such archive) > > You could do something like this (untested!) in sub filter(): [...]
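Here's our version. It's been in production for well over a year, so I guess it qualifies as "somewhat-tested"...
----
# within filter_initialize ()
use Archive::Zip qw( :ERROR_CODES :CONSTANTS );
# [...]

# At file scope, so that filter() below can see them.
#
# Policy limits for ZIP inspection.  The per-member limit is the original
# 50e6; the archive-wide total is new, so that many members that are each
# just under the per-member limit cannot add up to a decompression bomb.
# Both numbers are read from the member headers (uncompressedSize), i.e.
# they are supplied by the sender; treat them as a cheap first check, not
# as proof of the real inflated size.
use constant MAX_ZIP_MEMBER_BYTES => 50e6;
use constant MAX_ZIP_TOTAL_BYTES  => 50e6;

# Extensions we refuse to let through inside an *encrypted* ZIP, where the
# content scanner cannot look at the member.  Compiled once, /x so the
# list stays readable.  The last alternative matches CLSID-style "{...}"
# pseudo-extensions.  Matched against the lower-cased member name.
my $BAD_EXT_RE = qr{
    \.
    (?: ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe
      | fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi
      | msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe
      | vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|zip|\{[^\}]+\}
    )
    \.*                           # tolerate trailing dots ("foo.exe.")
    (?: [^-A-Za-z0-9_.,] | \z )   # then a non-name character or end of name
}x;

# filter: MIMEDefang per-part hook.
#
#   $entity  MIME::Entity for this part
#   $fname   declared file name of the part
#   $ext     file extension of $fname (including the leading dot)
#   $type    declared MIME type of the part
#
# Returns the result of the action_* call that disposes of the part, or
# nothing when the part is left alone.  The prototype is the MIMEDefang
# convention for filter hooks and is kept deliberately.
sub filter ($$$$) {
    my ($entity, $fname, $ext, $type) = @_;

    return if message_rejected();   # Avoid unnecessary effort

    # Check for banned files in ZIP archives.  Requires Archive::Zip.
    # Adapted from/inspired by code from Michal Jankowski and Paul Murphy
    # on the MIMEDefang-users list.
    #
    # Trigger on the declared MIME type as well as on the extension: a ZIP
    # renamed to something else is still a ZIP, and Archive::Zip->read()
    # simply returns an error for anything that is not one.
    my $looks_like_zip =
           (defined $ext  && lc($ext)  =~ /\.zip$/)
        || (defined $type && lc($type) =~ m{\Aapplication/(?:x-)?zip(?:-compressed)?\z});

    if ($looks_like_zip) {
        # The body may not be on disk (in-core bodyhandle); then there is
        # no path to hand to Archive::Zip and nothing we can inspect.
        my $body = $entity->bodyhandle;
        my $path = defined $body ? $body->path : undef;
        if (!defined $path) {
            md_syslog('warning', "ZIP part $fname has no on-disk body; skipping archive check");
            return;
        }

        my $zipfile = Archive::Zip->new();
        my $rc      = $zipfile->read($path);
        if ($rc != AZ_OK) {
            # Include the code so a corrupt/truncated archive can be told
            # apart from a permission problem in the logs.
            md_syslog('warning', "Zipfile read returned error $rc for $path");
        }
        else {
            md_syslog('debug', "Unpacking/checking ZIP archive in $path");

            # NOTE: the original created an Archive::Zip temp file here and
            # never used it; that only left stray files in the working
            # directory, so it has been removed.

            my $total_unpacked = 0;
            foreach my $member ($zipfile->members()) {
                my $fn    = $member->fileName();
                my $fsize = $member->uncompressedSize();
                md_syslog('debug', "Checking zipfile contents $fn, size=$fsize");

                # Unpacked size limits: per member and across the whole
                # archive (the latter catches many medium-sized members).
                $total_unpacked += $fsize;
                if ($fsize > MAX_ZIP_MEMBER_BYTES || $total_unpacked > MAX_ZIP_TOTAL_BYTES) {
                    md_graphdefang_log('Zip archive contents too big ', $fn, $RelayAddr);
                    return action_bounce("rejection: possible DOS attack: overlarge archive content, file $fn, size=$fsize, total=$total_unpacked");
                }

                # Quarantine encrypted files with executable content
                # (Bagle-H and similar).  Policy: encrypted members with a
                # non-executable name are allowed through and only logged.
                if ($member->isEncrypted()) {
                    md_syslog('debug', "Checking encrypted ZIP content $fn");
                    if (lc($fn) =~ $BAD_EXT_RE) {
                        md_graphdefang_log('crypt_bad_ext', $fn, $RelayAddr);
                        action_quarantine_entire_message("encrypted ZIP file with executable content");
                        return action_replace_with_warning("An encrypted ZIP archive containing \"$fn\" was removed \nfrom this document as it constituted a likely security hazard \n(cf. Bagel worm or similar). If you require this document, \nplease contact your friendly neighborhood mail admin. \n\n Otherwise, the quarantined content will be deleted in two weeks.\n");
                    }
                    # no exe content, just log it
                    md_syslog('warning', "Encrypted file $fn in zip archive");
                }
                # could put extra virus checking here but clamav should
                # already be checking unencrypted zips
            }
        }
    }
    # [...]
}

Ole
--
Ole Craig * UNIX, linux, SMTP-fu; news, web; SGI martyr * admin-at-large
Need a seasoned *NIX admin in the Denver/Boulder area? Hire me!
http://www.cs.umass.edu/~olc/pub/olc-resume.txt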