[Mimedefang] mail/p5-MIME-tools: v 5.502 addresses important parsing bug

2011-03-09 Thread Royce Williams

> FYI, I have released MIME::tools 5.502 to CPAN today.  It is at
> http://search.cpan.org/~dskoll/MIME-tools-5.502/ (though the CPAN mirrors
> are still synchronizing, so give it some time if you get a 404 error...)
> 
> This release fixes the following bugs:
> 
> * Fix parsing bug: https://rt.cpan.org/Ticket/Display.html?id=66025
> 
> * Fix typo: https://rt.cpan.org/Ticket/Display.html?id=65387
> 
> * Fix unit tests on Perl 5.8.x: 
> https://rt.cpan.org/Ticket/Display.html?id=66188
> 
> * Fix unit test failure on Win32:  
> (https://rt.cpan.org/Ticket/Display.html?id=66286)
> 
> In particular, the parsing bug is nasty.  Anyone running MIME::tools 5.500
> or 5.501 should upgrade to 5.502 as soon as possible.

Given the as-soon-as-possible, here are the FreeBSD port bits necessary to 
manually bump your local p5-MIME-tools to 5.502 (/usr/ports/mail/p5-MIME-Tools).

I am sending to the MIMEDefang list so that people can do it manually if 
necessary, and cc:ing the FreeBSD port maintainer (p...@freebsd.org).

--- Makefile.orig   2011-02-17 16:27:29.0 -0900
+++ Makefile2011-03-09 08:24:24.0 -0900
@@ -6,7 +6,7 @@
 #

 PORTNAME=  MIME-Tools
-PORTVERSION=   5.501
+PORTVERSION=   5.502
 PORTEPOCH= 2
 CATEGORIES=mail perl5
 MASTER_SITES=  CPAN
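Review bot: The "+++ Makefile2011-03-09" header line has lost the separator between the file name and the timestamp (the "---" line still has it), so patch(1) may not pick up the target file name from this hunk as mailed; attach the diff instead of inlining it, or tell readers to edit PORTVERSION by hand. The bump also leaves distinfo describing MIME-tools-5.501.tar.gz until the second file is changed, so say that both files must be updated together before building.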


--- distinfo.orig   2011-02-17 16:27:29.0 -0900
+++ distinfo2011-03-09 08:26:45.0 -0900
@@ -1,2 +1,2 @@
-SHA256 (MIME-tools-5.501.tar.gz) = 
d375bd93d5ab76956f323daaa11583cf242d8d57e682216ee5ff2a6bfc1ac4ac
-SIZE (MIME-tools-5.501.tar.gz) = 394197
+SHA256 (MIME-tools-5.502.tar.gz) = 
c2fd87fd6939a58afec896047c2d2328db309fac513b10d4d23c26046b60304d
+SIZE (MIME-tools-5.502.tar.gz) = 394613
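Review bot: Both SHA256 entries are wrapped, with the digest on a line of its own and no +/- marker, so this hunk will not apply as mailed; each "SHA256 (...) = digest" entry needs to be on a single line. Because the new digest and SIZE arrive here in a list post, the instructions should also say to compare them against the checksum CPAN publishes for MIME-tools-5.502.tar.gz (or regenerate distinfo with "make makesum" and compare) rather than relying on the mailed values alone.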


Changelog: http://cpansearch.perl.org/src/DSKOLL/MIME-tools-5.502/ChangeLog

Parsing-bug report: https://rt.cpan.org/Ticket/Display.html?id=66025


Royce
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Kochi - filtering outbound phishing responses

2009-05-21 Thread Royce Williams
Has anybody tried integrating something like Kochi into their filter?

http://oss.lboro.ac.uk/kochi3.html

It's a Perl module for outbound messages that searches for emails
containing a username and password (in other words, a response to a
phish) and checks to see if the credentials match via PAM.  If the email
contains a valid login, you can branch and take whatever administrative
action you'd like.

I haven't tried it yet, but it sounds interesting.

Royce



[Mimedefang] Re: tripping up in percent_decode ()

2005-06-16 Thread Royce Williams

On 6/15/2005 2:03 PM, Royce Williams wrote:


mimedefang-multiplexor[1129]: Slave 0 stderr:
Use of uninitialized value in substitution (s///) at /usr/local/bin/mimedefang.pl line 349.
Use of uninitialized value in concatenation (.) or string at /usr/local/bin/mimedefang.pl line 487


Issue on my side, though I'm not sure why it failed in this way.

Turns out that a variable I was using to construct a custom header
was outside any functions in my filter, so it wasn't showing up
when I switched to embedded Perl on this system.

It is odd, though, that my call to action_change_header had a second
variable that was declared with 'use vars' but hadn't been set to
anything yet.  action_change_header happily accepts this and tries
to use it (resulting in the error), even though action_change_header
appears to want to require two arguments:

$ egrep '^sub action_change_header' /usr/local/bin/mimedefang.pl
sub action_change_header ($$;$) {


David, shouldn't mimedefang.pl have thrown a "not enough arguments"
error if the second argument was only "use vars"'d?  Or am I showing
my Perl lack-of-clue?

-royce


--
Royce D. Williams  - IP Engineering, ACS
work: [EMAIL PROTECTED]- PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED]   - http://www.tycho.org/royce/


[Mimedefang] tripping up in percent_decode ()

2005-06-15 Thread Royce Williams

Getting some stderr output after a new install:

mimedefang-multiplexor[1129]: Slave 0 stderr:
Use of uninitialized value in substitution (s///) at /usr/local/bin/mimedefang.pl line 349.
Use of uninitialized value in concatenation (.) or string at /usr/local/bin/mimedefang.pl line 487

Line 349 is the line beginning with $str below:

sub percent_encode ($) {
    my($str) = @_;
    $str =~ s/([^\x21-\x7e]|[%\\'"])/sprintf("%%%02X", unpack("C", $1))/ge;
    #" Fix emacs highlighting...
    return $str;
}


Line 487 is the print statement below:

sub write_result_line3 () {
    my($cmd, $arg1, $arg2, $arg3) = @_;
    $arg1 = percent_encode($arg1);
    $arg2 = percent_encode($arg2);
    $arg3 = percent_encode($arg3);
    print RESULTS "$cmd$arg1 $arg2 $arg3\n" or die("Could not write RESULTS line: $!");
}


It looks as though the substitution in percent_encode is failing, and
the /e syntax may not be happy about that?  I'm not enough of a Perl
person to be able to tell, and I haven't been able to track down to
anything borked on my side yet.

I'm running FreeBSD 5.3 and the following from the ports tree:

clamav-0.85.1
mimedefang-2.52
p5-File-Scan-1.43
p5-MIME-Base64-3.05
p5-MIME-Tools-5.417,2
p5-Mail-SpamAssassin-3.0.4
p5-Net-DNS-0.51
sendmail+tls+sasl2+ldap-8.13.4

-royce
--

Royce D. WilliamsIP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED] http://www.tycho.org/royce/
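
The behaviour discussed in the two percent_encode messages above (the follow-up and this original report), as an added example that is not part of the posts or of mimedefang.pl: a ($$;$) prototype checks how many arguments a call supplies when it is compiled, not whether they are defined, so an unset 'use vars' variable only surfaces later as run-time warnings. change_header_demo, $CustomHeaderValue and percent_encode_checked are hypothetical names; only percent_encode is copied from the post.

```perl
#!/usr/bin/perl
# Added example: why a ($$;$) prototype does not catch an unset 'use vars' variable.
use strict;
use warnings;

# Hypothetical filter global: declared, never assigned (as in the follow-up post).
use vars qw($CustomHeaderValue);

# percent_encode as quoted in the original report.
sub percent_encode ($) {
    my ($str) = @_;
    $str =~ s/([^\x21-\x7e]|[%\\'"])/sprintf("%%%02X", unpack("C", $1))/ge;
    return $str;
}

# Hypothetical stand-in carrying the same prototype as action_change_header.
# It only encodes and joins its arguments so that the warnings can be observed.
sub change_header_demo ($$;$) {
    my ($header, $value, $index) = @_;
    $index = 1 unless defined $index;
    return join(' ', 'demo', percent_encode($header), percent_encode($value), $index);
}

# Checked variant (an assumption about what a filter author might want, not
# MIMEDefang behaviour): refuse undefined input instead of encoding it.
sub percent_encode_checked ($) {
    my ($str) = @_;
    die "percent_encode_checked: undefined argument\n" unless defined $str;
    return percent_encode($str);
}

# Collect warnings instead of letting them go to stderr.
my @warnings;
local $SIG{__WARN__} = sub { push @warnings, $_[0] };

# 1. Two arguments are supplied, so the prototype is satisfied even though the
#    second one is undef. The problem only shows up as run-time warnings from
#    the substitution and from the string that is built afterwards.
my $line = change_header_demo('X-Example', $CustomHeaderValue);
printf "two-argument call accepted, %d warning(s):\n", scalar @warnings;
print "  $_" for @warnings;

# 2. One argument is too few for ($$;$). This is the "not enough arguments"
#    error, and it is raised when the call is compiled, not when it runs.
my $ok = eval q{ change_header_demo('X-Example'); 1 };
print "one-argument call: ", ($ok ? "compiled\n" : "rejected: $@");

# 3. The checked variant turns the silent undef into an immediate error that
#    names the function, instead of a warning at a line inside the library.
my $encoded = eval { percent_encode_checked($CustomHeaderValue) };
print "checked encode: ", (defined $encoded ? "$encoded\n" : "refused: $@");

# 4. Defined input is encoded exactly as before.
print "defined input: ", percent_encode_checked(qq{50% "off"}), "\n";
```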


[Mimedefang] non-gzipped MIMEDefang file archive?

2005-05-17 Thread Royce Williams
Is there somewhere on the MIMEDefang site that I can grab the changelog
(and/or other files) without having to download the entire distribution
and unpack it?  If not, would it be hard to make a non-compressed
archive of older distributions somewhere, as a number of other OSS
projects do?
-royce
--
Royce D. Williams  - IP Engineering, ACS
work: [EMAIL PROTECTED]- PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED]   - http://www.tycho.org/royce/


RE: [Mimedefang] Anyone using File::Scan?

2005-02-16 Thread Royce Williams
On 2/15/2005 8:46 PM, David F. Skoll wrote:
> Does anyone use File::Scan with MIMEDefang?  It seems to cause a lot
> of problems with false positives.

I've never noticed or heard of any false positives until now.  I've
never had to ask the maintainer for anything, either, so I can't speak
to his/her responsiveness.  We've been happily using it for a couple
of years without incident.
Is there any pattern to the false positives that File::Scan has been
generating?  Is it related just to the "suspicious file" detection,
or to actual signature data?

> For the next release, I'm considering removing the auto-detection
> of File::Scan.  In other words, if you want File::Scan, you'll have to
> specifically ask for it in your filter.

Not knowing any better, it seems to me that most folks would have
File::Scan installed entirely and only for use with MIMEDefang, but
I could be mistaken.  Since its value seems to come mostly from its
"quick first pass" quality, I would think that it wouldn't be as useful
as Clam AV or some other free package for other uses.
In other words, I'm arguing that if someone has File::Scan installed,
perhaps they almost always intend to use it with MIMEDefang, so the
extra step of having to enable it might be superfluous.

> Any objections to this change?

It's pretty simple to use $Features{"File::Scan"} as you suggest later
in the thread, so I won't lose any sleep over it.
If I had my druthers, though, one or more of us could try to talk to
the maintainer (Henrique Dias, [EMAIL PROTECTED]) to get at the root cause.
I'll drop him a friendly note that directs him to this thread.  If I
were him, I'd certainly want to know. :)
-royce
--

Royce D. Williams  - IP Engineering, ACS
work: [EMAIL PROTECTED]- PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED]   - http://www.tycho.org/royce/


Re: [Mimedefang] SIG11's with Mimedefang 2.48

2004-11-02 Thread Royce Williams
On 11/2/2004 8:23 AM, David F. Skoll wrote:
On Tue, 2 Nov 2004, Martin Blapp wrote:

And of course, Mimedefang on FreeBSD is only half usable because some
mails can't be proceeded at all (if long headers are added for example).
I wasn't aware of this issue -- perhaps I haven't encountered it
because I've got MAX_HEADERS_LENGTH configured in my .mc file?  Or are
we talking about the same thing?
I'd be curious to hear what other issues you've encountered on FreeBSD.
We've been ticking along here just fine literally for years, happily
processing more than a million messages a day.  Other than occasional
delays in getting this or that patch added to a required port, we've
been pretty happy.
Either there are problems occurring that are slipping below my radar
that will be revealed, or else I and others can help you with some of
your outstanding FreeBSD issues.  Either way, the community benefits.
Well, time to switch to Linux, I guess.
(Takes cover...) :-)
(Pelts with cafeteria food) ;)
-royce
--

Royce D. Williams  - IP Engineering, ACS
work: [EMAIL PROTECTED]- PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED]   - http://www.tycho.org/royce/


Re: [Mimedefang] OT: Perl Resource

2004-10-09 Thread Royce Williams
Jeff Grossman wrote, On 10/9/2004 6:24 AM:
> What is a good book on Perl programming?  I would like something that will
> help me with the mimedefang-filter file.
Programming Perl and The Perl Cookbook are the way to go for starters.
I've also found this Perl-book review page to be helpful for people
asking this question.  It's a little outdated, but definitely gives
you a good survey of the main choices.
http://www.northbound-train.com/perlbooks.html
Once you work with Perl for a while, I also recommend _Effective Perl
Programming_ by Joseph N. Hall and Randall L. Schwartz.  Short, clearly
written, and effective.
-royce
--

Royce D. Williams  - IP Engineering, ACS
work: [EMAIL PROTECTED]- PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED]   - http://www.tycho.org/royce/


Re: [Mimedefang] RE: Error

2004-09-14 Thread Royce Williams
On 9/9/2004 3:48 AM, Mike Carlson wrote:
> Any ideas on this error? I am going to assume that my portupgrade
> of the MIME:Tools broke Perl or something.
> I am on FreeBSD 4.8.
> [snip]
> Sep  7 17:08:54 hades mimedefang-multiplexor[141]: Slave 3 stderr: Can't
> locate object method "SWASHNEW" via package "utf8" (perhaps you forgot
> to load "utf8"?) at
> /usr/local/lib/perl5/site_perl/5.6.1/MIME/Parser/Filer.pm line 362.
> Compilation failed in require at
> /usr/local/lib/perl5/site_perl/5.6.1/MIME/Parser.pm line 152. BEGIN
> failed--compilation aborted at
> /usr/local/lib/perl5/site_perl/5.6.1/MIME/Parser.pm line 152.
> Compilation failed in require at /usr/local/bin/mimedefang.pl line 154.
> BEGIN failed--compilation aborted at /usr/local/bin/mimedefang.pl line
> 154.

I ran into this last week as well.  It appears that something changed
between versions to cause this problem.  I could reproduce the error and
could make it go away by downgrading using the portdowngrade port.  Note
that I had to downgrade to the 03/18 5.411a_3 version that came before
the flurry of changes on 09/02 to get things to work again.  This was
my first guess because the date range made this version look stable; I
didn't try any of the more recent versions.
Here's a transcript of how I did it.
# [EMAIL PROTECTED]:/home/ncvs
# export CVSROOT
# portdowngrade p5-MIME-Tools
portdowngrade 0.5 by Heiner Eichmann
Please note, that nothing is changed in the ports tree
unless it is explicitly permitted in step 6!
Seeking port p5-MIME-Tools ... found: mail/p5-MIME-Tools
Step 1: Checking out port from CVS repository
CVS root directory (from CVSROOT environment variable): [EMAIL PROTECTED]:/home/ncvs
The authenticity of host 'anoncvs.freebsd.org (128.46.156.46)' can't be established.
DSA key fingerprint is 52:02:38:1a:2f:a8:71:d3:f5:83:93:8d:aa:00:6f:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'anoncvs.freebsd.org' (DSA) to the list of known hosts.
Step 2: Reading the port history from the CVS repository
Step 3: Analyzing the port history from the CVS repository
Step 4: Load port version numbers and present results
Keys:  : next page  d : details
p : previous page
   : leave presentation and downdgrade if wanted
===
number date portversion  comment
1  2004/09/07 09:51:01  5.411a_5 Fix the workaround for corrupted PDF fi
2  2004/09/03 22:41:23  5.411a_4 Add fix/workaround for corrupted PDF fi
3  2004/09/02 22:33:01  5.411a_4 Bump port revision and port epoch since
4  2004/09/02 22:29:13  5.411a_3 Add BinHex support.
5  2004/09/02 22:28:46  5.411a_3 Return undef or the parsed MIME::Entity
6  2004/09/02 22:28:22  5.411a_3 Limits the number of MIME parts we will
7  2004/09/02 22:27:53  5.411a_3 Remove whitspaces from exorcise_filenam
8  2004/09/02 22:27:14  5.411a_3 Fix encoding corruption. rt.cpan.org: B
9  2004/09/02 22:26:34  5.411a_3 Parser memory leak fixed. The closure-b
   10  2004/09/02 22:26:06  5.411a_3 Correct "7_bit", "7-bit", and "7 bit" t
   11  2004/03/18 00:48:50  5.411a_3 SIZEify.
   12  2003/11/19 10:00:45  5.411a_3 Apply security related patches.
   13  2003/10/28 00:55:24  5.411a_2 Back out previous upgrade because of in
   14  2003/10/27 11:10:57  6.200.02 Mark $IGNORE if PERL_LEVEL < 500600.
   15  2003/10/26 09:21:50  6.200.02 Upgrade to 6.200_02.
   16  2003/10/24 12:02:40  5.411a_2 utilize SITE_PERL
   17  2003/02/22 07:48:47  5.411a_2 de-pkg-comment.
   18  2003/02/20 16:33:25  5.411a_2 Conditionalise several dependencies on
Total lines: 45. Command:
Enter version number to change port to (0: exit): 11
Step 5: Checking out choosen date of the port from the CVS repository
Step 6: Modifying the port
Port: mail/p5-MIME-Tools
at : 2004/03/18 00:48:50
Type 'yes' to bring the port to the state of the date above
or 'no' to exit without changing anything. Note, that this only changes
the port, not the installed software! yes or no:yes
The port has been set to the selected version. Install it if you wish.
If you have portupgrade installed, you should run
portsdb -Uu
now, to see the changes in the ports database. In any case
portupgrade -f p5-MIME-Tools
will install the changed port. Note: if you run cvsup, the port
is changed back to the choosen label!
# portupgrade -f p5-MIME-Tools
[Updating the pkgdb  in /var/db/pkg ... - 86 packages found (-0 +1) 
. done]
--->  Downgrading 'p5-MIME-Tools-5.411a_5,2' to 'p5-MIME-Tools-5.411a_3,1' 
(mail/p5-MIME-Tools)
--->  Building '/usr/ports/mail/p5-MIME-Tools'
===>  Cleaning for p5-MIME-Base64-3.03
[snip]
A general tip: I'd never had to use portdowngrade before, and I had
trouble figuring out the right CVSROOT to use.  I vigorously suggest
getting comfortable with it *before* you need it.
-royce
--
-

[Mimedefang] staying synced with example filter (was: Re: TestVirus.org)

2004-07-30 Thread Royce Williams
On 7/30/2004 8:22 AM, Kelson Vibber wrote:
> On Friday 30 July 2004 03:03 am, Martin Blapp wrote:
> There's timing... I was just looking at this stuff yesterday.  I got the same
> results initially (except for #25, which had been defanged), but after
> investigation was able to easily block the rest by copying a few bits over
> from the current example filter.  From what I can tell, it looks like these

We used the mimedefang-filter.example as the base for our initial filter.
We made sure to keep the changes/adds simple and easy to spot -- clear
comments with our company name in them, only commenting out items
rather than removing them, etc.
This makes it very easy to spot differences between our filter and any
updated version of mimedefang-filter.example.  Using sdiff -o, we can
easily merge the new filter with ours, staying current with all of the
tweaks that David and contributors make.
What's everyone else doing with reference to the example filter?
-royce
--

Royce D. Williams  - IP Engineering, ACS
work: [EMAIL PROTECTED]- PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED]   - http://www.tycho.org/royce/


Re: [Mimedefang] Re: large mimedefang setup

2004-07-18 Thread Royce Williams
Rob wrote, On 7/17/2004 12:07 AM:
> Assuming you've got a reasonable amount of memory for use as a file system
> cache then under 5.x with SoftUpdates any file that lives for less than 10
> seconds won't be written to the disk (so I'm told).  Given how rare it is even
> with multiple RBL and RAZOR lookups for a scan to last beyond 10 seconds that
> makes the use of a memory based filesystem largely pointless under 5.x.

Definitely agreed -- no special setup on our end other than soft
updates, and the disk access is actually pretty infrequent.
-royce
--

Royce D. WilliamsIP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED] http://www.tycho.org/royce/


Re: [Mimedefang] grammar nit

2004-06-22 Thread Royce Williams
On 6/22/2004 3:22 AM, David F. Skoll wrote:
> So when I'm programming and I have to choose between English grammar
> and Bourne shell grammar, English grammar loses, alas. :-)

But on the gripping hand, you can usually choose to serve both masters:
< Enable software to build on SCO UNIX or SCO Linux, in spite of SCO's disgusting attitude
> Enable software to build on SCO UNIX or SCO Linux, in spite of the disgusting attitude of SCO
:)
-royce
--

Royce D. WilliamsIP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED] http://www.tycho.org/royce/


Re: [Mimedefang] multi AV scanners

2004-05-11 Thread Royce Williams
On 5/11/2004 4:55 PM, Stewart James wrote:

> If anyone who is interesting in this can have a glance at the patch for
> and let me know if they see a fault I would be grateful. I would be
> happy to run this locally, but I would only really want to do that if it
> had a chance of entering MD proper at some point, so if someone from
> roaring penguin could let me know, then I will move forward and put it
> on my production boxes and alter the filters.

David, I feel as though we're grasping at straws here.  You probably
either think that we're barking up the wrong tree, or have an opinion on
how to DTRT here. :)  What's the "MIMEDefang way" to do this?
-royce

--

Royce D. WilliamsIP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED] http://www.tycho.org/royce/


Re: [Mimedefang] multi AV scanners

2004-05-11 Thread Royce Williams
On 5/10/2004 10:26 PM, Stewart James wrote:

Second, Looking at the log entries there is nothing that shows which
scanner detected the virus. Now, this would be quite beneficial.
Considering it would be cool to be able to do reports saying clam found
100% - trend never found them (because clam is run before trend).
Details of a mod for this are in the list archive - I know 'cos that's where 
I found this myself.

I have spent a bit of time looking over the list archives and have not
found a resolution to this. If anyone can point me in the direction I
would be grateful.
I spent a good chunk of time trying to figure out what combination of
search strings would cough up the mod described above.  The closest that
I got was
http://lists.roaringpenguin.com/pipermail/mimedefang/2003-August/016283.html

This may be of help to you, depending on what way you'll be turning your
logs into reports.  Unfortunately, it doesn't solve my problem of wanting
to use the scanner as a variable name in mimedefang-filter (without having
to override the now perfectly usable fall-through version of
message_contains_virus() included in mimedefang.pl.)
I'd love to be able to do this:

return action_bounce("Virus $VirusName found by $scanner - message from $RelayAddr rejected");

I'll keep looking.

-royce

--

Royce D. WilliamsIP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED] http://www.tycho.org/royce/


Re: [Mimedefang] piperd?

2004-05-11 Thread Royce Williams
On 5/10/2004 4:52 AM, Kevin A. McGrail wrote:

> and
> someone might be able to give you a hint how to increase the file
> descriptors in FreeBSD.  It might be a simple use of the limit or ulimit
> command but that's out of my expertise.

http://www.freebsd.org/doc/en/books/handbook/configtuning-kernel-limits.html

man sysctl and sysctl.conf for full details; you may end up settling on
something like
$ grep maxfiles /etc/sysctl.conf
kern.maxfiles=65536
kern.maxfilesperproc=32768
... or whatever fits your capacity and needs.

-royce

--

Royce D. WilliamsIP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED] http://www.tycho.org/royce/


[Mimedefang] filter awareness of which scanner detected a virus?

2004-05-07 Thread Royce Williams
What's the recommended clean way to tell which scanner found a virus
for use in mimedefang-filter?  I'm interested in being able to log it
for troubleshooting purposes.
After looking through the example filter, mimedefang.pl, I had in
mind to define my own message_contains_virus that would return it,
but I'd prefer to use the built-in routines whenever possible.
I would make a feature request for message_contains_virus() to
return the scanner as well:
--- /usr/local/bin/mimedefang.plFri Apr 16 15:02:59 2004
+++ mimedefang.pl.scanner-name  Fri May  7 11:34:20 2004
@@ -6048,7 +6048,7 @@
 foreach $scanner (@VirusScannerMessageRoutines) {
($scode, $scat, $sact) = &$scanner();
if ($scat eq "virus") {
-   return (wantarray ? ($scode, $scat, $sact) : $scode);
+   return (wantarray ? ($scode, $scat, $sact, $scanner) : $scode);
}
if ($scat ne "ok") {
$code = $scode;
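Review bot: In the message-level loop only the early return for $scat eq "virus" gains $scanner; the branch for $scat ne "ok" just records $code = $scode and returns later, outside this hunk, so list-context callers get four elements for a virus and, presumably, three otherwise. Return the responsible scanner on that path as well, or document that the fourth element is present only for the "virus" category.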
@@ -6084,7 +6084,7 @@
 foreach $scanner (@VirusScannerEntityRoutines) {
($scode, $scat, $sact) = &$scanner($e);
if ($scat eq "virus") {
-   return (wantarray ? ($scode, $scat, $sact) : $scode);
+   return (wantarray ? ($scode, $scat, $sact, $scanner) : $scode);
}
if ($scat ne "ok") {
$code = $scode;
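Review bot: The fourth element returned from the entity loop is the entry from @VirusScannerEntityRoutines itself, the same value invoked as &$scanner($e), so filters receive an internal routine name (or something like CODE(0x...) if an entry is ever a code reference) rather than a scanner name. Consider returning a normalised name from here so that each filter does not have to strip the prefix itself, and add the new element to the documented return values of entity_contains_virus().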
... but I'm not sure that I understand all of the ramifications of
doing so.  I assume that the prototyping would break some people's
filters if they're defining their own *_contains_virus() routines.
I know that I'd have to chop off "[message|entity]_contains_virus_"
from the returned value, but that's something that would belong
in the filter anyway, IMO.
-royce

--

Royce D. WilliamsIP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED] http://www.tycho.org/royce/


[Mimedefang] Local DNSBL lookups with rbldnsd (was: surbl)

2004-04-30 Thread Royce Williams
On 4/13/2004 6:15 PM, Stephen Smoogen wrote:

> Personally I think any RBL is a DoS waiting to happen. All it takes is
> them being down/broken/etc and poof your servers are down for a bit with
> the usual management questions of why did you allow it to happen.
>
> The only way I would use an RBL in a large production environment is if
> they had a DB push mechanism where I could sign up for a daily DB4 and
> source file from either a central site or some sort of P2P cloud.
>
> But I am a grumpy young sysadmin.
One of the better ones (SBL+XBL) lets you set this up for free, if
you're "big enough" (250K+ queries/day).
SBL+XBL page:   http://www.spamhaus.org/xbl/index.lasso
Rsync zone access:  http://www.spamhaus.org/service/
I had the same DoS worry; using a combination of sbl-xbl.spamhaus.org
with rbldnsd and rsync, we've got a copy of the zone locally on each
mail server, coexisting nicely with the caching BIND already there.
It required a little setup up front, but we've been pleased with the
results.  We've also reduced DNS traffic by a substantial amount --
I refused 1.3M connections yesterday using SBL+XBL.  Because it's
effectively local, it's the first DNSBL check we perform now.
The Spamhaus folks were very helpful and they had a hole poked for
our rsync within a couple of hours of my follow-up email about our
setup.  They even have the rsyncs distributed across particular
parts of the hour, assigning a minute to you for the SBL and the
XBL.  We're never more than an hour stale.
A potential speed bump is their requirement to use rbldnsd.  They
only push the lists out in rbldnsd format, but it's worth the
learning curve to use it, for those of you not familiar with it.
It does wildcarded/templated TXT responses for DNSBLs, has a small
memory footprint, and also speaks CIDR.  You can also combine
separate zone files into a single zone, accessed with one lookup.
	http://www.corpit.ru/mjt/rbldnsd.html

Our empirical testing of looking up even information that was already
cached made rbldnsd *very* attractive (~5.5ms/lookup for BIND vs
~.5ms/lookup for rbldnsd).  There are some large lists that we keep
in access.db files that we'll then be converting to rbldnsd zones,
so that we don't have to pay the per-box cost of distributing the
access file and then generating the .db -- and because the sendmail
access file doesn't speak CIDR.
There's a FreeBSD rbldnsd port that installed quite nicely, and the
maintainer is quick with updates.
We're using forwarding as described in http://njabl.org/rsync.html :

zone "sbl-xbl.spamhaus.org" IN {
    type forward;
    forward first;
    forwarders {
        127.0.0.2;
    };
};
... so it's kept private and fast, and coexists with our BIND that's
on 127.0.0.1.  I had never previously had to figure out how to create
a loopback alias before in FreeBSD, but it works like a charm.
In short -- if they get DoSed, Slashdot will tell me before my mail farm
does, making me a less grumpy young sysadmin. :)
You can tell I was on vacation; sorry for the stale posts.

-royce

--

Royce D. WilliamsIP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED] http://www.tycho.org/royce/


Re: [Mimedefang] MD upgrade - how?

2004-04-30 Thread Royce Williams
On 4/22/2004 4:26 AM, David F. Skoll wrote:

> On Thu, 22 Apr 2004, Michal Szymanski wrote:
>
>> What is the recommended way of upgrading MD?
>
> Just do:
>
> ./configure && make
> make install

I know this thread is stale, but I couldn't resist ...

For some reason, I was expecting David to say,

	Install CanIT. :)

(smiley would be his)

-royce

--

Royce D. WilliamsIP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED] http://www.tycho.org/royce/


Re: [Mimedefang] email wiretap (an additional twist).

2004-03-16 Thread Royce Williams
Michael Sofka wrote:

> We're looking into Unified Messaging (Voice over IP) from Cisco, which
> makes voice mail (recorded phone calls) available by email.  Making
> surreptitious copies of that email may be construed as a wiretap
> someday.  Likewise, if one of your users has http://www.vonage.com/,

Hmm.  (waves large IANAL sign and medium-sized "I only speak for myself"
banner)
As I understand it, the message has to be "in transit" for it to be
considered a wire tap.  Our local law enforcement had to have a search
warrant to get the contents of someone's mail spool, but a Federal
wiretap order to get us to show them packet sniffing of inbound mail.
In that context, someone's voice mail, having already arrived at the
destination, would not require wiretap-grade authorization.  A search
warrant would be sufficient to get access to it.
Ditto for email.  In theory, this means that contents of mail queues
might be construable as "in transit" in the same way that intercepting
a USPS truck requires more than a search warrant (as I recall).
Also, as I understand it, you have the right to monitor your own network
and facilities.  It's the rules/laws that govern disclosure to others
that are the clincher.
But again, I'm neither a lawyer nor speaking for anyone but me. :)

-royce

--

Royce D. WilliamsIP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED] http://www.tycho.org/royce/


Re: [Mimedefang] starting on freebsd 5.2.1

2004-03-09 Thread Royce Williams
Ron Wilhoite wrote:

I was wondering (yet another newbie question here) how people
started mimedefang on freebsd 5.2.x ?
Assuming mimedefang.sh and sendmail.sh you are good to go.

man rc.d:

 o   The scripts within each directory are executed in
lexicographical
 order.  
This is entirely true in the 4.x releases; the 5.x use rcNG.

Technically, you are correct for 5.x as well -- 5.x rc scripts are also
executed in lexicographical order if there are no other controls (for
backwards compatibility).  While this happens to solve this instance of
the problem (because mimedefang precedes sendmail lexicographically),
this is a coincidence.  The "right" way, IMO, is to use the rcNG
dependency mechanism -- that's what it's there for.
-royce

--

Royce D. WilliamsIP Engineering, ACS
work: [EMAIL PROTECTED]  PGP: 3FC087DB/1776A531
personal: [EMAIL PROTECTED] http://www.tycho.org/royce/


Re: [Mimedefang] starting on freebsd 5.2.1

2004-03-09 Thread Royce Williams
J.D. Bronson wrote:

I was wondering (yet another newbie question here) how people
started mimedefang on freebsd 5.2.x ?
The new rc stuff -- dubbed "rcNG" -- is supposed to allow you to control
start order.  "man rc.subr" and "man rcorder" on a recent 5.x box.  You
can use keywords like "REQUIRE" and "BEFORE" to dictate the logical
ordering that you want.  It requires a little work to get it going, but
more and more of the ports are switching over to using this method.
-royce



[Mimedefang] RSS feed for mimedefang.org?

2004-03-07 Thread Royce Williams
David,

Is there an RSS feed for MIMEDefang?

-royce



Re: [Mimedefang] MIMEDefang as a mail gateway...?

2004-03-05 Thread Royce Williams
Les Mikesell wrote:

The best solution here is probably to put the users in LDAP and
configure the outside mailer to use it but I haven't done that
myself yet.  I just periodically grep the logs for the rejections
and stick the frequent ones into sendmail's access list with a
REJECT on the outside machine. 
Whoops -- good catch.  Forgot to mention that we're using the FreeBSD
sendmail-ldap port and doing exactly what you're describing here.  This
is also not exactly trivial but is doable.  It's only a couple of lines
in the sendmail .mc file to point it at the right LDAP server, but the
crafting of the query for user verification varies.  You'll be looking
for the following .mc items:
FEATURE(ldap_routing)
LDAPROUTE_DOMAIN_FILE   (list of LDAP-handled domains)
define(`confLDAP_DEFAULT_SPEC')
-royce



Re: [Mimedefang] MIMEDefang as a mail gateway...?

2004-03-05 Thread Royce Williams
Jason Williams wrote:

Hello everyone.

I'm setting up a mail gateway server for our company that is going to 
have the following:

FreeBSD 4.9
Sendmail 8.12.11
Latest version of MIMEDefang
Sole purpose is to scan all incoming mails for the company, clean them, 
then pass them off to the internal mail server.

I wanted to know if there may be any potential problems with this 
particular setup? Anything I should be aware of before I begin testing 
and setting up.
We're currently running exactly the same on five boxes in a farm setup.
Not counting the mail we reject at the sendmail level, we pass something
on the order of 1M messages/day off to the back end mail servers.
We've been very happy.  Using FreeBSD's ports tree to keep current with
p5-Mail-SpamAssassin, p5-File-Scan, clamav, and the ports version
of sendmail has made it very easy to stay current with little downtime
and low maintenance overhead.  Also, the defaults for clamav and
SpamAssassin are adjusted slightly by the porter to be reasonable for
a FreeBSD box in a more-than-low-volume environment.
I do recommend using the ports version of sendmail -- easier to upgrade
when a sendmail vulnerability is announced, and very well maintained by
the same core FreeBSD folks that integrate sendmail into the stock
install.  It's a little tricky to set up (the doc for the port tells you
what to do) but it's hands-off after the initial setup.
Note that we're not yet on MIMEDefang 2.40 -- the ports tree hasn't
absorbed it yet.  Around the time that they update the port is around
the time that I'm comfortable with most new things anyway, but YMMV.
-royce



Re: [Mimedefang] Virus scanner order in v2.40

2004-03-05 Thread Royce Williams
Aaron Paetznick wrote:

initialize_virus_scanner_routines() defines a certain order of scanners, 
with File::Scan being first.  For people who run ClamAV, it might be 
slightly more efficient to list clamd first before File::Scan, and the 
impact to non-ClamAV users would be zero.  Thoughts?
Since File::Scan is already loaded by MIMEDefang, it runs without having
to call an external program.  Without having any actual stats at hand,
it seems reasonable to conclude that you get a lot of bang for the buck
by having File::Scan make the first pass.
-royce



Re: [Mimedefang] minor upgrade of clamav, email not being scanned...

2004-02-19 Thread Royce Williams
Lee Dilkie wrote:

Previously, I had run clamd as "mailnull", the same user that mimedefang
runs as. But the new startup script that got installed used the user
"clamav". So I left it at that and changed the mimedefang.pl to also look in
a different location for the clamd socket. That all seems fine because like
I said, if I disable clamd, mimedefang detects this and complains,
tempfailing messages.
What FreeBSD port did you upgrade from?  You may want to identify that
section and look at the FreeBSD port revision history, checking each
of the changes that have happened since.  It should make for a nice
checklist of things that have changed.
http://www.freshports.org/security/clamav/

-royce



Re: [Mimedefang] Problem scanning ZIP archives with CLAMAV

2004-02-16 Thread Royce Williams
Lucas Albers wrote:

I've encountered this problem:
clamscan will scan zip files and detect a virus.
clamdscan will not.
Bingo!  I thought that I was just crazy and/or had a config problem.
Does anyone know what causes the difference?
-royce



Re: [Mimedefang] base64-encoded vbscript .hta file with self-extracting embedded virus

2004-01-22 Thread Royce Williams


[EMAIL PROTECTED] wrote:

I don't have any real expectation that Clam would be able to
recognize this in its JS-hta-wrapped form, now that I understand
it -- but I am interested in the idea that anyone can repackage an
existing Trojan in this way and slip by most scanners.
-royce
   

I have to disagree with "most" here - MimeDefang's default filter includes
hta in its list of bad extensions.
 

I should have been more explicit -- s/scanners/virus scanners/g.  David's
comment about the uber-polymorphs certainly applies, though. :)
-royce


Re: [Mimedefang] base64-encoded vbscript .hta file with self-extracting embedded virus

2004-01-22 Thread Royce Williams
Lucas Albers wrote:

Royce Williams wrote:
   

Our customer base got hit today with a virus that slipped through
via some wily obfuscation that I hadn't seen before.  What it does,
in a nutshell, is a base64-encoded .hta file that has VBScript in it
to convert a long string of hex into a binary, store it in your
system32 directory, and run it.
 

This is only occurring if you are NOT blocking hta extensions, correct?
So blocking hta extensions removes this attack vector.
You are not referring to hta files slipping by your hta filter?
 

We differentiate between exe|com|bat|scr and the rest of the dangerous
list, and hadn't put .hta in the "really bad" list.  So blocking .hta
outright wasn't happening.  We're now defanging .hta -- oversight on my part.

After unpacking and de-hexing this one, it did turn out to be
Trojan.VBS.Inor.U, just like the one that Kris was getting, with
the same "disconnect you in 24 hours" text.
I don't have any real expectation that Clam would be able to
recognize this in its JS-hta-wrapped form, now that I understand
it -- but I am interested in the idea that anyone can repackage an
existing Trojan in this way and slip by most scanners.
-royce


[Mimedefang] base64-encoded vbscript .hta file with self-extracting embedded virus

2004-01-21 Thread Royce Williams
Our customer base got hit today with a virus that slipped through
via some wily obfuscation that I hadn't seen before.  What it does,
in a nutshell, is a base64-encoded .hta file that has VBScript in it
to convert a long string of hex into a binary, store it in your
system32 directory, and run it.  Full explication below (courtesy
of a VB guy in my office). 

I'm running MIMEDefang 2.37, spamassassin 2.61,
clamav 0.60 and File::Scan 0.78, on FreeBSD 4.8.
Did I miss a thread on this, or has anyone seen it?

1.szBinary = 
"4D5A93000400B8004000
EE1FBA0E00B409CD21B8014CCD21546869732070726F6772616D"

[ rest of hex redacted]

2.set WshShell = CreateObject("WScript.Shell")
3.set WshEnv = WshShell.Environment("Process")
4.szApplication = WshEnv("SystemRoot")&"\System32\usb_d2.exe"
5.Set hFSO = CreateObject("Scripting.FileSystemObject")
6.Set hFile = hFSO.CreateTextFile(szApplication, true)
7.intLength = len(szBinary)
8.intPosition = 1
9.while intPosition < intLength
10.char = Int("&H" & Mid(szBinary, intPosition, 2))
11.hFile.Write(Chr(char))
12.intPosition = intPosition+2
13.wend
14.hFile.Close
15.Set hShell=CreateObject("WScript.Shell")
16.hShell.run(szApplication)


1.   Stores the hex values in a text string
2.   Fires up the DOS shell
3.   Find out where your system folder is
4.   create a "text" file in your system32 folder named "usb_d2.exe" (could be randomized)
5.   Fire up the FileSystem Object (to manipulate files)
6.   open the "text" file for writing (the true)
7.   find out how long the string is
8.   set the position to the first character
9.   while not end-of-string
10.   find the hex value of the next two characters
11.   write the character that is represented by the hex value to the text file
12.   go to the next set of hex characters
13.   end while loop
14.   close the file
15.   open the DOS shell again (sloppy code, they can reuse the first one)
16.   execute the file

-royce
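
A content check for the wrapper described in this thread, as an added example (not part of the original posts and not MIMEDefang code): it decodes each attachment and flags a long hex literal beginning with 4D5A, the "MZ" header visible in the listing above, whatever the file extension is. The names scan_message, build_sample and SCRIPT_EXTS and the 64-digit threshold are assumptions; the sample message is constructed and inert.

```python
import re
from email import message_from_bytes
from email.message import EmailMessage

# Extensions treated as script containers (assumed list); .hta is the one from this thread.
SCRIPT_EXTS = {".hta", ".vbs", ".js", ".wsf"}
# A long unbroken run of hex digits is rare in ordinary text (threshold is an assumption).
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{64,}")


def scan_message(raw: bytes) -> list[dict]:
    """Return one finding per leaf part that is a script container and/or
    carries a hex literal starting with the PE 'MZ' magic (4D5A)."""
    findings = []
    for part in message_from_bytes(raw).walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        body = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        # Remove whitespace so a literal wrapped over several lines is one run.
        compact = re.sub(rb"\s+", b"", body)
        hex_pe = any(m.group().upper().startswith(b"4D5A")
                     for m in HEX_RUN.finditer(compact))
        if ext in SCRIPT_EXTS or hex_pe:
            findings.append({"filename": name,
                             "script_ext": ext in SCRIPT_EXTS,
                             "hex_encoded_pe": hex_pe})
    return findings


def build_sample(filename: str = "notice.hta") -> bytes:
    """Constructed message: the attachment's hex literal is 'MZ' followed by
    zero bytes, wrapped over two lines like the listing in the post."""
    script = ('<script language="VBScript">\nszBinary = "4D5A'
              + "00" * 20 + "\n" + "00" * 40 + '"\n</script>\n')
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(script.encode(), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

Renaming the attachment changes only the script_ext flag; the hex_encoded_pe flag comes from the decoded content.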





Re: [Mimedefang] "Deep recursion on subroutine" in MIME::Parser - how to trace?

2004-01-13 Thread Royce Williams
My original motive for posting resides within the subject line -- how
can I tell which connection is the one that caused the failure?
Since the error returned by sendmail when the milter dies is a 4.7.1,
the message that's trying to be delivered keeps killing my slaves.
Still trying to track down what's causing the deaths. Even though
it appears that I've got a patched MIME-Tools and have
MaxMIMEParts enabled, I still get this error on my test box
that I'm trying to track down:
Jan 13 12:54:43  zuul mimedefang-multiplexor: Slave 0 stderr: 
Can't locate object method "max_parts" via package "MIME::Parser" 
(perhaps you forgot to load "MIME::Parser"?) at 
/usr/local/bin/mimedefang.pl line 4640.

-royce



Re: [Mimedefang] "Deep recursion on subroutine" in MIME::Parser - how to trace?

2004-01-13 Thread Royce Williams
Alexander Dalloz wrote:

MIME::Parser is part of the perl-MIME-tools. Did you install the version
patched by David? It's available through www.mimedefang.org.
 

I'm using the FreeBSD port p5-MIME-Tools-5.411a_3,1 -- which
in theory incorporated David's patches back on 06/05/2002:
$ grep "Do RFC 2231" /usr/local/lib/perl5/site_perl/5.6.1/MIME/Field/ParamVal.pm
   # Do RFC 2231 processing

I've verified that this copy of ParamVal is the only one on the box.

Or you might run into a situation for which following is in the
mimedefang-filter (commented out):
 

[snip]

# $MaxMIMEParts = 50;

Alexander
 

After uncommenting this, I restarted everything and I now get this if I send
a message with lots of tiny attachments through my devel box:
Jan 13 09:47:10  zuul mimedefang-multiplexor: Slave 0 stderr: 
Can't locate object method "max_parts" via package "MIME::Parser"  
(perhaps you forgot to load "MIME::Parser"?) at 
/usr/local/bin/mimedefang.pl line 4640

-royce



Re: [Mimedefang] "Deep recursion on subroutine" in MIME::Parser - how to trace?

2004-01-13 Thread Royce Williams


Royce Williams wrote:

A problem cropped up for me this weekend.  I have slaves consistently dying
with a "Deep recursion on subroutine" error in MIME::Parser:
Silence from the list usually either means "you're clueless, buddy" or
"too weird/one-off/complex to bother with".  :) Guessing the former,
I dug more and found the mimedefang-filter MaxMIMEParts variable.
Almost simultaneously, Doug wrote back to me and said that this
fixed the error for him.
Should this be a FAQ entry?  I'd be happy to write one.

-royce
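
The idea behind the MaxMIMEParts limit mentioned above, as an added Python example (not MIMEDefang or MIME::Parser code): one pass over the raw message counts multipart parts and nesting depth and stops as soon as a limit is crossed, so no entity tree is built and nothing recurses. The default of 50 parts mirrors the `$MaxMIMEParts = 50` line quoted in this thread; check_mime_complexity, TooComplex, build_nested and the depth limit of 10 are assumptions, and the input is constructed.

```python
import re

BOUNDARY_PARAM = re.compile(rb'boundary\s*=\s*"?([^";\r\n]+)"?', re.I)


class TooComplex(Exception):
    """Raised when a message exceeds the part or nesting limit."""


def check_mime_complexity(raw: bytes, max_parts: int = 50,
                          max_depth: int = 10) -> tuple[int, int]:
    """Count multipart parts and nesting depth without building a parse tree.
    Returns (parts, deepest) or raises TooComplex at the first excess.
    Only multipart nesting is tracked, not nested message/rfc822 bodies."""
    known = set()      # boundary strings declared so far
    open_stack = []    # boundaries opened and not yet closed
    parts = deepest = 0
    for line in raw.splitlines():
        for m in BOUNDARY_PARAM.finditer(line):
            known.add(m.group(1))
        if not line.startswith(b"--"):
            continue
        token = line[2:].rstrip()
        if token.endswith(b"--") and token[:-2] in known:
            # Closing delimiter: this level and anything nested in it ends.
            if token[:-2] in open_stack:
                del open_stack[open_stack.index(token[:-2]):]
        elif token in known:
            if token in open_stack:
                # Next sibling at an open level; deeper levels end implicitly.
                del open_stack[open_stack.index(token) + 1:]
            else:
                open_stack.append(token)
                deepest = max(deepest, len(open_stack))
            parts += 1
            if parts > max_parts or len(open_stack) > max_depth:
                raise TooComplex(f"parts={parts} depth={len(open_stack)}")
    return parts, deepest


def build_nested(depth: int, leaves: int) -> bytes:
    """Constructed input: `depth` nested multipart/mixed levels with
    `leaves` text parts in the innermost one."""
    out = [b"From: sender@example.com", b"Subject: constructed sample"]
    for d in range(depth):
        out += [b'Content-Type: multipart/mixed; boundary="b%d"' % d,
                b"", b"--b%d" % d]
    for i in range(leaves):
        if i:
            out.append(b"--b%d" % (depth - 1))
        out += [b"Content-Type: text/plain", b"", b"leaf %d" % i]
    out += [b"--b%d--" % d for d in reversed(range(depth))]
    return b"\r\n".join(out) + b"\r\n"
```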



[Mimedefang] "Deep recursion on subroutine" in MIME::Parser - how to trace?

2004-01-13 Thread Royce Williams
A problem cropped up for me this weekend.  I have slaves consistently dying
with a "Deep recursion on subroutine" error in MIME::Parser:
07:36:20 hermod mimedefang-multiplexor: Slave 15 stderr: Deep recursion 
on subroutine "MIME::Parser::process_part" at 
/usr/local/lib/perl5/site_perl/5.6.1/MIME/Parser.pm line 713,  
line 3774.
07:36:20 hermod mimedefang-multiplexor: Slave 15 stderr: Deep recursion 
on subroutine "MIME::Parser::process_part" at 
/usr/local/lib/perl5/site_perl/5.6.1/MIME/Parser.pm line 713.
07:36:22 hermod mimedefang-multiplexor: Slave 15 stderr: Deep recursion 
on subroutine "MIME::Parser::process_multipart" at 
/usr/local/lib/perl5/site_perl/5.6.1/MIME/Parser.pm line 1013,  
line 7597.
07:36:22 hermod mimedefang-multiplexor: Slave 15 stderr: Deep recursion 
on subroutine "MIME::Parser::process_message" at 
/usr/local/lib/perl5/site_perl/5.6.1/MIME/Parser.pm line 1021,  
line 7662.
07:36:23 hermod mimedefang-multiplexor: Slave 15 stderr: Out of memory!
07:36:23 hermod mimedefang-multiplexor: Slave 15 ran out of memory -- 
possible DoS attack due to complex MIME?
07:36:23 hermod mimedefang-multiplexor: Reap: Idle slave 15 (pid 77873) 
exited normally with status 1 (SLAVE DIED UNEXPECTEDLY)

I'm running MD 2.38 on FreeBSD 4.8 with File::Scan 0.78 and clamav-0.60.

Does anyone know how else I could try to track this
one down?  I see that Doug Hunley had this problem last year,
but don't see any replies.
http://lists.roaringpenguin.com/pipermail/mimedefang/2002-June/010239.html

-royce
