[Mimedefang] Block executables in 7Z archive - solution

2015-10-08 Thread Tomasz Ostrowski
We're getting a lot of trojan executables in 7Z archives lately, like 
this one:

https://www.virustotal.com/pl/file/8f766ccb4821488c8b34abda0d472e627dba6f1d261073852e079c66313a9f11/analysis/

I've added code to my mimedefang-filter, based on 
suggested-minimum-filter-for-windows-clients, in filter_bad_filename 
which tests for this. I'd like to share:


# Look inside 7Z files
if (re_match($entity, '\.7z$')) {
    my $bh = $entity->bodyhandle();
    if (defined($bh)) {
        my $path = $bh->path();
        if (defined($path)) {
            # List the archive contents; "-p" with an empty password makes
            # 7za fail on archives with encrypted headers, so those are
            # blocked by the $code check below
            my ($code, $category, $action) =
                run_virus_scanner("7za l -slt -bd -p -y -- $path");
            if ($action ne 'proceed') {
                return $code;
            }
            if ($code) {
                return $code;
            }
            # $re is the bad-filename regexp from filter_bad_filename
            return 1 if $VirusScannerMessages =~ /$re/im;
        }
    }
}

This requires the 7za program (from the p7zip package) installed on the 
server. This will also block 7z archives with encrypted filenames.


Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh
___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
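The listing check the filter above performs on $VirusScannerMessages, as an added Python example (not part of the post and not MIMEDefang code): it parses the `7za l -slt` output into member paths, skips the archive's own Path line, and matches each member against a bad-extension pattern; a non-zero 7za exit (encrypted headers with the empty `-p` password) blocks the archive, as in the filter. The listing text is constructed, BAD_NAME_RE is an assumed subset of the extensions suggested-minimum-filter blocks (the filter's $re), and check_archive assumes a 7za binary on PATH.

```python
"""Detect executable members in a 7z archive from a "7za l -slt" listing."""
import re
import subprocess

# Assumption: a subset of the extensions suggested-minimum-filter blocks.
BAD_NAME_RE = re.compile(r'\.(exe|scr|pif|com|bat|cmd|chm|js|vbs)$', re.IGNORECASE)

# Constructed sample of "7za l -slt" output for a two-member archive.
SAMPLE_LISTING = """\
7-Zip (a) [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18

Listing archive: invoice.7z

--
Path = invoice.7z
Type = 7z
Solid = -
Blocks = 2

----------
Path = invoice.pdf
Size = 1024
Packed Size = 900
Attributes = A
CRC = 1A2B3C4D
Method = LZMA

Path = invoice.pdf.exe
Size = 65536
Packed Size = 30000
Attributes = A
CRC = DEADBEEF
Method = LZMA
"""


def member_paths(listing):
    """Return the member paths of a -slt listing.

    Members follow the '----------' separator; the archive's own
    'Path =' line sits before it and is deliberately not matched.
    """
    _, sep, body = listing.partition('\n----------\n')
    if not sep:
        return []
    return [m.group(1) for m in re.finditer(r'^Path = (.*)$', body, re.M)]


def bad_members(listing, pattern=BAD_NAME_RE):
    """Members whose name matches the bad-extension pattern."""
    return [p for p in member_paths(listing) if pattern.search(p)]


def check_archive(path, seven_za='7za'):
    """Run 7za the way the filter does and decide (blocked, reason).

    A non-zero exit (e.g. encrypted headers that the empty password
    cannot open) blocks the archive, mirroring the filter's $code check.
    """
    proc = subprocess.run([seven_za, 'l', '-slt', '-bd', '-p', '-y', '--', path],
                          capture_output=True, text=True)
    if proc.returncode != 0:
        return True, 'listing failed (exit %d)' % proc.returncode
    hits = bad_members(proc.stdout)
    if hits:
        return True, 'executable members: ' + ', '.join(hits)
    return False, 'clean'


if __name__ == '__main__':
    print(bad_members(SAMPLE_LISTING))   # ['invoice.pdf.exe']
```

Matching per member path instead of running one regexp over the whole 7za output also avoids false hits on the archive's own name or on the banner text.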


[Mimedefang] Re: Missed executable attachments with empty Content-Type

2015-04-29 Thread Tomasz Ostrowski

On 2015-04-28 16:10, Dianne Skoll wrote:


However, you're right... MIMEDefang is not picking up the attachment
name.  I will look into it.


Actually, I'm wrong... in CanIt, we do pick up the attachment name
by using $entity->head->recommended_filename.  I have no idea
why it's not working for you; this is very mysterious.


I've found the cause - I have outdated MIME-tools. The distributions I use, 
CentOS 6 and CentOS 5 (clones of RHEL 6 and 5), provide a very outdated 
MIME-tools 5.427. In the 5.505 Changelog from 2013-11-14 there's:

* Fix bug in header parsing that would fail to parse a header like:
  Content-Type: ; name=malware.zip


I've managed to work around this without conflicting with the system's 
package management like this:


# Downloaded latest version of MIME-tools
# from http://search.cpan.org/~dskoll/MIME-tools/ to /tmp/

# Extracted it:
cd /tmp; tar xf MIME-tools-*.tar.gz; cd MIME-tools-*

# Created a directory for updated MIME-tools module:
mkdir /etc/mail/mimedefang-lib

# Installed the module:
perl Makefile.PL INSTALL_BASE=/etc/mail/mimedefang-lib/
make install

# Added module path to search path in mimedefang run script
echo 'export PERL5LIB=/etc/mail/mimedefang-lib/lib/perl5/' >> /etc/sysconfig/mimedefang

# Restarted mimedefang:
service mimedefang restart


This might be useful for other RHEL/CentOS/Scientific/Oracle Linux 
users. Thank you, Dianne, for your help.


Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


[Mimedefang] Re: Missed executable attachments with empty Content-Type

2015-04-29 Thread Tomasz Ostrowski

On 2015-04-28 16:06, Kevin A. McGrail wrote:

Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm].


I think this resolution is unsustainable - this technique might get
popular fast if it proves to fool filters.


(...)  MD is open-source and the enemy is the bastard spammers/malware
authors.  Don't attack people trying to help, donating their time and
giving you possible solutions.  Instead you might consider thanking
them, providing feedback or even taking a swipe at the code and post a
patch.


I'm very sorry if I've written something rude - I didn't mean to. 
English isn't my primary language - I might have failed to convey the 
tone of my statement.


I just wanted to report this to the mailing list because I was afraid that 
other users could have their network compromised if they used a similar 
setup. Thanks to Dianne's test on her systems I was able to find the 
cause, which was an outdated perl module. I've shared my solution in a 
follow-up email.


I really think MIMEdefang is awesome, very powerful software. It has been 
protecting my non-profit foundation for more than 10 years. Thank you.


Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


[Mimedefang] Re: Missed executable attachments with empty Content-Type

2015-04-28 Thread Tomasz Ostrowski

On 2015-04-28 15:13, Dianne Skoll wrote:

I've just received a trojan/exploit attachment with CHM extension,
which should be filtered by MIMEdefang but wasn't.


Well, it surely depends on your filter?


My filter depends on the re_match function provided by MIMEdefang. 
suggested-minimum-filter-for-windows-clients uses it as well.


Mimedefang-filter man page says:

re_match returns true if any of the fields [Content-Disposition.filename,
Content-Type.name and Content-Description] matches the regexp without
regard to case.


In my example Content-Type should match, but it doesn't, because it is 
probably deliberately broken enough to avoid detection by security 
products, but not enough to stop working in email clients.



Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm].


I think this resolution is unsustainable - this technique might get 
popular fast if it proves to fool filters.


Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


[Mimedefang] Missed executable attachments with empty Content-Type

2015-04-28 Thread Tomasz Ostrowski
I've just received a trojan/exploit attachment with a CHM extension, which 
should have been filtered by MIMEdefang but wasn't.


This attachment was sent in a MIME part with a broken header:
Content-Type: ;
 name=SecureMessage.chm
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 name=SecureMessage.chm

Please notice the empty Content-Type in the above header. Because of the 
empty content type my mail client (Thunderbird) displayed it as garbage, but 
also defaulted to saving it as a file with the original name 
SecureMessage.chm. Opening it would compromise a system, as it isn't 
recognized as a virus by most antivirus programs yet:

https://www.virustotal.com/en/file/467f6d76802014ab671fa868b9b81b79497889f906c434620742e391aee17670/analysis/

I've retested it, changing the extension to EXE, and it was also allowed.

I'm attaching the whole message (beware, it contains a virus) in a 7z archive 
with the password infected.


Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


NatWest Secure Message.7z
Description: application/7z-compressed
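The broken header above is exactly what a re_match-style check has to cope with. As an added Python example (not code from the post, from MIMEDefang or from MIME-tools), here is a tolerant parameter parser that still returns the name parameter when the Content-Type value is empty, run against a copy of the header from the post and against a well-formed one. The bad-extension pattern is an assumed subset of suggested-minimum-filter's list; the parser also reads a name= parameter on Content-Disposition, which this header uses instead of filename= (an extension beyond the three fields the man page lists for re_match).

```python
"""Find attachment names in a MIME part header, even with an empty Content-Type."""
import re

# Assumption: a subset of the extensions suggested-minimum-filter blocks.
BAD_NAME_RE = re.compile(r'\.(exe|scr|pif|com|bat|cmd|chm|js|vbs)$', re.IGNORECASE)

# Copy of the broken part header from the post (constructed, body omitted).
BROKEN_HEADER = (
    "Content-Type: ;\n"
    " name=SecureMessage.chm\n"
    "Content-Transfer-Encoding: base64\n"
    "Content-Disposition: attachment;\n"
    " name=SecureMessage.chm\n"
)


def unfold(raw):
    """Join RFC 2822 continuation lines (leading whitespace) onto their header."""
    return re.sub(r'\r?\n[ \t]+', ' ', raw)


def parse_headers(raw):
    """Return {lowercased name: value} for each header line (last wins)."""
    headers = {}
    for line in unfold(raw).splitlines():
        if not line.strip():
            continue
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return headers


def split_params(value):
    """Split 'type; a=b; c="d e"' into ('type', {'a': 'b', 'c': 'd e'}).

    Unlike a strict parser, an empty or missing type is accepted, so the
    parameters after 'Content-Type: ;' are still returned. Quoted values
    that themselves contain ';' are not handled by this simple splitter.
    """
    parts = [p.strip() for p in value.split(';')]
    main = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if '=' not in p:
            continue
        k, _, v = p.partition('=')
        params[k.strip().lower()] = v.strip().strip('"')
    return main, params


def candidate_names(raw):
    """Names to test: Content-Disposition filename, Content-Type name,
    Content-Description, plus Content-Disposition name (lenient)."""
    h = parse_headers(raw)
    _, ct = split_params(h.get('content-type', ''))
    _, cd = split_params(h.get('content-disposition', ''))
    names = []
    for v in (cd.get('filename'), cd.get('name'), ct.get('name'),
              h.get('content-description')):
        if v and v not in names:
            names.append(v)
    return names


def is_bad_attachment(raw, pattern=BAD_NAME_RE):
    """True when any candidate name matches the bad-extension pattern."""
    return any(pattern.search(n) for n in candidate_names(raw))


if __name__ == '__main__':
    print(candidate_names(BROKEN_HEADER), is_bad_attachment(BROKEN_HEADER))
```

The point of the tolerant split is that a parser which insists on a type/subtype token before the first ';' drops the whole header, and with it the only place the filename appears.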


Re: [Mimedefang] detect failed auth

2014-10-09 Thread Tomasz Ostrowski

On 2014-09-10 16:29, David F. Skoll wrote:


Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: d...@hydrogen.roaringpenguin.com [192.168.10.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6


I've recently configured fail2ban on my CentOS 5 server with blocking 
based solely on this line:

Oct  9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA


I installed fail2ban from EPEL and created /etc/fail2ban/filter.d/smtp.conf:

# Fail2Ban filter for sendmail authentication failures
#

[INCLUDES]
before = common.conf

[Definition]
_daemon = sendmail
failregex = ^ ?%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to (TLS)?MTA$

ignoreregex =


And created /etc/fail2ban/jail.local:


[DEFAULT]
ignoreip = 127.0.0.0/8 192.168.0.0/16
usedns   = no

[ssh-iptables]
enabled  = false

[smtp]
enabled  = true
filter   = smtp
action   = iptables-multiport[name=sendmail-auth, port=submission,465,smtp, protocol=tcp, blocktype=DROP]
logpath  = /var/log/maillog



Then simply run:
# chkconfig fail2ban on
# service fail2ban start

And brute-force attacks slowed considerably. I think this would also work 
for CentOS/RHEL 6 with no modifications.



I assumed that no legitimate client would connect without issuing 
MAIL/EXPN/VRFY/ETRN. Definitely not more than two times in 5 minutes, which 
triggers a ban.


There could be a problem if some user tried to log in with a bad password 
more than twice in 5 minutes - he would not be able to send mail for an 
hour.




Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh
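The failregex from smtp.conf above, applied to constructed sendmail log lines in Python (an added example, not fail2ban's own code): fail2ban's %(__prefix_line)s and <HOST> tags are replaced with hand-written stand-ins, a "did not issue" line is matched per host and timestamp, and hosts are flagged when their hits inside a window reach the retry limit. The maxretry and findtime values are assumptions that mirror the post's "more than twice in 5 minutes"; the log lines are modelled on the one quoted in the post, with an ordinary delivery line added to show it does not match.

```python
"""Run the sendmail "did not issue MAIL/EXPN/VRFY/ETRN" failregex over log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Stand-in for fail2ban's %(__prefix_line)s (assumption, simplified):
# "Oct  9 10:17:38 batyskaf sendmail[16834]: "
PREFIX = r'(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sendmail\[\d+\]: '
# Stand-in for fail2ban's <HOST> tag: IPv4 literal only (fail2ban's is broader)
HOST = r'(?P<host>\d{1,3}(?:\.\d{1,3}){3})'

# The failregex from smtp.conf with the two tags substituted
FAILREGEX = re.compile(
    r'^ ?' + PREFIX + r'\w{14}: (\S+ )?\[' + HOST + r'\]( \(may be forged\))? '
    r'did not issue MAIL/EXPN/VRFY/ETRN during connection to (TLS)?MTA$'
)

# Constructed log lines modelled on the post; line 4 is a normal delivery
SAMPLE_LOG = """\
Oct  9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:18:02 batyskaf sendmail[16840]: s998I2Ab016840: [173.88.252.250] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:18:40 batyskaf sendmail[16851]: s998IeQx016851: mail.example.net [198.51.100.7] did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
Oct  9 10:19:11 batyskaf sendmail[16860]: s998JBcd016860: from=<user@example.org>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=[203.0.113.9]
Oct  9 10:20:15 batyskaf sendmail[16863]: s998KFxy016863: [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""


def matches(log_text, year=2014):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            # syslog timestamps carry no year; one is assumed for the example
            ts = datetime.strptime('%d %s' % (year, m.group('ts')), '%Y %b %d %H:%M:%S')
            yield ts, m.group('host')


def hosts_to_ban(log_text, maxretry=3, findtime=300):
    """Hosts with at least `maxretry` hits inside some `findtime`-second window
    (fail2ban-style counting; the values here are assumptions)."""
    hits = defaultdict(list)
    for ts, host in matches(log_text):
        hits[host].append(ts)
    banned = []
    for host, times in hits.items():
        times.sort()
        for i, start in enumerate(times):
            window = [t for t in times[i:] if (t - start).total_seconds() <= findtime]
            if len(window) >= maxretry:
                banned.append(host)
                break
    return banned


if __name__ == '__main__':
    print(hosts_to_ban(SAMPLE_LOG))   # ['173.88.252.250']
```

Running the regexp over a captured log sample like this before enabling the jail is the cheap way to confirm it matches the "(may be forged)" and TLSMTA variants and nothing else; the caveat in the post still applies, since a legitimate client that repeatedly fails AUTH produces the same log line.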


Re: [Mimedefang] MIMEDefang 2.72-BETA-2 is available

2011-07-05 Thread Tomasz Ostrowski

On 2011-06-20 19:35, David F. Skoll wrote:


I've released MIMEDefang 2.72-BETA-2


I have a configure.in bug to report, which was also present in older 
versions. In a pure 64-bit Linux environment libmilter.a is in the /usr/lib64/ 
directory, but configure only searches /usr/lib/, so it fails with 
the following message if 32-bit libraries are not installed:

configure: WARNING: Oops.. I couldn't find libmilter.a or libmilter.so.  Please install Sendmail
configure: WARNING: and its libraries.  You must run Build in the libmilter/ directory
configure: WARNING: to compile libmilter.


I'm attaching a proposed patch, which isn't perfect but I think should 
be good enough. I think a proper fix would be to use AC_SEARCH_LIBS 
instead of AC_CHECK_PROG, but I cannot test it for portability.



Also the unstripped Makefile target disappeared. This target was useful, 
for example, for rpm packagers, as it allowed automatic building of 
debuginfo packages, which contain debugging symbols for programs and 
aren't installed by default but only as needed. This change isn't 
mentioned in the Changelog. For other packagers: I was able to work 
around this by adding INSTALL_STRIP_FLAG= to make install.



Please also mention in the Changelog the renaming of the Makefile 
variable RPM_INSTALL_ROOT to DESTDIR, as it is also used by packagers.


Regards
Tometzky
--
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh
diff -urNP mimedefang-2.68.orig/configure.in mimedefang-2.68/configure.in
--- mimedefang-2.68.orig/configure.in   2010-02-22 16:50:09.0 +0100
+++ mimedefang-2.68/configure.in2010-03-02 21:16:17.413499226 +0100
@@ -663,12 +663,12 @@
 SMPATH=`echo ../sendmail-*/obj.*/libmilter`
 old_as_test_x=$as_test_x
 as_test_x='test -e'
-AC_PATH_PROG(LIBMILTER, libmilter.a, no, 
$MILTERLIB:$SMPATH:/usr/local/lib:/lib:/usr/lib:/usr/lib/libmilter)
+AC_PATH_PROG(LIBMILTER, libmilter.a, no, 
$MILTERLIB:$SMPATH:/usr/local/lib:/usr/local/lib64:/lib:/lib64:/usr/lib:/usr/lib64:/usr/lib/libmilter)
 SMPATH=`echo ../sendmail-*/obj.*/libsm`
-AC_PATH_PROG(LIBSM, libsm.a, no, 
$SMPATH:/usr/local/lib:/lib:/usr/lib:/usr/lib/libmilter)
+AC_PATH_PROG(LIBSM, libsm.a, no, 
$SMPATH:/usr/local/lib:/usr/local/lib64:/lib:/lib64:/usr/lib:/usr/lib64:/usr/lib/libmilter)
 
 dnl find libmilter.so in case we have shared libraries
-AC_PATH_PROG(LIBMILTERSO, libmilter.so, no, 
$MILTERLIB:$SMPATH:/usr/local/lib:/lib:/usr/lib:/usr/lib/libmilter)
+AC_PATH_PROG(LIBMILTERSO, libmilter.so, no, 
$MILTERLIB:$SMPATH:/usr/local/lib:/usr/local/lib64:/lib:/lib64:/usr/lib:/usr/lib64:/usr/lib/libmilter)
 as_test_x=$old_as_test_x
 
 dnl find Sendmail
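Review bot: in all three AC_PATH_PROG lines the new lib64 directories are appended after their 32-bit counterparts (`...:/usr/lib:/usr/lib64:...`), so on a multilib host that has both /usr/lib/libmilter.a and /usr/lib64/libmilter.a the 32-bit archive is still found first and a 64-bit link fails; list /usr/local/lib64, /lib64 and /usr/lib64 ahead of the matching lib entries, or, as the cover message itself suggests, replace the hardcoded directory list with AC_SEARCH_LIBS so no path needs guessing. The file header also shows the patch was taken against mimedefang-2.68/configure.in while the report concerns 2.72-BETA-2, so the hunk offsets may need refreshing before it applies.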


Re: [Mimedefang] Skipping SA on TLSMTA connections?

2006-11-26 Thread Tomasz Ostrowski
On Fri, 24 Nov 2006, Kees Theunissen wrote:

 There is a small problem with this approach - Bayes database do not
 learn phrases and words used in e-mail sent by your own users.
 
 Is that a problem if you don't scan these messages anyway?

You scan replies. And your friends / customers do use the phrases that
you do.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


Re: [Mimedefang] Skipping SA on TLSMTA connections?

2006-11-24 Thread Tomasz Ostrowski
On Wed, 22 Nov 2006, Philip Prindeville wrote:

 if (
   $Features{SpamAssassin} &&
   $SendmailMacros{'daemon_name'} ne 'TLSMTA'
 )

I use:

if (
    $Features{SpamAssassin} &&
    (!defined($SendmailMacros{'auth_type'})) &&
    ($RelayAddr ne '127.0.0.1')   # quoted: a bare 127.0.0.1 is a Perl v-string, not the address
)

This 'auth_type' check was suggested on this list some time ago. It
is more portable than the 'daemon_name' check.

And if a message is already on my server I assume it is not spam.


There is a small problem with this approach - the Bayes database does not
learn phrases and words used in e-mail sent by your own users.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


Re: [Mimedefang] SPF

2006-11-06 Thread Tomasz Ostrowski
On Sun, 05 Nov 2006, David F. Skoll wrote:

 SPF breaks forwarding, which is very annoying.

It does not if it is set to use the forwarding address in the envelope. I'm
doing forwarding in procmail. This is a fragment of my script:

#
VACATION_PRIMARY_ADDRESS=[EMAIL PROTECTED]
VACATION_PRIMARY_ADDRESS_REGEX=`echo $VACATION_PRIMARY_ADDRESS | sed -e 's:[\.\+]::g'`
VACATION_FORWARD=[EMAIL PROTECTED]

:0 c
* ! ^FROM_DAEMON
* $ ! ^X-Loop: $VACATION_PRIMARY_ADDRESS_REGEX
| formail -A X-Loop: $VACATION_PRIMARY_ADDRESS -i Return-Path: | \
$SENDMAIL -f$VACATION_PRIMARY_ADDRESS -oi $VACATION_FORWARD
#

This way the sender will not get a bounce with an unknown address if
the forward destination is broken.

  For folks on the road, there are plenty of workable solutions.
 
 We use OpenVPN, which works well if both ends are running Linux.
 Because of deficiencies in Windoze's TUN implementation, it's a bit
 more painful to get it working on that platform, but we managed it.

It is much easier to use the submission port + STARTTLS, or SMTPS. Neither
uses the smtp port, which is often blocked.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


[Mimedefang] MIMEdefang RPM in Fedora Extras repository

2006-09-19 Thread Tomasz Ostrowski
An RPM version of MIMEdefang,
mimedefang-2.57-4.fc5.*.rpm,
has shown up in the Fedora Extras 5 repository. This means that it will be
automatically updated by the nightly yum update if mimedefang was
installed from RPM.

This version does not have any antivirus functionality compiled in,
so this may make your system less secure. If you use any antivirus
and the mimedefang rpm, you'd better disable its automatic updates by
adding:
exclude=mimedefang
to your /etc/yum.conf.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


[Mimedefang] mimedefang in endless loop (socketpair)

2006-05-23 Thread Tomasz Ostrowski
I've got two mimedefang 2.56 processes hung in an endless loop (in
running state). I'll have to kill these processes but I want to send
you the information I'm able to gather about them in case it can be
useful for finding a bug.

The command strace -p [PID] on these processes shows an endless stream of
socketpair(PF_??? (0x4001c14c), SOCK_??? (0), , 3175087548, [1, 1]) = 0
lines. lsof -p [PID] on one of them shows 21 open
/var/spool/MIMEDefang/mimedefang.sock files and also open
/var/spool/MIMEDefang/mdefang-k4MDkN1J014281/HEADERS (deleted)
/var/spool/MIMEDefang/mdefang-k4MDkN1J014281/COMMANDS (deleted)
/var/spool/MIMEDefang/mdefang-k4MDkNAw014242/HEADERS (deleted)
/var/spool/MIMEDefang/mdefang-k4MDkNAw014242/COMMANDS (deleted)
/var/spool/MIMEDefang/mdefang-k4MDkNfs014278/HEADERS
/var/spool/MIMEDefang/mdefang-k4MDkNfs014278/COMMANDS

/var/spool/MIMEDefang/mdefang-k4MDkNfs014278/HEADERS is empty and
/var/spool/MIMEDefang/mdefang-k4MDkNfs014278/COMMANDS looks like this:
S
sSIZE=3019
=_ smtp11.wanadoo.fr%20[193.252.22.31]
=daemon_name MTA
=i k4MDkNfs014278
=if_addr 62.89.72.200
=if_name statek.batory.org.pl
=j statek.batory.org.pl
=mail_addr 
=mail_host 
=mail_mailer local
Qk4MDkNfs014278
Hsmtp11.wanadoo.fr
I193.252.22.31
Esmtp11.wanadoo.fr
R[EMAIL PROTECTED] local ? l

Corresponding /var/log/maillog entries look like this:

May 22 15:46:24 statek sendmail[14281]: k4MDkN1J014281:
from=<>, size=3019, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,
relay=smtp11.wanadoo.fr [193.252.22.31]
May 22 15:46:24 statek sendmail[14281]: k4MDkN1J014281:
[EMAIL PROTECTED]... User unknown

May 22 15:46:31 statek sendmail[14242]: k4MDkNAw014242:
from=<>, size=3019, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,
relay=smtp11.wanadoo.fr [193.252.22.31]
May 22 15:46:31 statek sendmail[14242]: k4MDkNAw014242:
[EMAIL PROTECTED]... User unknown

May 22 15:46:23 statek sendmail[14278]: k4MDkNfs014278:
from=<>, size=3019, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,
relay=smtp11.wanadoo.fr [193.252.22.31]
May 22 15:46:23 statek sendmail[14278]: k4MDkNfs014278:
[EMAIL PROTECTED]... User unknown

My filter (it is a customized and hacked filter based on
suggested-minimum-filter-for-windows-clients 1.87):
http://ludzie.batory.org.pl/~tometzky/mimedefang/mimedefang-filter
It does not use SpamAssassin.

perl-5.8.3
sendmail-8.13.6

This is on an ancient linux-2.2.27-rc2 on libc-5, so it
can just be a system fault - I'm slowly migrating this to a newer
system, but this is a big pain because of lots of libc-5 / python-1.4,
no-source-available custom software.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


Re: [Mimedefang] mimedefang in endless loop (socketpair)

2006-05-23 Thread Tomasz Ostrowski
On Tue, 23 May 2006, Paul Murphy wrote:

  May 22 15:46:24 statek sendmail[14281]: k4MDkN1J014281:
  from=<>, size=3019, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,
  relay=smtp11.wanadoo.fr [193.252.22.31]
  May 22 15:46:24 statek sendmail[14281]: k4MDkN1J014281:
  [EMAIL PROTECTED]... User unknown
 
 Looks like normal activity - someone sending via the Wanadoo server in France
 is attempting to send you lots of mail for an unknown user, and your system
 is correctly processing them and returning the user unknown error.

I know. But this should not cause a MIMEdefang process to hang, using
all the cpu power it can get, for a day (until I killed it).

Regards
Tometzky
-- 
Best of prhn - the funniest texts of the Polish UseNet
http://rainbow.mimuw.edu.pl/~tometzky/humor/
  Chaos always defeats order, because it is better organized.
  [ Terry Pratchett ]


Re: [Mimedefang] New to MIMEDEFANG

2006-03-29 Thread Tomasz Ostrowski
On Wed, 29 Mar 2006, Richard Laager wrote:

 On Wed, 2006-03-29 at 10:19 +0530, R.Linga Reddy wrote:
  I am new to MIMEDEFANG, I am planing to install on FEDORA CORE 3 or 
  CORE 4, will it support, and is there any problem,
 
 It'll work fine. I run it on Fedora Core 4.

It will work, but I do not recommend FC3 because it has too old a perl
and you'll need to do some magic. Fedora Core 4 does have all the
required perl modules either in core or in extras. Also FC3 is not
maintained anymore (other than security patches), so just use FC4 or
FC5.

Regards
Tometzky
-- 
Best of prhn - the funniest texts of the Polish UseNet
http://prhn.dnsalias.org/
  Chaos always defeats order, because it is better organized.
  [ Terry Pratchett ]


Re: [Mimedefang] Writing to an MBOX file

2006-03-21 Thread Tomasz Ostrowski
On Tue, 21 Mar 2006, Damrose, Mark wrote:

  I think the From line needs a little bit more info. I ran 
  into problems with a Mailman archive when I fed it to 
  Dovecot, my IMAP server, because it didn't like the 
  abbreviated From line. It thought the whole file was one big 
  message. Looking at one of my mbox files, it appears that a 
  datestamp is needed on the end of the line.
 
 If you're going to write it yourself, you also need to worry 
 about From_ quoting.
 
 See http://www.qmail.org/man/man5/mbox.html
 and http://homepages.tesco.net./~J.deBoynePollard/FGA/mail-mbox-formats.html

Or just pipe INPUTMSG to procmail -d defang. Then you would not need to
worry about locking, From lines, ^From quoting etc.

Regards
Tometzky
-- 
Best of prhn - the funniest texts of the Polish UseNet
http://rainbow.mimuw.edu.pl/~tometzky/humor/
  Chaos always defeats order, because it is better organized.
  [ Terry Pratchett ]


Re: [Mimedefang] Re: Justifying greylisting to management

2006-03-03 Thread Tomasz Ostrowski
On Wed, 01 Mar 2006, David F. Skoll wrote:

 Sendmail has every reason to assume that if an SMTP client has a
 broken implementation of the state machine on one message attempt,
 it probably will break on every attempt, so why tempfail?

This assumption would be wrong. It could be true if there had been no
temporary failure on rcpt before - then every other attempt would
indeed be the same, so there's no reason to bother with 4xx. But if
there is a temporary failure then it should be assumed that the
conditions can change and next time there'll be no reason to
tempfail.

RFC2821:
A rule of thumb to determine whether a reply fits into the
4yz or the 5yz category (see below) is that replies are 4yz
if they can be successful if repeated without any change in
command form or in properties of the sender or receiver (that
is, the command is repeated identically and the receiver does
not put up a new implementation.)

In this case if commands are repeated identically then they can be
successful, hence proposed 4xx response.

I'm going to send a feature request to
[EMAIL PROTECTED].

 True; if bandwidth is a scarce resource, this could be an issue. It
 isn't for us, and I suspect it isn't for most people -- I doubt
 e-mail uses the majority of bandwidth at most organizations.

You're right. Although e-mail is often misused for file transfer -
"ooh, a cool mpeg, let's e-mail it to all my friends".

Regards
Tometzky
-- 
Best of prhn - the funniest texts of the Polish UseNet
http://prhn.dnsalias.org/
  Chaos always defeats order, because it is better organized.
  [ Terry Pratchett ]


Re: [Mimedefang] Re: Justifying greylisting to management

2006-03-03 Thread Tomasz Ostrowski
On Fri, 03 Mar 2006, Tomasz Ostrowski wrote:

 I'm going to send a feature request to
 [EMAIL PROTECTED].

- Forwarded message -

From: Tomasz Ostrowski [EMAIL PROTECTED]
Subject: RFE: Tempfail data when at least one rcpt to tempfailed and none 
accepted
To: [EMAIL PROTECTED]
Date: Fri, 3 Mar 2006 10:51:52 +0100

I'd like to ask you to consider my proposal - that DATA requests
be temporarily rejected (4xx) instead of permanently rejected
when at least one RCPT TO request was temporarily rejected and no
RCPT TO request was accepted.


The developer of the MIMEdefang milter (http://www.mimedefang.org/),
David F. Skoll dfsatroaringpenguin.com, said on its mailing list
that it has implemented greylisting in a way that tempfails after
DATA, not after the RCPT TO command.

The reasoning was:

| Now, there *are* some marginal SMTP servers that fail in the
| following scenario:
| 
| C: HELO myname.domain.com
| S: 250 whatever
| C: MAIL FROM:[EMAIL PROTECTED]
| S: 250 2.1.0 go ahead
| C: RCPT TO:[EMAIL PROTECTED]
| S: 451 4.7.1 greylisting; try in 2 minutes
| C: DATA
| S: 503 5.0.0 need RCPT!
| 
| (and client bounces message)
| 
| Notice that?  Some marginal clients attempt a DATA even if all
| RCPTs are 4xx'd.  Our solution is to greylist after the DATA phase
| (that is, at the .) While this wastes bandwidth, it does keep
| those marginal SMTP implementations from failing.

I said that:

| This could be avoided if sendmail would tempfail data requests if
| any rcpt to request tempfailed and every rcpt to request
| tempfailed or permfailed.

David did not like this, because:

1. Sendmail has a right to reject after the DATA phase, because the RFC
states that at least one recipient must be accepted when a client
sends DATA. I agree, but it also has a right to tempfail.

2. Sendmail can assume that if a client has a broken implementation
which caused this failure, then every subsequent attempt will also
fail, so there's no reason to tempfail. I do not agree - if
there's a temporary failure then it should be assumed that the
conditions can change and next time there'll be no reason to
tempfail. If commands are repeated identically then they can be
successful, hence the proposed 4xx response.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh

- End forwarded message -


Re: [Mimedefang] Re: Justifying greylisting to management

2006-03-01 Thread Tomasz Ostrowski
On Sun, 26 Feb 2006, David F. Skoll wrote:

 Now, there *are* some marginal SMTP servers that fail in the
 following scenario:
 
 C: HELO myname.domain.com
 S: 250 whatever
 C: MAIL FROM:[EMAIL PROTECTED]
 S: 250 2.1.0 go ahead
 C: RCPT TO:[EMAIL PROTECTED]
 S: 451 4.7.1 greylisting; try in 2 minutes
 C: DATA
 S: 503 5.0.0 need RCPT!
 (and client bounces message)

This could be avoided if sendmail tempfailed DATA requests when
any RCPT TO request tempfailed and every RCPT TO request tempfailed
or permfailed.

Maybe a small patch for sendmail would do it.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


Re: [Mimedefang] Re: Justifying greylisting to management

2006-03-01 Thread Tomasz Ostrowski
On Wed, 01 Mar 2006, David F. Skoll wrote:

  This could be avoided if sendmail would tempfail data requests if
  any rcpt to request tempfailed and every rcpt to request tempfailed
  or permfailed.
 
 But the RFC says that an SMTP client MUST NOT issue a DATA command unless
 at least one RCPT succeeded, so Sendmail is within its rights to issue
 a 5xx failure code.

Of course.

But it is also within its rights to issue 4xx. And if it makes it
more reliable, then why not?

This would not encourage the developers of broken servers to fix them,
or administrators to migrate. But it could be better than tempfailing
after DATA, because tempfailing RCPT TO sometimes does not work -
it will not waste bandwidth.

Regards
Tometzky
-- 
Best of prhn - the funniest texts of Polish Usenet
http://prhn.dnsalias.org/
  Chaos always defeats order, because it is better organized.
  [ Terry Pratchett ]


Re: [Mimedefang] MIMEDefang 2.55-BETA-2 is available

2006-01-17 Thread Tomasz Ostrowski
On Mon, 16 Jan 2006, [EMAIL PROTECTED] wrote:

 *** NOTE INCOMPATIBILITY *** filter_begin NOW TAKES ONE ARGUMENT,
  NOT ZERO.  IF YOUR FILTER HAS A
  PROTOTYPE FOR filter_begin, YOU SHOULD
  FIX OR REMOVE THE PROTOTYPE
 
  It'd be nice to have an example here. Not knowing Perl very
  well, I would not understand Fix or remove the prototype without
  an example from your previous post on this.

 That means that in mimedefang-filter you have a sub function that
 looks like this: sub filter_begin() then you should change that
 to sub filter_begin($) or sub filter_begin

I already know what this means. But that is only because I read
David's previous message. I'm just saying that this INCOMPATIBILITY
note should be more verbose and give an example for those who do not
know Perl very well and will not understand it.

I'm not very good at English, so I'm sorry if I said something wrong
and was not understandable.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


Re: [Mimedefang] Bare returns in message body

2005-11-17 Thread Tomasz Ostrowski
On Thu, 10 Nov 2005, David F. Skoll wrote:

 - There is no way to see a lone LF from milter.

It seems that this is no problem, because this should also be the
case for the local mailer on Unices. At least procmail saves files
with bare LF.

Does anybody use sendmail on MacOSX (Unix to be or not Unix to be) or
Windows to check it there?

 - There IS a way to see a lone CR.

So I'd propose something like:

# after message_contains_virus(): force a rebuild of any message in
# which mimedefang.pl flagged bare CR/LF, so sendmail sees a clean copy
if ($SuspiciousCharsInBody) {
    action_rebuild();
}

But then we should recheck rebuilt message for viruses - in case the
virus program has problems with bare cr. I don't know how to do
this (message_contains_virus() on modified message). Of course we
don't need to recheck attachments of this message (we build it so
we're sure there won't be anything unexpected) - only the message as
a whole.

Regards
Tometzky
-- 
Best of prhn - the funniest texts of Polish Usenet
http://prhn.dnsalias.org/
  Chaos always defeats order, because it is better organized.
  [ Terry Pratchett ]


Re: [Mimedefang] Bare returns in message body

2005-11-10 Thread Tomasz Ostrowski
On Wed, 09 Nov 2005, Jan Pieter Cornet wrote:

 However, you're ALSO removing lone CRs in the process, CR characters
 that a MUA will see, and might react upon (it might even trigger
 a bug in the MUA... a bug which is scanned for in some virus scanner,
 but that fails to detect it because the CR characters aren't there.
 This is speculation, however).

I remember a post to bugtraq that dealt with this as a security
problem - I cannot Google it right now, though. There was client
software that treated bare CR and bare LF like CRLF, but an
antivirus gateway did not, and so did not find an included virus.

In that post there were 2 possible solutions:

1. reject bare cr and bare lf on the wire - not acceptable
because of crappy SMTP software;

2. modify a message at gateway converting all bare cr's and bare
lf's to crlf, so we're sure that every software will treat this
in the same way - this violates RFC (modifies a message at gateway)
but it's not a problem with a message that already violates RFC.

It would be nice for mimedefang to follow this second approach -
every message violating crlf should be converted before checking
attachment names, using virus scanners or spamassassin and should be
returned to sendmail also converted.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh
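The second approach described above (convert every bare CR and bare LF to CRLF before any scanner looks at the message), as an added Python illustration that is not part of this post, of the bugtraq post it recalls, or of MIMEDefang. It shows how a header block read by a strict CRLF-only parser and one read by a parser that also breaks on a lone CR can disagree about whether an attachment is declared at all, and that the disagreement disappears once the message is normalized. The sample message is constructed for the example; has_bare_line_endings() plays the role of MIMEDefang's $SuspiciousCharsInBody here but is not its implementation.

```python
import re
from typing import Dict

# Constructed sample: the line break after the Content-Type header is a bare
# CR, so a strict CRLF-only reader sees one header line where a lenient
# reader sees two.
SAMPLE = (b"Content-Type: text/plain\r"
          b"Content-Disposition: attachment; filename=evil.exe\r\n"
          b"\r\n"
          b"body text\r\n")


def has_bare_line_endings(data: bytes) -> bool:
    """True if the data contains a CR not followed by LF or an LF not
    preceded by CR (a stand-in for MIMEDefang's $SuspiciousCharsInBody)."""
    return re.search(rb"\r(?!\n)|(?<!\r)\n", data) is not None


def normalize_line_endings(data: bytes) -> bytes:
    """Rewrite every bare CR and bare LF as CRLF. Existing CRLF pairs are
    left alone: the alternation tries CRLF first, so a pair is never split."""
    return re.sub(rb"\r\n|\r|\n", b"\r\n", data)


def parse_headers(data: bytes, bare_cr_ends_line: bool) -> Dict[bytes, bytes]:
    """Parse the header block up to the first empty line.

    bare_cr_ends_line=False splits only on CRLF, like a strict scanner;
    True also splits on a lone CR, like a lenient mail client. Header names
    are returned lower-cased; folding is ignored, which is enough here."""
    terminator = rb"\r\n|\r" if bare_cr_ends_line else rb"\r\n"
    headers: Dict[bytes, bytes] = {}
    for line in re.split(terminator, data):
        if line == b"":
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers


def attachment_name(data: bytes, bare_cr_ends_line: bool) -> bytes:
    """Filename a reader with the given line-ending rule would extract, or b''."""
    disposition = parse_headers(data, bare_cr_ends_line).get(b"content-disposition", b"")
    match = re.search(rb"filename=([^;\s]+)", disposition)
    return match.group(1) if match else b""


if __name__ == "__main__":
    for label, data in (("raw", SAMPLE), ("normalized", normalize_line_endings(SAMPLE))):
        print(f"{label:10} strict sees {attachment_name(data, False)!r}, "
              f"lenient sees {attachment_name(data, True)!r}")
```

On the raw sample the strict reader finds no Content-Disposition header, because the lone CR leaves it glued to the Content-Type value, while the lenient reader finds filename=evil.exe. After normalize_line_endings() both readers agree, which is the property the gateway wants before it runs attachment-name checks, the virus scanner and SpamAssassin.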


Re: [Mimedefang] MIMEdefang on CPAN? or in RPM form?

2004-12-29 Thread Tomasz Ostrowski
On Tue, 28 Dec 2004, Les Mikesell wrote:

 On Sat, 2004-12-25 at 18:47, Gary Funck wrote:
 
  I'm about ready to install MIMEdefang, and was wondering if MIMEdefang is
  available on CPAN, or available in RPM form?
 
 Dag Wieers has it packaged for redhat/fedora (along with about every
 other program known to man...).
 http://dag.wieers.com/packages/mimedefang/

But his packages are seriously outdated and recent versions of
MimeDefang had some security related issues corrected.

I've announced here before my set of updated RPMs, based mostly on Dag's:

http://prhn.dnsalias.org/~tometzky/mimedefang/perl-Convert-BinHex-1.119-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MIME-Base64-3.05-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-IO-stringy-2.109-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MailTools-1.65-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MIME-tools-5.415-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/mimedefang-2.49-1t.src.rpm

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


Re: [Mimedefang] Fedora 2 upgrade issues

2004-12-15 Thread Tomasz Ostrowski
On Tue, 14 Dec 2004, Kenneth Porter wrote:

 I figured I'd take a crack at updating to the latest MD, and started by 
 trying to update MIME-tools. I immediately run into the problem that it 
 wants a new MIME::QuotedPrint but Red Hat, in their infinite wisdom (rolls 
 eyes) have decided to bundle this package in the main Perl package.

I've made RPM packages of needed modules for my Fedora Core 3 system:

http://prhn.dnsalias.org/~tometzky/mimedefang/perl-Convert-BinHex-1.119-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MIME-Base64-3.05-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-IO-stringy-2.109-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MailTools-1.65-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MIME-tools-5.415-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/mimedefang-2.49-1t.src.rpm

They should work on Fedora 1-3 or any Fedora-like RPM-based system.
They are mostly based on outdated Dag Wieers packages
(http://dag.wieers.com/packages/).

Please compile (rpmbuild --rebuild) and install them in the above order.

Regards
Tometzky
-- 
Best of prhn - the funniest texts of Polish Usenet
http://prhn.dnsalias.org/
  Chaos always defeats order, because it is better organized.
  [ Terry Pratchett ]


[Mimedefang] mimedefang.c:1721: structure has no member named `sin_addr'

2004-12-01 Thread Tomasz Ostrowski
I've an old, Libc-5 based, Linux system with mimedefang. When I tried
to compile mimedefang-2.49 I got the following message:
mimedefang.c: In function `main':
mimedefang.c:1721: structure has no member named `sin_addr'
make: *** [mimedefang.o] Error 1

It looks like the code used when a system does not have inet_ntop()
is broken. At least when I changed it, as you can see in the attached
patch, it compiled and seems to work.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh
diff -urP mimedefang-2.49.orig/mimedefang.c mimedefang-2.49/mimedefang.c
--- mimedefang-2.49.orig/mimedefang.c   Wed Nov 24 21:59:17 2004
+++ mimedefang-2.49/mimedefang.cMon Nov 29 18:57:24 2004
@@ -1718,7 +1718,7 @@
}
 #else
{
-   char *s = inet_ntoa(in.sin_addr);
+   char *s = inet_ntoa(in);
if (s  *s) MyIPAddress = strdup_with_log(s);
}
 #endif
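Review bot: the `#else` branch this hunk changes is compiled only when inet_ntop() is absent, so no current build exercises it; before merging, check the declaration of `in` above the hunk to confirm it is a `struct in_addr` (the reported error shows it is not a `struct sockaddr_in`) and that the inet_ntop() branch under `#if` passes the same object, so both paths format the same address. A one-line comment would also help the next reader: inet_ntoa() returns a pointer to a static buffer, which is why the result goes through strdup_with_log() immediately on the following line.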


[Mimedefang] JPEG exploit checking in mimedefang-filter

2004-09-28 Thread Tomasz Ostrowski
I have written a quick and dirty check for corrupt JPEG files in
mimedefang-filter. It uses the program djpeg, which should be in most
Linux and Unix distributions, to convert the file to a bitmap written
to /dev/null. It lets the file in if it manages to convert it
successfully, and rejects it otherwise.

It should catch the latest JPEG virus. At least it catches the sample
I have found here:
http://www.easynews.com/virus.html

###
# New function: check for corrupted JPEG files
sub filter_corrupt_jpeg ($) {
    my($entity) = @_;

    if (re_match($entity, '\.jp(e?)g$') ) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                # Decode at 1/8 scale straight to /dev/null; a non-zero exit
                # status means djpeg could not parse the file.
                my($code, $category, $action) =
                    run_virus_scanner("djpeg -fast -dither none -grayscale -scale 1/8 -outfile /dev/null $path");
                if ($action ne 'proceed') {
                    return $code;
                }
                if ($code) {
                    return $code;
                }
            }
        }
    }

    return 0;
}
###

###
# This should go in filter() function
if (filter_corrupt_jpeg($entity)) {
    md_graphdefang_log('corrupt_jpeg', $fname, $type);
    action_bounce("Access denied. Corrupt file $fname not allowed.", 554, "5.7.1");
    return action_discard();
}

###

###

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh
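A narrower, dependency-free variant of the check above, added here as an illustration and not taken from the post or from djpeg: instead of decoding the image it walks the JPEG marker segments up to Start Of Scan and rejects a file whose segment lengths are impossible or run past the end of the data. Every marker segment other than the standalone ones carries a 16-bit big-endian length that counts its own two bytes, so a declared length below 2 cannot occur in a well-formed file. The sample files are constructed inside the block. This catches structural damage of that kind only; djpeg's full decode rejects more, so it complements rather than replaces the filter above.

```python
import struct

SOI, EOI, SOS, TEM = 0xD8, 0xD9, 0xDA, 0x01
# Markers that carry no length field: SOI, EOI, TEM and the restart markers RST0-RST7.
STANDALONE = {SOI, EOI, TEM} | set(range(0xD0, 0xD8))


def check_jpeg_structure(data: bytes) -> str:
    """Walk marker segments from SOI to SOS; return 'ok' or the reason the
    file is malformed. Entropy-coded data after SOS is not examined."""
    if len(data) < 4 or data[:2] != b"\xff\xd8":
        return "missing SOI"
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return f"expected marker at offset {pos}"
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker, allowed
            pos += 1
            continue
        pos += 2
        if marker in STANDALONE:
            if marker == EOI:
                return "EOI before SOS"
            continue
        if pos + 2 > len(data):
            return f"marker 0xFF{marker:02X} has no length field"
        (seglen,) = struct.unpack(">H", data[pos:pos + 2])
        if seglen < 2:                     # length counts itself, so < 2 is impossible
            return f"marker 0xFF{marker:02X} declares impossible length {seglen}"
        if pos + seglen > len(data):
            return f"marker 0xFF{marker:02X} segment runs past end of file"
        if marker == SOS:
            return "ok"
        pos += seglen
    return "no SOS found"


def segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with a correct length field (test helper)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples: a minimal JFIF header, one with a bad COM length,
# one cut off inside a segment, and one that is not a JPEG at all.
APP0_JFIF = segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
SOS_HEADER = segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
GOOD = b"\xff\xd8" + APP0_JFIF + segment(0xFE, b"a comment") + SOS_HEADER + b"\x00\xff\xd9"
BAD_COM_LENGTH = b"\xff\xd8" + APP0_JFIF + b"\xff\xfe\x00\x01" + b"A" * 16 + b"\xff\xd9"
TRUNCATED = GOOD[:25]
NOT_JPEG = b"GIF89a" + b"\x00" * 10

if __name__ == "__main__":
    for name, blob in (("GOOD", GOOD), ("BAD_COM_LENGTH", BAD_COM_LENGTH),
                       ("TRUNCATED", TRUNCATED), ("NOT_JPEG", NOT_JPEG)):
        print(f"{name:15} -> {check_jpeg_structure(blob)}")
```

Because the walk stops at SOS and never allocates on the basis of a length field, it is safe to run on untrusted input of any size; a filter would treat any result other than "ok" the way the post treats a djpeg failure.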


[Mimedefang] MIME-Base64-3.03 and Fedora Core, possibly other Linux distributions

2004-09-23 Thread Tomasz Ostrowski
From mimedefang-2.45 README:

| 4. MIME-BASE64 NOTE
| ---
| 
| Version 5.113 or higher of MIME::Tools requires MIME::Base64 version
| 3.03 or higher.  Many Linux distributions include an old version
| of MIME::Base64 in the core Perl distribution.  In order to
| install a new version of MIME::Base64 without upsetting your Linux
| updating tools (like up2date or the equivalent), you should download
| MIME::Base64 3.03 or newer and build as follows:
| 
| tar xvfz MIME-Base64-VERSION.tar.gz
| cd MIME-Base64-VERSION
| perl Makefile.PL INSTALLDIRS=site
| make
| make install

This does not work - core Perl MIME-Base64 is used anyway because
Fedora Core and, I suppose, other linux distributions have
site-perl directories after core Perl directories in @INC:
| $ perl -e 'use foo;'
| Can't locate foo.pm in @INC (@INC contains:
| /usr/lib/perl5/5.8.3/i386-linux-thread-multi
^^ this is where core MIME::Base64 is
| /usr/lib/perl5/5.8.3
| /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi
^^ this is where MIME::Base64 3.05 will be installed
| /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi
| /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi
| /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
| /usr/lib/perl5/site_perl/5.8.3 /usr/lib/perl5/site_perl/5.8.2
| /usr/lib/perl5/site_perl/5.8.1 /usr/lib/perl5/site_perl/5.8.0
| /usr/lib/perl5/site_perl
| /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi
| /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi
| /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi
| /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
| /usr/lib/perl5/vendor_perl/5.8.3 /usr/lib/perl5/vendor_perl/5.8.2
| /usr/lib/perl5/vendor_perl/5.8.1 /usr/lib/perl5/vendor_perl/5.8.0
| /usr/lib/perl5/vendor_perl .) at -e line 1.
| BEGIN failed--compilation aborted at -e line 1.

It's impossible to install MIME::Base64 3.05 without breaking the Perl
package, and it is impossible to create a MIME::Base64 package. The
only way to do it right is creating a new Perl package with bundled
MIME::Base64 3.05.

I'd suggest, if it is possible, rewriting MIME::tools so that it will
not depend on MIME::Base64 3.05 until major Linux distributions
include it. I know that the MIME::tools maintainer is also from
RoaringPenguin.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


Re: [Mimedefang] Notify recipient?

2004-03-24 Thread Tomasz Ostrowski
On Wed, 24 Mar 2004, David F. Skoll wrote:

 On Wed, 24 Mar 2004, Tomasz Ostrowski wrote:
 
  I'd advocate so action_notify_sender is removed as well - because
  over 99% virus e-mail come with forged return address.
 
 There's an interlock that disables action_notify_sender if a virus
 is detected.  Check the mimedefang.pl source. :-)

Nice :-)

Unfortunately, for this to work there has to be a good antivirus
program on the server. And silent discard violates the SMTP RFC...

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


[Mimedefang] Blocking RAR viruses

2004-03-24 Thread Tomasz Ostrowski
I've modified mimedefang-filter.example so it blocks RAR files with
executables. It uses the freeware unrar program, whose source and
binaries can be downloaded from RARLAB:
http://www.rarlab.com/rar_add.htm

Patch follows.

It blocks Beagle worm password protected RAR files.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh


--- mimedefang-filter.example   Tue Mar 16 10:53:37 2004
+++ mimedefang-filter   Fri Mar 19 14:14:40 2004
@@ -116,6 +116,25 @@
}
}
 }
+
+# Look inside RAR files
+if (re_match($entity, '\.r(ar|[0-2][0-9])$') ) {
+   my $bh = $entity-bodyhandle();
+   if (defined($bh)) {
+   my $path = $bh-path();
+   if (defined($path)) {
+   my($code, $category, $action) =
+   run_virus_scanner( unrar lb $path );
+   if ($action ne 'proceed') {
+   return $code;
+   }
+   if ($code) {
+   return $code;
+   }
+   return 1 if $VirusScannerMessages =~ /$re/i;
+   }
+   }
+}
 return 0;
 }
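Review bot: `$re` in `return 1 if $VirusScannerMessages =~ /$re/i;` is not defined in this hunk, so the block only works if it is placed inside filter_bad_filename after the point where `$re` is built from the bad-extension list; say so in a comment or pass the pattern in explicitly. Also make the listing non-interactive: `unrar lb $path` waits for a password when an archive has encrypted headers, so use `unrar lb -p- -y $path`. Minor: `\.r(ar|[0-2][0-9])$` covers multi-volume names only up to .r29, which is fine if that limit is intended.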
 


[Mimedefang] Blocking ZIP viruses

2004-01-28 Thread Tomasz Ostrowski
I've modified mimedefang-filter so it blocks ZIP files with
executables. It's ugly as hell (I do not know Perl - it's copy-paste
programming) but it works. It uses the zipinfo command to extract
filenames. Have a look at the diff below.

It blocks all recent Mydoom mails.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a
moment just before you began to eat it which was better than when you
were...
  Winnie the Pooh



--- mimedefang-filter.orig  Tue Jan 27 16:45:56 2004
+++ mimedefang-filter   Tue Jan 27 16:49:42 2004
@@ -148,6 +148,46 @@
 return (wantarray ? (0, 'ok', 'ok') : 0);
 }
 
+sub zip_filter_bad_filename ($) {
+my($entity) = @_;
+unless ( re_match($entity, '\.' . 'zip' . '\.*([^-A-Za-z0-9_.,]|$)') ) {
+return 0;
+}
+
+my($body) = $entity-bodyhandle;
+if (!defined($body)) {
+return 0;
+}
+
+# Get filename
+my($path) = $body-path;
+if (!defined($path)) {
+return 1;
+}
+
+# Run zipinfo
+my($code, $category, $action) =
+run_virus_scanner( zipinfo $path );
+if ($action ne 'proceed') {
+return $code;
+}
+if ($code) {
+return $code;
+}
+
+# Bad extensions
+$bad_exts = 
'(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
+
+# Do not allow:
+# - CLSIDs  {foobarbaz}
+# - bad extensions (possibly with trailing dots) at end or
+#   followed by non-alphanum
+$re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
+return 1 if $VirusScannerMessages =~ /$re/i;
+
+return 0;
+}
+
 #***
 # %PROCEDURE: filter_begin
 # %ARGUMENTS:
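Review bot: `$bad_exts` and `$re` are assigned without `my`, so under `use strict` the function does not compile, and without it both become globals that can clobber a `$re` used elsewhere in the filter; declare both with `my`. Also, zipinfo's default listing prints permissions, sizes and dates next to each member name, so the pattern is run over those fields too; `zipinfo -1 $path` prints member names only and is the safer input for the regex. One behavioural difference from filter_bad_filename just above: this function returns 1 (reject) when the body has no path, whereas the earlier code returns 0 there; pick one behaviour deliberately and comment it.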
@@ -243,6 +283,12 @@
 if (filter_bad_filename($entity)) {
 md_graphdefang_log('bad_filename', $fname, $type);
return action_quarantine($entity, An attachment named $fname was removed from 
this document as it\nconstituted a security hazard.  If you require this document, 
please contact\nthe sender and arrange an alternate means of receiving it.\n);
+}
+
+if (zip_filter_bad_filename($entity)) {
+md_graphdefang_log('bad_filename', $fname, $type);
+action_bounce(Access denied. Archive $fname with not allowed file(s)., 
554, 5.7.1);
+return action_discard();
 }
 
 # eml is bad if it's not multipart
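Review bot: both branches log under the same `md_graphdefang_log('bad_filename', ...)` tag, so the graphs cannot separate bad attachment names from bad names found inside a ZIP; use a distinct tag such as 'bad_filename_in_zip'. The rejection itself is the right shape: action_bounce here refuses the message with a 554 during the SMTP transaction, so no bounce is sent to the usually forged sender, unlike the quarantine path right above it; the status text could additionally name the offending member if the function returned it.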
___
Visit http://www.mimedefang.org and http://www.canit.ca
MIMEDefang mailing list
[EMAIL PROTECTED]
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
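The zipinfo-based check in the patch above (and the RAR variant earlier on this page) shells out to an archiver and greps its listing. As an added example that is not code from the post or from MIMEDefang, here is the same decision made in Python over the ZIP central directory, with the block list and the name pattern exactly as posted. It goes one step beyond the posted filter: it also looks one level into nested .zip members, and it flags an encrypted or oversized nested archive instead of silently passing it. The archives are constructed in the block; the 8 MiB limit on a nested archive is an assumed bound, not a value from the post. Member names in a ZIP are stored in the clear even when the member data is password-protected, which is why a listing-based check still works on such archives.

```python
import io
import re
import zipfile
from typing import Dict, List

# Block list and name pattern copied from the posted filter: a bad extension,
# optionally followed by trailing dots, at the end of the name or before a
# character outside [-A-Za-z0-9_.,], or a CLSID-style {...} suffix.
BAD_EXTS = (r"(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|"
            r"hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|"
            r"pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|"
            r"wsc|wsf|wsh|\{[^\}]+\})")
BAD_NAME = re.compile(r"\." + BAD_EXTS + r"\.*([^-A-Za-z0-9_.,]|$)", re.IGNORECASE)

MAX_NESTED_BYTES = 8 * 1024 * 1024   # assumed bound on a nested archive worth reading


def bad_members(archive: bytes, depth: int = 0, max_depth: int = 1) -> List[str]:
    """Return member names that match BAD_NAME. Only the central directory is
    read for the outer archive; nothing is extracted to disk. Nested .zip
    members are opened in memory down to max_depth; an encrypted or oversized
    nested archive is reported instead of inspected."""
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            name = info.filename
            if BAD_NAME.search(name):
                found.append(name)
            elif name.lower().endswith(".zip") and depth < max_depth:
                if info.flag_bits & 0x1:          # general purpose bit 0: encrypted
                    found.append(name + " (encrypted nested archive, not inspected)")
                elif info.file_size > MAX_NESTED_BYTES:
                    found.append(name + " (nested archive too large to inspect)")
                else:
                    inner = bad_members(zf.read(info), depth + 1, max_depth)
                    found.extend(name + "/" + n for n in inner)
    return found


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed test archive; contents are placeholders, only names matter."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


SAMPLE = build_zip({
    "report.pdf": b"%PDF-1.4",
    "invoice.pdf.exe": b"MZ",                     # double extension
    "docs/setup.exe.": b"MZ",                     # trailing dot
    "notes.exec": b"text",                        # 'exe' not at a boundary: allowed
    "photo.jpg.{F935DC22-1CF0-11D0-ADB9-00C04FD58A0B}": b"",   # CLSID suffix
    "dir/run.bat": b"@echo off",
})
NESTED = build_zip({"readme.txt": b"hi", "inner.zip": build_zip({"payload.scr": b"MZ"})})

if __name__ == "__main__":
    print("SAMPLE:", bad_members(SAMPLE))
    print("NESTED:", bad_members(NESTED))
```

The pattern behaves as in the Perl original: notes.exec passes because the match requires the extension to end the name or be followed by a separator, while setup.exe. is caught because trailing dots are absorbed before that test. A filter that used this would bounce on a non-empty result, exactly as the posted hunk does.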