[Mimedefang] Block executables in 7Z archive - solution
We're getting a lot of trojan executables in 7Z archives lately. Like this one:
https://www.virustotal.com/pl/file/8f766ccb4821488c8b34abda0d472e627dba6f1d261073852e079c66313a9f11/analysis/

I've added code to my mimedefang-filter, based on suggested-minimum-filter-for-windows-clients, in filter_bad_filename which tests for this. I'd like to share:

    # Look inside 7Z files
    if (re_match($entity, '\.7z$')) {
        my $bh = $entity->bodyhandle();
        if (defined($bh)) {
            my $path = $bh->path();
            if (defined($path)) {
                # List the archive with 7za; run_virus_scanner() captures
                # the program output in $VirusScannerMessages
                my ($code, $category, $action) =
                    run_virus_scanner("7za l -slt -bd -p -y -- $path");
                if ($action ne 'proceed') {
                    return $code;
                }
                if ($code) {
                    return $code;
                }
                # $re is the bad-filename regexp of filter_bad_filename
                return 1 if $VirusScannerMessages =~ /$re/im;
            }
        }
    }

This requires the 7za program (from the p7zip package) installed on the server. This will also block 7z archives with encrypted filenames.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh

___
NOTE: If there is a disclaimer or other legal boilerplate in the above message, it is NULL AND VOID. You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list
MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
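An added example, not code from Tometzky's post or from MIMEDefang: the same decision in Python, parsing the technical listing that `7za l -slt` prints and blocking the archive when a member name looks executable or when nothing can be listed (encrypted headers, corrupt file). The listing text, the error text and the extension list are constructed for this example; the real filter matches against the $re regexp built in filter_bad_filename, which is not reproduced on this page. It goes one step beyond the post by also flagging members whose data, but not name, is encrypted, since a virus scanner cannot inspect those either.

```python
import re

# Extensions treated as executable here (constructed list; the post's filter
# uses the $re regexp from filter_bad_filename instead).
BAD_EXT_RE = re.compile(
    r'\.(exe|scr|pif|com|bat|cmd|vbs|vbe|js|jse|wsf|wsh|hta|chm|cpl|msi|reg|lnk)$',
    re.IGNORECASE,
)

# Constructed sample of what `7za l -slt -bd -p -y -- sample.7z` prints for an
# archive holding a decoy document and a trojan with a double extension.
SAMPLE_LISTING = """\
Listing archive: sample.7z

--
Path = sample.7z
Type = 7z
Physical Size = 22000

----------
Path = invoice.pdf
Size = 1024
Packed Size = 900
Attributes = A
Encrypted = -
Method = LZMA2:16

Path = invoice.pdf.exe
Size = 51200
Packed Size = 20480
Attributes = A
Encrypted = -
Method = LZMA2:16
"""

# Constructed sample: with header encryption and an empty password (-p), 7za
# cannot list anything, so no "----------" member table follows.
SAMPLE_ENCRYPTED = """\
Listing archive: locked.7z

Error: Can not open encrypted archive. Wrong password?
"""


def parse_slt_listing(text):
    """Return the member entries of a `7za l -slt` listing as dicts.

    In -slt output the archive properties come first, then a line of ten
    dashes, then one "Key = Value" block per member, blank-line separated.
    """
    if '----------' not in text:
        return []
    _, _, body = text.partition('----------')
    entries = []
    for block in re.split(r'\n\s*\n', body.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(' = ')
            if sep:
                entry[key.strip()] = value.strip()
        if 'Path' in entry:
            entries.append(entry)
    return entries


def verdict(listing_text):
    """Decide whether to block the attachment; returns (blocked, reason)."""
    entries = parse_slt_listing(listing_text)
    if not entries:
        # Same effect as the post's filter returning 7za's error code:
        # an archive we cannot list is not allowed through.
        return True, 'unlistable archive (encrypted header or corrupt)'
    for entry in entries:
        name = entry['Path']
        if BAD_EXT_RE.search(name):
            return True, 'executable member: ' + name
        if entry.get('Encrypted') == '+':
            # Name visible but data encrypted: the AV scanner cannot inspect it.
            return True, 'encrypted member: ' + name
    return False, 'ok'


if __name__ == '__main__':
    for label, listing in (('sample.7z', SAMPLE_LISTING),
                           ('locked.7z', SAMPLE_ENCRYPTED)):
        print(label, verdict(listing))
```

In a real filter the text fed to `verdict()` would be the captured output of the 7za command, and a non-zero exit status would be handled first, as the post's code does.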
[Mimedefang] Re: Missed executable attachments with empty Content-Type
On 2015-04-28 16:10, Dianne Skoll wrote:
> However, you're right... MIMEDefang is not picking up the attachment name. I will look into it.
>
> Actually, I'm wrong... in CanIt, we do pick up the attachment name by using $entity->head->recommended_filename. I have no idea why it's not working for you; this is very mysterious.

I've found the cause - I have outdated MIME-tools. The distributions I use, CentOS 6 and CentOS 5 (clones of RHEL 6 and 5), provide the very outdated MIME-tools 5.427. In the 5.505 Changelog from 2013-11-14 there's:

    * Fix bug in header parsing that would fail to parse a header like:
      Content-Type: ; name="malware.zip"

I've managed to work around this without conflicting with the system's package management like this:

    # Downloaded latest version of MIME-tools
    # from http://search.cpan.org/~dskoll/MIME-tools/ to /tmp/
    # Extracted it:
    cd /tmp; tar xf MIME-tools-*.tar.gz; cd MIME-tools-*
    # Created a directory for updated MIME-tools module:
    mkdir /etc/mail/mimedefang-lib
    # Installed the module:
    perl Makefile.PL INSTALL_BASE=/etc/mail/mimedefang-lib/
    make install
    # Added module path to search path in mimedefang run script
    echo export PERL5LIB=/etc/mail/mimedefang-lib/lib/perl5/ >> \
        /etc/sysconfig/mimedefang
    # Restarted mimedefang:
    service mimedefang restart

This might be useful for other RHEL/CentOS/Scientific/Oracle Linux users.

Thank you, Dianne, for your help.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh
[Mimedefang] Re: Missed executable attachments with empty Content-Type
On 2015-04-28 16:06, Kevin A. McGrail wrote:
> > Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm]. I think this resolution is unsustainable - this technique might get popular fast if this proves to foul filters.
> (...)
> MD is open-source and the enemy is the bastard spammers/malware authors. Don't attack people trying to help, donating their time and giving you possible solutions. Instead you might consider thanking them, providing feedback or even taking a swipe at the code and post a patch.

I'm very sorry if I've written something rude - I didn't mean to. English isn't my primary language - I might have failed to convey the tone of my statement.

I just wanted to report this to the mailing list because I was afraid that other users could have their network compromised if they used a similar setup.

Thanks to Dianne's test on her systems I was able to find the cause, which was an outdated perl module. I've shared my solution in a follow-up email.

I really think MIMEdefang is an awesome, very powerful piece of software. It has been protecting my non-profit foundation for more than 10 years. Thank you.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh
[Mimedefang] Re: Missed executable attachments with empty Content-Type
On 2015-04-28 15:13, Dianne Skoll wrote:
> > I've just received a trojan/exploit attachment with CHM extension, which should be filtered by MIMEdefang but wasn't.
>
> Well, it surely depends on your filter?

My filter depends on the "re_match" function provided by MIMEdefang. suggested-minimum-filter-for-windows-clients uses it as well. The mimedefang-filter man page says:

    re_match returns true if any of the fields [Content-Disposition.filename, Content-Type.name and Content-Description] matches the regexp without regard to case.

In my example Content-Type should match, but it doesn't, because it is probably deliberately broken enough to avoid detection by security products, but not enough to stop working in e-mail clients.

Anyway, I made a SpamAssassin rule to block these [SecureMessage.chm]. I think this resolution is unsustainable - this technique might get popular fast if this proves to foul filters.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh
[Mimedefang] Missed executable attachments with empty Content-Type
I've just received a trojan/exploit attachment with CHM extension, which should be filtered by MIMEdefang but wasn't. This attachment was sent in a MIME part with a broken header:

    Content-Type: ; name="SecureMessage.chm"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment; name="SecureMessage.chm"

Please notice the empty "Content-Type" in the above header.

Because of the empty content type my mail client (Thunderbird) displayed it as garbage, but also defaulted to saving it as a file with the original name "SecureMessage.chm". Opening it would compromise a system, as it isn't recognized as a virus by most antivirus programs yet:
https://www.virustotal.com/en/file/467f6d76802014ab671fa868b9b81b79497889f906c434620742e391aee17670/analysis/

I've retested it changing the extension to EXE and it was also allowed.

I'm attaching the whole message (beware, contains virus) in a 7z archive with password "infected".

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh

NatWest Secure Message.7z
Description: application/7z-compressed
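An added example serving this report and the two follow-ups above it (the MIME-tools 5.505 fix and the re_match() discussion); it is not code from the thread or from MIME-tools. It takes the exact header block quoted here and shows why a parser that insists on a valid media type before reading parameters never sees `name="SecureMessage.chm"`, while a tolerant one recovers the name from the three fields the mimedefang-filter man page lists for re_match(). The two parsers, the function names and the extension list are mine; the tolerant parser additionally reads the nonstandard `name=` parameter in Content-Disposition because the sample carries one.

```python
import re

# The MIME part header block quoted in the original report (body omitted).
BROKEN_PART_HEADERS = '''\
Content-Type: ; name="SecureMessage.chm"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; name="SecureMessage.chm"
'''

# Constructed list of extensions to refuse; the real filter uses its own $re.
BAD_EXT_RE = re.compile(r'\.(exe|scr|pif|com|bat|cmd|vbs|js|jse|hta|chm|cpl|msi)$',
                        re.IGNORECASE)

# attribute "=" (token | quoted-string), as used by Content-Type/-Disposition
PARAM_RE = re.compile(r'([A-Za-z0-9!#$&+.^_`|~-]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;\s]+)')
MEDIA_TYPE_RE = re.compile(r'^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+\s*(?:;|$)')
DISP_TYPE_RE = re.compile(r'^[A-Za-z0-9!#$&^_.+-]+\s*(?:;|$)')


def parse_headers(raw):
    """Header block -> {lowercased field name: value}. Folded lines and
    RFC 2231 encoded parameters are not handled in this example."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(':')
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def params_of(field_value):
    """Parameters of a structured field value, regardless of whether the
    main value before the first ';' (media type, disposition type) is valid
    or even present."""
    _, _, rest = field_value.partition(';')
    params = {}
    for match in PARAM_RE.finditer(rest):
        value = match.group(2)
        if value.startswith('"'):                       # quoted-string
            value = re.sub(r'\\(.)', r'\1', value[1:-1])
        params[match.group(1).lower()] = value
    return params


def strict_filename(headers):
    """A parser that refuses a field whose main value is malformed: with an
    empty media type the Content-Type parameters are never read, so the
    name is lost (the symptom the MIME-tools 5.505 changelog entry fixed)."""
    disp = headers.get('content-disposition', '')
    if DISP_TYPE_RE.match(disp):
        filename = params_of(disp).get('filename')
        if filename:
            return filename
    ctype = headers.get('content-type', '')
    if MEDIA_TYPE_RE.match(ctype):
        return params_of(ctype).get('name')
    return None


def tolerant_filenames(headers):
    """Every name an MUA might save the part under: the three fields the
    mimedefang-filter man page says re_match() consults, plus the
    nonstandard name= parameter seen in the sample's Content-Disposition."""
    disp = params_of(headers.get('content-disposition', ''))
    ctype = params_of(headers.get('content-type', ''))
    names = []
    for candidate in (disp.get('filename'), disp.get('name'),
                      ctype.get('name'), headers.get('content-description')):
        if candidate and candidate not in names:
            names.append(candidate)
    return names


def is_dangerous(headers):
    """True if any candidate name carries a refused extension."""
    return any(BAD_EXT_RE.search(name) for name in tolerant_filenames(headers))


if __name__ == '__main__':
    hdrs = parse_headers(BROKEN_PART_HEADERS)
    print('strict parser sees:  ', strict_filename(hdrs))
    print('tolerant parser sees:', tolerant_filenames(hdrs))
    print('block:', is_dangerous(hdrs))
```

The defensive lesson is the one the thread reaches: a filename check is only as good as the header parser underneath it, so the parser must extract parameters even when the field's main value is empty or malformed, exactly the input a client still renders and saves.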
Re: [Mimedefang] detect failed auth
On 2014-09-10 16:29, David F. Skoll wrote:
> Sep 10 10:28:04 vanadium sm-mta[2670]: s8AEQtDU002670: d...@hydrogen.roaringpenguin.com [192.168.10.1] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA-v6

I've recently configured fail2ban on my CentOS5 server with blocking based solely on this line:

    Oct 9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA

Installed fail2ban from EPEL. Created /etc/fail2ban/filter.d/smtp.conf:

    # Fail2Ban filter for sendmail authentication failures
    #

    [INCLUDES]
    before = common.conf

    [Definition]
    _daemon = sendmail
    failregex = ^ ?%(__prefix_line)s\w{14}: (\S+ )?\[<HOST>\]( \(may be forged\))? did not issue MAIL/EXPN/VRFY/ETRN during connection to (TLS)?MTA$
    ignoreregex =

And created /etc/fail2ban/jail.local:

    [DEFAULT]
    ignoreip = 127.0.0.0/8 192.168.0.0/16
    usedns = no

    [ssh-iptables]
    enabled = false

    [smtp]
    enabled = true
    filter = smtp
    action = iptables-multiport[name=sendmail-auth, port="submission,465,smtp", protocol=tcp, blocktype=DROP]
    logpath = /var/log/maillog

Then simply run:

    # chkconfig fail2ban on
    # service fail2ban start

And bruteforce attacks slowed considerably.

I think this would work also for CentOS/RHEL6 with no modifications.

I assumed that no legitimate client would connect without issuing MAIL/EXPN/VRFY/ETRN. Definitely not more than two times in 5 minutes to trigger a ban. There could be a problem if some user would try to login with a bad password more than twice in 5 minutes - he would not be able to send mail for an hour.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh
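An added example, not from the post or from fail2ban: the failregex above rewritten as a Python regular expression and run over a constructed maillog excerpt, with a minimal emulation of fail2ban's counting (maxretry hits within findtime seconds bans the host). fail2ban's `<HOST>` tag becomes a named group and common.conf's `%(__prefix_line)s` is approximated by the syslog prefix the sample lines use. The log lines are modelled on the one in the post; the thresholds of 3 hits in 300 seconds are the post's "more than two times in 5 minutes", not fail2ban's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Syslog prefix of the sample lines, standing in for common.conf's
# %(__prefix_line)s: "Oct  9 10:17:38 batyskaf sendmail[16834]: "
PREFIX = r'(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sendmail\[\d+\]: '

# The post's failregex with <HOST> written as a named group.
FAILREGEX = re.compile(
    PREFIX
    + r'\w{14}: (\S+ )?\[(?P<host>[0-9a-fA-F.:]+)\]( \(may be forged\))? '
    + r'did not issue MAIL/EXPN/VRFY/ETRN during connection to (TLS)?MTA$'
)

# Constructed maillog excerpt modelled on the line in the post: one host
# probing three times, one host with a forged PTR once, and an unrelated line.
SAMPLE_LOG = """\
Oct  9 10:17:38 batyskaf sendmail[16834]: s998Gc97016834: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:18:02 batyskaf sendmail[16840]: s998I2aB016840: [198.51.100.7] (may be forged) did not issue MAIL/EXPN/VRFY/ETRN during connection to TLSMTA
Oct  9 10:18:40 batyskaf sendmail[16851]: s998IeCc016851: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
Oct  9 10:19:05 batyskaf sendmail[16855]: s998J5fj016855: from=<alice@example.net>, size=512, class=0, nrcpts=1, proto=ESMTP, daemon=MTA, relay=mail.example.net [203.0.113.9]
Oct  9 10:20:11 batyskaf sendmail[16870]: s998KBeq016870: cpe-173-88-252-250.neo.res.rr.com [173.88.252.250] did not issue MAIL/EXPN/VRFY/ETRN during connection to MTA
"""


def matching_hosts(log_text):
    """Hosts extracted from every line the failregex matches, in log order."""
    return [m.group('host') for m in map(FAILREGEX.match, log_text.splitlines()) if m]


def scan(log_text, maxretry=3, findtime=300):
    """Emulate fail2ban's counting: a host is banned once it accumulates
    `maxretry` matches within `findtime` seconds. Returns (host, timestamp)
    pairs in ban order. Thresholds follow the post ("more than two times in
    5 minutes"); check your own jail's maxretry/findtime, which the post
    does not reproduce."""
    recent = defaultdict(deque)
    banned, bans = set(), []
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if not m:
            continue
        host, ts_text = m.group('host'), m.group('ts')
        # Year is irrelevant for the sliding window; strptime defaults it.
        ts = datetime.strptime(' '.join(ts_text.split()), '%b %d %H:%M:%S')
        window = recent[host]
        window.append(ts)
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry and host not in banned:
            banned.add(host)
            bans.append((host, ts_text))
    return bans


if __name__ == '__main__':
    print('matches:', matching_hosts(SAMPLE_LOG))
    print('bans:   ', scan(SAMPLE_LOG))
```

The unrelated delivery line is skipped because the expression is anchored on the whole line, and the `(may be forged)` variant is covered by the optional group, which is why both host forms in the sample are counted.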
Re: [Mimedefang] MIMEDefang 2.72-BETA-2 is available
On 2011-06-20 19:35, David F. Skoll wrote:
> I've released MIMEDefang 2.72-BETA-2

I've a configure.in bug to report, which was also present in older versions. In a pure 64-bit Linux environment libmilter.a is in the /usr/lib64/ directory, but configure only searches /usr/lib/, so it fails with the following message if 32-bit libraries are not installed:

    configure: WARNING: Oops.. I couldn't find libmilter.a or libmilter.so. Please install Sendmail
    configure: WARNING: and its libraries. You must run Build in the libmilter/ directory
    configure: WARNING: to compile libmilter.

I'm attaching a proposed patch, which isn't perfect but I think should be good enough. I think a proper fix would be to use AC_SEARCH_LIBS instead of AC_CHECK_PROG, but I can not test it for portability.

Also the "unstripped" Makefile target disappeared. This target was useful for example for rpm packagers, as it allowed for automatic building of "debuginfo" packages, which contain debugging symbols for programs and aren't installed by default but only as needed. This change isn't mentioned in the Changelog. For other packagers: I was able to work around this by adding INSTALL_STRIP_FLAG="" to "make install".

Please also mention in the Changelog the renaming of the Makefile variable RPM_INSTALL_ROOT to DESTDIR, as it is also used by packagers.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh

diff -urNP mimedefang-2.68.orig/configure.in mimedefang-2.68/configure.in
--- mimedefang-2.68.orig/configure.in 2010-02-22 16:50:09.0 +0100
+++ mimedefang-2.68/configure.in2010-03-02 21:16:17.413499226 +0100
@@ -663,12 +663,12 @@ SMPATH=`echo ../sendmail-*/obj.*/libmilter` old_as_test_x="$as_test_x" as_test_x='test -e' -AC_PATH_PROG(LIBMILTER, libmilter.a, no, $MILTERLIB:$SMPATH:/usr/local/lib:/lib:/usr/lib:/usr/lib/libmilter) +AC_PATH_PROG(LIBMILTER, libmilter.a, no, $MILTERLIB:$SMPATH:/usr/local/lib:/usr/local/lib64:/lib:/lib64:/usr/lib:/usr/lib64:/usr/lib/libmilter) SMPATH=`echo ../sendmail-*/obj.*/libsm` -AC_PATH_PROG(LIBSM, libsm.a, no, $SMPATH:/usr/local/lib:/lib:/usr/lib:/usr/lib/libmilter) +AC_PATH_PROG(LIBSM, libsm.a, no, $SMPATH:/usr/local/lib:/usr/local/lib64:/lib:/lib64:/usr/lib:/usr/lib64:/usr/lib/libmilter) dnl find libmilter.so in case we have shared libraries -AC_PATH_PROG(LIBMILTERSO, libmilter.so, no, $MILTERLIB:$SMPATH:/usr/local/lib:/lib:/usr/lib:/usr/lib/libmilter) +AC_PATH_PROG(LIBMILTERSO, libmilter.so, no, $MILTERLIB:$SMPATH:/usr/local/lib:/usr/local/lib64:/lib:/lib64:/usr/lib:/usr/lib64:/usr/lib/libmilter) as_test_x="$old_as_test_x" dnl find Sendmail
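Review bot: the extended system-directory list is now spelled out three times (the LIBMILTER, LIBSM and LIBMILTERSO AC_PATH_PROG calls) and will drift apart on the next edit; put the system part in one shell variable before the first call, e.g. `SYSLIBDIRS=/usr/local/lib:/usr/local/lib64:/lib:/lib64:/usr/lib:/usr/lib64:/usr/lib/libmilter`, and pass `$MILTERLIB:$SMPATH:$SYSLIBDIRS` (or `$SMPATH:$SYSLIBDIRS` for libsm, which this hunk keeps without $MILTERLIB) so the three searches stay identical. The hunk also preserves the `as_test_x='test -e'` override, which is what lets AC_PATH_PROG find a library at all; as the cover note says, AC_SEARCH_LIBS or AC_CHECK_LIB with the lib64 paths in LDFLAGS would be the idiomatic replacement, and a comment saying why the override exists would help whoever revisits this. Finally, the file header names mimedefang-2.68 while the report is against 2.72-BETA-2, so the `@@ -663,12 +663,12 @@` offsets should be re-checked against the current configure.in before applying.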
Re: [Mimedefang] Skipping SA on TLSMTA connections?
On Fri, 24 Nov 2006, Kees Theunissen wrote:
> > There is a small problem with this approach - Bayes database does not
> > learn phrases and words used in e-mail sent by your own users.
>
> Is that a problem if you don't scan these messages anyway?

You scan replies. And your friends / customers do use the phrases that you do.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh
Re: [Mimedefang] Skipping SA on TLSMTA connections?
On Wed, 22 Nov 2006, Philip Prindeville wrote:
> if (
>     $Features{"SpamAssassin"}
>     && $SendmailMacros{'daemon_name'} ne 'TLSMTA'
> )

I use:

    if (
        $Features{"SpamAssassin"}
        && (!defined($SendmailMacros{'auth_type'}))
        && ($RelayAddr ne "127.0.0.1")
    )

This 'auth_type' check was suggested on this list some time ago. It is more portable than the 'daemon_name' check. And if a message is already on my server I assume it is not spam.

There is a small problem with this approach - the Bayes database does not learn phrases and words used in e-mail sent by your own users.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh
Re: [Mimedefang] SPF
On Sun, 05 Nov 2006, David F. Skoll wrote:
> SPF breaks forwarding, which is very annoying.

It does not if forwarding is set to use the forwarder's address in the envelope. I'm doing forwarding in procmail. This is a fragment of my script:

    #
    VACATION_PRIMARY_ADDRESS="[EMAIL PROTECTED]"
    # escape regexp metacharacters in the address for the X-Loop test below
    VACATION_PRIMARY_ADDRESS_REGEX=`echo "$VACATION_PRIMARY_ADDRESS" | sed -e 's:[\.\+]:\\&:g'`
    VACATION_FORWARD="[EMAIL PROTECTED]"

    :0 c
    * ! ^FROM_DAEMON
    * $ ! ^X-Loop: $VACATION_PRIMARY_ADDRESS_REGEX
    | formail -A "X-Loop: $VACATION_PRIMARY_ADDRESS" -i "Return-Path:" | \
      $SENDMAIL "-f<$VACATION_PRIMARY_ADDRESS>" -oi "$VACATION_FORWARD"
    #

This way the sender will not get a bounce with an unknown address if the forward destination is broken.

> > For folks on the road, there are plenty of workable solutions.
>
> We use OpenVPN, which works well if both ends are running Linux.
> Because of deficiencies in Windoze's "TUN" implementation, it's a bit
> more painful to get it working on that platform, but we managed it.

It is much easier to use the submission port + STARTTLS or SMTPS. Both do not use the smtp port, which is often blocked.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh
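An added example, not from the post or from any SPF library: a minimal model of the SPF check a final destination performs on forwarded mail, showing why a forward that keeps the original envelope sender fails and why re-sending with the forwarder's own address as envelope sender (the `$SENDMAIL -f<$VACATION_PRIMARY_ADDRESS>` step in the recipe) passes. Only the `ip4` and `all` mechanisms are modelled; the domains, SPF records and addresses are constructed, and `forwarder.example` stands in for the forwarding server's own domain.

```python
import ipaddress

# Constructed SPF records: who may send mail for each domain.
SPF_RECORDS = {
    'example.org': 'v=spf1 ip4:192.0.2.0/24 -all',        # original sender's domain
    'forwarder.example': 'v=spf1 ip4:198.51.100.25 -all',  # the forwarding server
}
FORWARDER_IP = '198.51.100.25'                 # IP the destination sees connecting
ORIGINAL_MAIL_FROM = 'alice@example.org'       # envelope sender of the original mail
PRIMARY_ADDRESS = 'me@forwarder.example'       # plays $VACATION_PRIMARY_ADDRESS
FORWARD_TO = 'me@final-destination.example'    # plays $VACATION_FORWARD

QUALIFIER_RESULT = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}


def spf_check(mail_from, client_ip, records=SPF_RECORDS):
    """Evaluate the envelope sender's SPF record against the connecting IP.
    Only 'ip4' and 'all' mechanisms are modelled (no include/a/mx/redirect)."""
    domain = mail_from.rsplit('@', 1)[-1].lower()
    record = records.get(domain)
    if record is None:
        return 'none'
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:          # skip the 'v=spf1' version tag
        qualifier = '+'
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term == 'all':
            matched = True
        elif term.startswith('ip4:'):
            matched = (ip.version == 4 and
                       ip in ipaddress.ip_network(term[4:], strict=False))
        else:
            continue                          # mechanism not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return 'neutral'                          # nothing matched, no 'all'


def forward(rewrite_envelope):
    """Model the forwarding hop. Returns (envelope sender handed to the next
    hop, SPF result the destination computes for it). rewrite_envelope=True
    is the recipe's `-f<$VACATION_PRIMARY_ADDRESS>`; False keeps the original
    envelope sender, as a plain .forward would."""
    envelope_from = PRIMARY_ADDRESS if rewrite_envelope else ORIGINAL_MAIL_FROM
    return envelope_from, spf_check(envelope_from, FORWARDER_IP)


if __name__ == '__main__':
    print('direct delivery:      ', spf_check(ORIGINAL_MAIL_FROM, '192.0.2.10'))
    print('plain forward:        ', forward(False))
    print('forward with -f myself:', forward(True))
```

The rewritten envelope sender also decides where a bounce goes: with `-f<$VACATION_PRIMARY_ADDRESS>` a failure at `$VACATION_FORWARD` comes back to the forwarder, which is the second point the post makes. The `X-Loop` header in the recipe guards against that bounce being forwarded again.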
[Mimedefang] MIMEdefang RPM in Fedora Extras repository
The RPM version of MIMEdefang, mimedefang-2.57-4.fc5.*.rpm, showed up in the Fedora Extras 5 repository. This means that it will be automatically updated by the nightly yum update if mimedefang was installed from RPM.

This version does not have any antivirus functionality compiled in. So this may make your system less secure. If you use any antivirus and the mimedefang rpm you'd better disable its automatic updates by adding:

    exclude=mimedefang

to your "/etc/yum.conf".

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh
Re: [Mimedefang] mimedefang in endless loop (socketpair)
On Tue, 23 May 2006, Paul Murphy wrote:
> > May 22 15:46:24 statek sendmail[14281]: k4MDkN1J014281:
> > from=<>, size=3019, class=0, nrcpts=0, proto=ESMTP, daemon=MTA,
> > relay=smtp11.wanadoo.fr [193.252.22.31]
> > May 22 15:46:24 statek sendmail[14281]: k4MDkN1J014281:
> > <[EMAIL PROTECTED]>... User unknown
>
> Looks like normal activity - someone sending via the Wanadoo server in France
> is attempting to send you lots of mail for an unknown user, and your system
> is correctly processing them and returning the user unknown error.

I know. But this should not cause a MIMEdefang process to hang, using all the CPU power it could get, for a day (until I killed it).

Regards
Tometzky
-- 
Best of prhn - the funniest texts of Polish Usenet
http://rainbow.mimuw.edu.pl/~tometzky/humor/
Chaos always defeats order, because it is better organized. [ Terry Pratchett ]
[Mimedefang] mimedefang in endless loop (socketpair)
I've got two mimedefang 2.56 processes hung in an endless loop (in running state). I'll have to kill these processes but I want to send you the information I'm able to gather about them in case it can be useful for finding a bug.

The command "strace -p [PID]" on the processes shows an endless stream of

    socketpair(PF_??? (0x4001c14c), SOCK_??? (0), , 3175087548, [1, 1]) = 0

lines.

"lsof -p [PID]" of one of them shows 21 open "/var/spool/MIMEDefang/mimedefang.sock" files and also open

    /var/spool/MIMEDefang/mdefang-k4MDkN1J014281/HEADERS (deleted)
    /var/spool/MIMEDefang/mdefang-k4MDkN1J014281/COMMANDS (deleted)
    /var/spool/MIMEDefang/mdefang-k4MDkNAw014242/HEADERS (deleted)
    /var/spool/MIMEDefang/mdefang-k4MDkNAw014242/COMMANDS (deleted)
    /var/spool/MIMEDefang/mdefang-k4MDkNfs014278/HEADERS
    /var/spool/MIMEDefang/mdefang-k4MDkNfs014278/COMMANDS

/var/spool/MIMEDefang/mdefang-k4MDkNfs014278/HEADERS is empty and /var/spool/MIMEDefang/mdefang-k4MDkNfs014278/COMMANDS looks like this:

    S<>
    sSIZE=3019
    =_ smtp11.wanadoo.fr%20[193.252.22.31]
    =daemon_name MTA
    =i k4MDkNfs014278
    =if_addr 62.89.72.200
    =if_name statek.batory.org.pl
    =j statek.batory.org.pl
    =mail_addr
    =mail_host
    =mail_mailer local
    Qk4MDkNfs014278
    Hsmtp11.wanadoo.fr
    I193.252.22.31
    Esmtp11.wanadoo.fr
    R<[EMAIL PROTECTED]> local ? l

Corresponding /var/log/maillog entries look like this:

    May 22 15:46:24 statek sendmail[14281]: k4MDkN1J014281: from=<>, size=3019, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=smtp11.wanadoo.fr [193.252.22.31]
    May 22 15:46:24 statek sendmail[14281]: k4MDkN1J014281: <[EMAIL PROTECTED]>... User unknown
    May 22 15:46:31 statek sendmail[14242]: k4MDkNAw014242: from=<>, size=3019, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=smtp11.wanadoo.fr [193.252.22.31]
    May 22 15:46:31 statek sendmail[14242]: k4MDkNAw014242: <[EMAIL PROTECTED]>... User unknown
    May 22 15:46:23 statek sendmail[14278]: k4MDkNfs014278: from=<>, size=3019, class=0, nrcpts=0, proto=ESMTP, daemon=MTA, relay=smtp11.wanadoo.fr [193.252.22.31]
    May 22 15:46:23 statek sendmail[14278]: k4MDkNfs014278: <[EMAIL PROTECTED]>... User unknown

My filter (it is a customized and hacked filter based on suggested-minimum-filter-for-windows-clients 1.87):
http://ludzie.batory.org.pl/~tometzky/mimedefang/mimedefang-filter
It does not use SpamAssassin.

perl-5.8.3
sendmail-8.13.6

This is on an ancient linux-2.2.27-rc2 on libc-5, so it can just be a system fault - I'm slowly migrating this to a newer system but this is a big pain because of lots of libc-5 / python-1.4, no-source-available custom software.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh
Re: [Mimedefang] New to MIMEDEFANG
On Wed, 29 Mar 2006, Richard Laager wrote:
> On Wed, 2006-03-29 at 10:19 +0530, R.Linga Reddy wrote:
> > I am new to MIMEDEFANG, I am planing to install on FEDORA CORE 3 or
> > CORE 4, will it support, and is there any problem,
>
> It'll work fine. I run it on Fedora Core 4.

It will work, but I do not recommend FC3 because it has a too-old perl and you'll need to do some magic. Also Fedora 4 does have all the required perl modules either in core or in extras. Also FC3 is not maintained anymore (other than security patches), so just use FC4 or FC5.

Regards
Tometzky
-- 
Best of prhn - the funniest texts of Polish Usenet
http://prhn.dnsalias.org/
Chaos always defeats order, because it is better organized. [ Terry Pratchett ]
Re: [Mimedefang] Writing to an MBOX file
On Tue, 21 Mar 2006, Damrose, Mark wrote:
> > I think the From line needs a little bit more info. I ran
> > into problems with a Mailman archive when I fed it to
> > Dovecot, my IMAP server, because it didn't like the
> > abbreviated From line. It thought the whole file was one big
> > message. Looking at one of my mbox files, it appears that a
> > datestamp is needed on the end of the line.
>
> If you're going to write it yourself, you also need to worry
> about From_ quoting.
>
> See http://www.qmail.org/man/man5/mbox.html
> and http://homepages.tesco.net./~J.deBoynePollard/FGA/mail-mbox-formats.html

Or just pipe INPUTMSG to "procmail -d defang". And you'd not need to worry about locking, "From " lines, "^From" quoting etc.

Regards
Tometzky
-- 
Best of prhn - the funniest texts of Polish Usenet
http://rainbow.mimuw.edu.pl/~tometzky/humor/
Chaos always defeats order, because it is better organized. [ Terry Pratchett ]
Re: [Mimedefang] Re: Justifying greylisting to management
On Fri, 03 Mar 2006, Tomasz Ostrowski wrote:
> I'm going to send a feature request to
> <[EMAIL PROTECTED]>.

- Forwarded message -----

From: Tomasz Ostrowski <[EMAIL PROTECTED]>
Subject: RFE: Tempfail "data" when at least one "rcpt to" tempfailed and none accepted
To: [EMAIL PROTECTED]
Date: Fri, 3 Mar 2006 10:51:52 +0100

I'd like to ask you to consider my proposal - that "data" requests would be temporarily rejected (4xx) instead of permanently rejected, when at least one "rcpt to" request was temporarily rejected and no "rcpt to" request was accepted.

The developer of the MIMEdefang milter (http://www.mimedefang.org/), "David F. Skoll" roaringpenguin.com> said on its mailing list that it has implemented greylisting in a way that tempfails after "data", not after the "rcpt to" command. The reasoning was:

| Now, there *are* some marginal SMTP servers that fail in the
| following scenario:
|
| C: HELO myname.domain.com
| S: 250 whatever
| C: MAIL FROM:<[EMAIL PROTECTED]>
| S: 250 2.1.0 go ahead
| C: RCPT TO:<[EMAIL PROTECTED]>
| S: 451 4.7.1 greylisting; try in 2 minutes
| C: DATA
| S: 503 5.0.0 need RCPT!
|
| (and client bounces message)
|
| Notice that? Some marginal clients attempt a DATA even if all
| RCPTs are 4xx'd. Our solution is to greylist after the DATA phase
| (that is, at the ".") While this wastes bandwidth, it does keep
| those marginal SMTP implementations from failing.

I said that:

| This could be avoided if sendmail would tempfail "data" requests if
| any "rcpt to" request tempfailed and every "rcpt to" request
| tempfailed or permfailed.

David did not like this, because:

1. Sendmail has a right to reject after the data phase, because the RFC states that at least one recipient must be accepted when a client sends "data".

I agree, but it also has a right to tempfail.

2. Sendmail can assume that if a client has a broken implementation which caused this failure, then every subsequent attempt will also fail, so there's no reason to tempfail.

I do not agree - if there's a temporary failure then it should be assumed that the conditions can change and next time there'll be no reason to tempfail. If commands are "repeated identically" then they can be successful, hence the proposed 4xx response.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh

- End forwarded message -
Re: [Mimedefang] Re: Justifying greylisting to management
On Wed, 01 Mar 2006, David F. Skoll wrote:
> Sendmail has every reason to assume that if an SMTP client has a
> broken implementation of the state machine on one message attempt,
> it probably will break on every attempt, so why tempfail?

This assumption would be wrong. This could be true if there were no temporary failure on "rcpt" before - then every other attempt would indeed be the same, so there's no reason to bother with 4xx. But if there's a temporary failure then it should be assumed that the conditions can change and next time there'll be no reason to tempfail.

RFC2821:

    A rule of thumb to determine whether a reply fits into the 4yz or the
    5yz category (see below) is that replies are 4yz if they can be
    successful if repeated without any change in command form or in
    properties of the sender or receiver (that is, the command is repeated
    identically and the receiver does not put up a new implementation.)

In this case if commands are "repeated identically" then they can be successful, hence the proposed 4xx response.

I'm going to send a feature request to <[EMAIL PROTECTED]>.

> True; if bandwidth is a scarce resource, this could be an issue. It
> isn't for us, and I suspect it isn't for most people -- I doubt
> e-mail uses the majority of bandwidth at most organizations.

You're right. Although e-mail is often misused for file transfer - "ooh, a cool mpeg, let's e-mail it to all my friends".

Regards
Tometzky
-- 
Best of prhn - the funniest texts of Polish Usenet
http://prhn.dnsalias.org/
Chaos always defeats order, because it is better organized. [ Terry Pratchett ]
Re: [Mimedefang] Re: Justifying greylisting to management
On Wed, 01 Mar 2006, David F. Skoll wrote:
> > This could be avoided if sendmail would tempfail "data" requests if
> > any "rcpt to" request tempfailed and every "rcpt to" request tempfailed
> > or permfailed.
>
> But the RFC says that an SMTP client MUST NOT issue a DATA command unless
> at least one RCPT succeeded, so Sendmail is within its rights to issue
> a 5xx failure code.

Of course. But it is also within its rights to issue 4xx. And if it makes it more reliable then why not? This would not encourage the developers of broken servers to fix them or administrators to migrate. But it could be better than tempfailing after "data" because tempfailing "rcpt to" sometimes does not work - it will not waste bandwidth.

Regards
Tometzky
-- 
Best of prhn - the funniest texts of Polish Usenet
http://prhn.dnsalias.org/
Chaos always defeats order, because it is better organized. [ Terry Pratchett ]
Re: [Mimedefang] Re: Justifying greylisting to management
On Sun, 26 Feb 2006, David F. Skoll wrote:
> Now, there *are* some marginal SMTP servers that fail in the
> following scenario:
>
> C: HELO myname.domain.com
> S: 250 whatever
> C: MAIL FROM:<[EMAIL PROTECTED]>
> S: 250 2.1.0 go ahead
> C: RCPT TO:<[EMAIL PROTECTED]>
> S: 451 4.7.1 greylisting; try in 2 minutes
> C: DATA
> S: 503 5.0.0 need RCPT!
> (and client bounces message)

This could be avoided if sendmail would tempfail "data" requests if any "rcpt to" request tempfailed and every "rcpt to" request tempfailed or permfailed. Maybe a small patch for sendmail would do it.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh
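An added example covering this whole greylisting thread (David's scenario above, the RFC 2821 4yz/5yz argument and the forwarded feature request); it is not code from the thread, from MIMEDefang or from sendmail. A toy server-side SMTP state machine replays the quoted exchange under the three policies discussed: tempfail at RCPT TO (what breaks the marginal client), greylist after the message body as MIMEDefang does (works, but the body is transferred first), and the proposed 4xx on DATA when some RCPT got 4xx and none got 2xx. The client behaviours, addresses and reply texts are constructed; the reply-code semantics (4yz retry later, 5yz give up) are RFC 2821's.

```python
GREYLISTED = {'user@example.com'}   # constructed: recipient currently greylisted


class GreylistServer:
    """Toy SMTP server applying one greylisting policy per instance:
    'rcpt' - 451 at RCPT TO; DATA with no accepted recipient gets 503
    'data' - accept RCPT TO, 451 after the body (MIMEDefang's approach)
    'rfe'  - 451 at RCPT TO, and 451 instead of 503 on DATA when some
             RCPT TO was tempfailed and none accepted (the feature request)
    """

    def __init__(self, policy):
        assert policy in ('rcpt', 'data', 'rfe')
        self.policy = policy
        self.rcpt_codes = []        # first digit of every RCPT reply so far
        self.greylisted_hit = False

    def handle(self, cmd):
        verb, _, arg = cmd.partition(' ')
        verb = verb.upper()
        if verb == 'HELO':
            return '250 whatever'
        if verb == 'MAIL':
            self.rcpt_codes, self.greylisted_hit = [], False
            return '250 2.1.0 go ahead'
        if verb == 'RCPT':
            rcpt = arg.partition(':')[2].strip().strip('<>')
            if rcpt in GREYLISTED:
                self.greylisted_hit = True
                if self.policy in ('rcpt', 'rfe'):
                    reply = '451 4.7.1 greylisting; try in 2 minutes'
                else:
                    reply = '250 2.1.5 recipient ok'
            else:
                reply = '250 2.1.5 recipient ok'
            self.rcpt_codes.append(reply[0])
            return reply
        if verb == 'DATA':
            if '2' in self.rcpt_codes:
                return '354 enter mail, end with "." on a line by itself'
            if self.policy == 'rfe' and '4' in self.rcpt_codes:
                # the RFE: a tempfailed RCPT and no accepted one -> 4xx, not 5xx
                return '451 4.7.1 greylisting; try in 2 minutes'
            return '503 5.0.0 need RCPT!'
        if cmd == '.':
            if self.policy == 'data' and self.greylisted_hit:
                return '451 4.7.1 greylisting; try in 2 minutes'
            return '250 2.0.0 message accepted'
        return '500 5.5.1 command unrecognized'


def run_session(policy, marginal_client):
    """Replay the quoted exchange against a server with the given policy.
    A marginal client sends DATA even after every RCPT TO was 4xx'd; a
    conforming one stops and retries later. Returns
    (client outcome, whether the message body was transferred, transcript)."""
    server = GreylistServer(policy)
    transcript = []

    def send(cmd):
        reply = server.handle(cmd)
        transcript.extend(('C: ' + cmd, 'S: ' + reply))
        return reply

    send('HELO myname.domain.com')
    send('MAIL FROM:<sender@example.net>')
    rcpt = send('RCPT TO:<user@example.com>')
    if rcpt[0] == '4' and not marginal_client:
        return 'deferred', False, transcript      # conforming client retries later
    if rcpt[0] == '5':
        return 'bounced', False, transcript
    data = send('DATA')
    if data[0] == '5':
        return 'bounced', False, transcript       # 503: marginal client gives up
    if data[0] == '4':
        return 'deferred', False, transcript      # retried later, no body sent
    end = send('.')                               # body elided; '.' ends DATA
    if end[0] == '4':
        return 'deferred', True, transcript       # body already sent: bandwidth spent
    return 'delivered', True, transcript


if __name__ == '__main__':
    for policy in ('rcpt', 'data', 'rfe'):
        for marginal in (True, False):
            outcome, body_sent, log = run_session(policy, marginal)
            print(f'{policy:4} marginal={marginal!s:5} -> {outcome}, body sent: {body_sent}')
            print('   ' + '\n   '.join(log))
```

Running it shows the trade-off the thread argues about: only the 'rcpt' policy loses mail from the marginal client, 'data' never does but transfers the body before deferring, and the proposed 'rfe' behaviour defers the marginal client without a bounce and without the body.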
Re: [Mimedefang] MIMEDefang 2.55-BETA-2 is available
On Mon, 16 Jan 2006, [EMAIL PROTECTED] wrote:
> > > *** NOTE INCOMPATIBILITY *** filter_begin NOW TAKES ONE ARGUMENT,
> > >                             NOT ZERO. IF YOUR FILTER HAS A
> > >                             PROTOTYPE FOR filter_begin, YOU SHOULD
> > >                             FIX OR REMOVE THE PROTOTYPE
> >
> > It would be nice to have an example here. Not knowing perl very
> > much I would not understand "Fix or remove the prototype" without
> > an example from your previous post on this.
>
> That means that in mimedefang-filter you have a sub function that
> looks like this: "sub filter_begin()" then you should change that
> to "sub filter_begin($)" or "sub filter_begin"

I already know what this means. But it is only because I did read David's previous message. I'm just saying that this "INCOMPATIBILITY" note should be more verbose and give an example for those who do not know perl very well and will not understand this.

I'm not very good in English so I'm sorry if I said something wrong and I was not understandable.

Regards
Tometzky
-- 
...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were...
Winnie the Pooh
Re: [Mimedefang] MIMEDefang 2.55-BETA-2 is available
On Wed, 11 Jan 2006, David F. Skoll wrote:

> *** NOTE INCOMPATIBILITY *** filter_begin NOW TAKES ONE ARGUMENT,
> NOT ZERO. IF YOUR FILTER HAS A
> PROTOTYPE FOR filter_begin, YOU SHOULD
> FIX OR REMOVE THE PROTOTYPE

It would be nice to have an example here. Not knowing Perl very well, I would not understand "Fix or remove the prototype" without an example from your previous post on this.

Regards
Tometzky
Re: [Mimedefang] Bare returns in message body
On Thu, 10 Nov 2005, David F. Skoll wrote:

> - There is no way to see a lone LF from milter.

It seems that is no problem, because this should also be the case for the local mailer on Unices. At least procmail saves files with bare LF. Does anybody use sendmail on MacOSX (unix to be or not unix to be) or Windows to check it there?

> - There IS a way to see a lone CR.

So I'd propose something like:

    # after message_contains_virus()
    if ($SuspiciousCharsInBody) {
        action_rebuild();
    }

But then we should recheck the rebuilt message for viruses - in case the virus program has problems with bare CR. I don't know how to do this (message_contains_virus() on a modified message). Of course we don't need to recheck the attachments of this message (we build it, so we're sure there won't be anything unexpected) - only the message as a whole.

Regards
Tometzky
--
Best of prhn - the funniest texts of the Polish Usenet
http://prhn.dnsalias.org/
Chaos always defeats order, because it is better organized. [ Terry Pratchett ]
Re: [Mimedefang] Bare returns in message body
On Wed, 09 Nov 2005, Jan Pieter Cornet wrote:

> However, you're ALSO removing lone CRs in the process, CR characters
> that a MUA will see, and might react upon (it might even trigger
> a bug in the MUA... a bug which is scanned for in some virus scanner,
> but that fails to detect it because the CR characters aren't there.
> This is speculation, however).

I remember a post to bugtraq that dealt with this as a security problem - I cannot google it right now, though. There was client software that treated bare CR and bare LF like CRLF, but an antivirus gateway did not and did not find an included virus. In that post there were 2 possible solutions:

1. reject bare CR and bare LF on the wire - not acceptable because of crappy SMTP software;

2. modify the message at the gateway, converting all bare CRs and bare LFs to CRLF, so we're sure that every piece of software will treat it the same way - this violates the RFC (modifies a message at the gateway), but that is not a problem for a message that already violates the RFC.

It would be nice for mimedefang to follow this second approach - every violating message should be converted before checking attachment names, using virus scanners or spamassassin, and should be returned to sendmail converted as well.

Regards
Tometzky
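The two halves of the approach described in this post and in the reply above it (flag a message with bare CR or LF, then normalize every line ending to CRLF before any scanning), as an added example in Python. It is not MIMEDefang code and the original posts contain no implementation; the strict CRLF-only part splitter stands in for a scanner that honours only RFC line endings, and the multipart message is constructed for the example, with an attachment part terminated by bare CRs so that the strict splitter never sees its filename until the message is normalized.

```python
import re

# Added example (Python, not MIMEDefang code): detection of bare CR/LF and
# the gateway-side rewrite to CRLF proposed in the post, demonstrated on a
# constructed message whose attachment is hidden from a CRLF-only parser.

BARE_CR = re.compile(rb"\r(?!\n)")        # CR not followed by LF
BARE_LF = re.compile(rb"(?<!\r)\n")       # LF not preceded by CR


def has_bare_line_endings(data: bytes) -> bool:
    """True if the message contains a CR or LF that is not part of CRLF.
    This is the condition that would set a 'suspicious characters' flag."""
    return bool(BARE_CR.search(data) or BARE_LF.search(data))


def normalize_line_endings(data: bytes) -> bytes:
    """Rewrite CRLF, bare CR and bare LF all to CRLF."""
    # Collapse CRLF first so its CR and LF are not treated as two separate
    # bare line endings by the following replacements.
    data = data.replace(b"\r\n", b"\n")
    data = data.replace(b"\r", b"\n")
    return data.replace(b"\n", b"\r\n")


def mime_part_names(data: bytes, boundary: bytes) -> list:
    """Deliberately strict CRLF-only multipart splitter standing in for a
    gateway scanner. Returns filenames from Content-Disposition headers of
    the parts it can parse; a part without a proper CRLF CRLF header/body
    separator is skipped as malformed."""
    names = []
    delimiter = b"\r\n--" + boundary
    for part in data.split(delimiter)[1:]:
        if b"\r\n\r\n" not in part:
            continue
        header_block = part.split(b"\r\n\r\n", 1)[0]
        for line in header_block.split(b"\r\n"):
            m = re.search(rb'filename="([^"]+)"', line)
            if m:
                names.append(m.group(1).decode())
    return names


# Constructed message: the attachment part uses bare CR as its line ending,
# which a lenient client accepts but the strict splitter above does not.
BOUNDARY = b"xyz"
SAMPLE = (
    b"From: a@example.org\r\n"
    b"Content-Type: multipart/mixed; boundary=\"xyz\"\r\n"
    b"\r\n"
    b"--xyz\r"
    b"Content-Type: application/octet-stream\r"
    b"Content-Disposition: attachment; filename=\"setup.exe\"\r"
    b"\r"
    b"TVqQAAMAAAAEAAAA\r"
    b"--xyz--\r"
)

if __name__ == "__main__":
    print("bare line endings:", has_bare_line_endings(SAMPLE))
    print("names as received:", mime_part_names(SAMPLE, BOUNDARY))
    fixed = normalize_line_endings(SAMPLE)
    print("names normalized: ", mime_part_names(fixed, BOUNDARY))
```

As received, the strict splitter reports no attachment at all; after normalize_line_endings() the same splitter finds setup.exe, which is the point of converting before the filename checks and scanners run.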
Re: [Mimedefang] MIMEdefang on CPAN? or in RPM form?
On Tue, 28 Dec 2004, Les Mikesell wrote:

> On Sat, 2004-12-25 at 18:47, Gary Funck wrote:
>
> > I'm about ready to install MIMEdefang, and was wondering if MIMEdefang is
> > available on CPAN, or available in RPM form?
>
> Dag Wieers has it packaged for redhat/fedora (along with about every
> other program known to man...).
> http://dag.wieers.com/packages/mimedefang/

But his packages are seriously outdated, and recent versions of MimeDefang had some security related issues corrected. I've announced here before my set of updated RPMs, based mostly on Dag's:

http://prhn.dnsalias.org/~tometzky/mimedefang/perl-Convert-BinHex-1.119-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MIME-Base64-3.05-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-IO-stringy-2.109-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MailTools-1.65-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MIME-tools-5.415-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/mimedefang-2.49-1t.src.rpm

Regards
Tometzky
Re: [Mimedefang] Fedora 2 upgrade issues
On Tue, 14 Dec 2004, Kenneth Porter wrote:

> I figured I'd take a crack at updating to the latest MD, and started by
> trying to update MIME-tools. I immediately run into the problem that it
> wants a new MIME::QuotedPrint but Red Hat, in their infinite wisdom (rolls
> eyes) have decided to bundle this package in the main Perl package.

I've made RPM packages of the needed modules for my Fedora Core 3 system:

http://prhn.dnsalias.org/~tometzky/mimedefang/perl-Convert-BinHex-1.119-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MIME-Base64-3.05-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-IO-stringy-2.109-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MailTools-1.65-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/perl-MIME-tools-5.415-1t.src.rpm
http://prhn.dnsalias.org/~tometzky/mimedefang/mimedefang-2.49-1t.src.rpm

They should work on Fedora 1-3 or any Fedora-like RPM-based system. They are mostly based on the outdated Dag Wieers packages (http://dag.wieers.com/packages/). Please compile (rpmbuild --rebuild) and install in the above order.

Regards
Tometzky
[Mimedefang] mimedefang.c:1721: structure has no member named `sin_addr'
I've an old, Libc-5 based, Linux system with mimedefang. When I tried to compile mimedefang-2.49 I got the following message: mimedefang.c: In function `main': mimedefang.c:1721: structure has no member named `sin_addr' make: *** [mimedefang.o] Error 1 It looks like the code used when a system does not have inet_ntop() is broken. At least when I changed it, like you can see in attached patch, it compiled and looks like it works. Regards Tometzky -- ...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were... Winnie the Pooh diff -urP mimedefang-2.49.orig/mimedefang.c mimedefang-2.49/mimedefang.c --- mimedefang-2.49.orig/mimedefang.c Wed Nov 24 21:59:17 2004 +++ mimedefang-2.49/mimedefang.cMon Nov 29 18:57:24 2004 @@ -1718,7 +1718,7 @@ } #else { - char *s = inet_ntoa(in.sin_addr); + char *s = inet_ntoa(in); if (s && *s) MyIPAddress = strdup_with_log(s); } #endif ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
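Review bot: changing `inet_ntoa(in.sin_addr)` to `inet_ntoa(in)` is only correct if `in` is declared as a `struct in_addr` in this `#else` branch; the declaration is outside the hunk and the original call clearly assumed a `struct sockaddr_in`, so the patch should say which it is (or fix the declaration in the same hunk) so the next reader can see that the two branches agree. Since this branch is compiled only on systems without inet_ntop(), a build on a current libc will not exercise it; the message should record that it was built and run on the libc5 system as the only test.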
[Mimedefang] JPEG exploit checking in mimedefang-filter
I have written a quick and dirty check for corrupt JPEG files in mimedefang-filter. It uses the program "djpeg", which should be in most Linux and Unix distributions, to convert the file to a bitmap written to /dev/null. It lets the file in if it manages to convert it successfully, and rejects it otherwise. It should catch the latest JPEG virus. At least it catches the sample I have found here: http://www.easynews.com/virus.html

    ###
    # New function: check for corrupted JPEG files
    sub filter_corrupt_jpeg ($) {
        my($entity) = @_;
        if (re_match($entity, '\.jp(e?)g$') ) {
            my $bh = $entity->bodyhandle();
            if (defined($bh)) {
                my $path = $bh->path();
                if (defined($path)) {
                    # Decode to /dev/null; a non-zero exit means djpeg
                    # could not parse the file.
                    my($code, $category, $action) =
                        run_virus_scanner( "djpeg -fast -dither none -grayscale -scale 1/8 -outfile /dev/null $path" );
                    if ($action ne 'proceed') {
                        return $code;
                    }
                    if ($code) {
                        return $code;
                    }
                }
            }
        }
        return 0;
    }
    ###

    ###
    # This should go in filter() function
    if (filter_corrupt_jpeg($entity)) {
        md_graphdefang_log('corrupt_jpeg', $fname, $type);
        action_bounce("Access denied. Corrupt file $fname not allowed.", "554", "5.7.1");
        return action_discard();
    }
    ###

Regards
Tometzky
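A structural counterpart to the djpeg check above, as an added example in Python that is not part of the original post: instead of decoding the image it walks the JPEG marker segments up to SOS and reports files that do not start with SOI, whose segment length field is below the minimum of 2 (the length counts its own two bytes), or that end before the segment they announce. It does not replace a real decoder such as djpeg, which also validates the entropy-coded data; the sample files are constructed here and are only headers, not decodable pictures.

```python
import struct

# Added example (Python, not the djpeg-based Perl check from the post):
# a marker-segment walker that rejects structurally corrupt JPEG files.
# Constants below follow the JPEG marker assignments (SOI/EOI/SOS etc.).

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01} | set(range(0xD0, 0xD8))  # TEM, RST0-7: no length field


def jpeg_problems(data: bytes) -> list:
    """Return a list of structural problems found before the scan data.
    An empty list means the marker structure up to SOS is well formed."""
    problems = []
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return ["missing SOI marker"]
    pos = 2
    while True:
        if pos + 2 > len(data):
            problems.append("truncated before SOS")
            break
        if data[pos] != 0xFF:
            problems.append("expected marker at offset %d" % pos)
            break
        marker = data[pos + 1]
        pos += 2
        if marker == 0xFF:            # fill byte before a marker: skip it
            pos -= 1
            continue
        if marker == 0x00:            # stuffed byte is only legal in scan data
            problems.append("stuffed byte outside scan data")
            break
        if marker in STANDALONE:
            continue
        if marker == EOI:
            problems.append("EOI before SOS")
            break
        if pos + 2 > len(data):
            problems.append("truncated length field for marker 0x%02X" % marker)
            break
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        if length < 2:
            # The length includes its own two bytes, so anything smaller
            # cannot be honoured by a decoder.
            problems.append("segment 0x%02X has length %d (< 2)" % (marker, length))
            break
        if pos + length > len(data):
            problems.append("segment 0x%02X overruns file" % marker)
            break
        pos += length
        if marker == SOS:
            break                     # entropy-coded data follows
    return problems


def is_well_formed_jpeg(data: bytes) -> bool:
    return not jpeg_problems(data)


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment with a correct length field."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples (headers only, not decodable images).
COMMENT = b"constructed sample"
GOOD_JPEG = (
    bytes([0xFF, SOI])
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xFE, COMMENT)
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x00" * 8
    + bytes([0xFF, EOI])
)
# Same file with the COM segment's length field forced to 1.
BAD_LENGTH_JPEG = GOOD_JPEG.replace(
    bytes([0xFF, 0xFE]) + struct.pack(">H", len(COMMENT) + 2),
    bytes([0xFF, 0xFE]) + struct.pack(">H", 1),
)
TRUNCATED_JPEG = GOOD_JPEG[:10]

if __name__ == "__main__":
    for name, blob in [("good", GOOD_JPEG), ("bad length", BAD_LENGTH_JPEG),
                       ("truncated", TRUNCATED_JPEG)]:
        print(name, jpeg_problems(blob) or "ok")
```

In a gateway, a check like this would run in addition to, not instead of, the decode: it is fast and has no image library in the process, but a file can be structurally valid and still crash a decoder in the scan data.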
[Mimedefang] MIME-Base64-3.03 and Fedora Core, possibly other Linux distributions
From mimedefang-2.45 README:

| 4. MIME-BASE64 NOTE
| ---
|
| Version 5.113 or higher of MIME::Tools requires MIME::Base64 version
| 3.03 or higher. Many Linux distributions include an old version
| of MIME::Base64 in the core Perl distribution. In order to
| install a new version of MIME::Base64 without upsetting your Linux
| updating tools (like up2date or the equivalent), you should download
| MIME::Base64 3.03 or newer and build as follows:
|
| tar xvfz MIME-Base64-VERSION.tar.gz
| cd MIME-Base64-VERSION
| perl Makefile.PL INSTALLDIRS=site
| make
| make install

This does not work - the core Perl MIME-Base64 is used anyway, because Fedora Core and, I suppose, other Linux distributions have the "site_perl" directories after the core Perl directories in @INC:

| $ perl -e 'use foo;'
| Can't locate foo.pm in @INC (@INC contains:
| /usr/lib/perl5/5.8.3/i386-linux-thread-multi
|     ^^ this is where core MIME::Base64 is
| /usr/lib/perl5/5.8.3
| /usr/lib/perl5/site_perl/5.8.3/i386-linux-thread-multi
|     ^^ this is where MIME::Base64 3.05 will be installed
| /usr/lib/perl5/site_perl/5.8.2/i386-linux-thread-multi
| /usr/lib/perl5/site_perl/5.8.1/i386-linux-thread-multi
| /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
| /usr/lib/perl5/site_perl/5.8.3
| /usr/lib/perl5/site_perl/5.8.2
| /usr/lib/perl5/site_perl/5.8.1
| /usr/lib/perl5/site_perl/5.8.0
| /usr/lib/perl5/site_perl
| /usr/lib/perl5/vendor_perl/5.8.3/i386-linux-thread-multi
| /usr/lib/perl5/vendor_perl/5.8.2/i386-linux-thread-multi
| /usr/lib/perl5/vendor_perl/5.8.1/i386-linux-thread-multi
| /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
| /usr/lib/perl5/vendor_perl/5.8.3
| /usr/lib/perl5/vendor_perl/5.8.2
| /usr/lib/perl5/vendor_perl/5.8.1
| /usr/lib/perl5/vendor_perl/5.8.0
| /usr/lib/perl5/vendor_perl
| .) at -e line 1.
| BEGIN failed--compilation aborted at -e line 1.

It's impossible to install MIME::Base64 3.05 without breaking the Perl package, and it is impossible to create a MIME::Base64 package. The only way to do it right is to create a new Perl package with MIME::Base64 3.05 bundled. I'd suggest, if it is possible, rewriting MIME::tools so that it does not depend on MIME::Base64 3.05 until the major Linux distributions include it. I know that the MIME::tools maintainer is also from Roaring Penguin.

Regards
Tometzky
[Mimedefang] Blocking RAR viruses
I've modified mimedefang-filter.example so it blocks RAR files with executables. It uses freeware "unrar" program, which source and binaries can be downloaded from RARLAB: http://www.rarlab.com/rar_add.htm Patch follows. It blocks Beagle worm password protected RAR files. Regards Tometzky -- ...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were... Winnie the Pooh --- mimedefang-filter.example Tue Mar 16 10:53:37 2004 +++ mimedefang-filter Fri Mar 19 14:14:40 2004 @@ -116,6 +116,25 @@ } } } + +# Look inside RAR files +if (re_match($entity, '\.r(ar|[0-2][0-9])$') ) { + my $bh = $entity->bodyhandle(); + if (defined($bh)) { + my $path = $bh->path(); + if (defined($path)) { + my($code, $category, $action) = + run_virus_scanner( "unrar lb $path" ); + if ($action ne 'proceed') { + return $code; + } + if ($code) { + return $code; + } + return 1 if $VirusScannerMessages =~ /$re/i; + } + } +} return 0; } ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
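Review bot: `unrar lb $path` is run without `-p-` and `-y`, so an archive whose headers are encrypted makes unrar prompt for a password and, under the milter where there is no terminal to answer, the filter sits there until the command times out instead of failing immediately; use `unrar lb -p- -y $path` (the same problem is what `-p -y` avoids in the 7z variant of this check). `$path` is also interpolated into the shell command unquoted; it is MIMEDefang's own work-directory path, so quoting it is cheap insurance rather than a live hole. The final `return 1 if $VirusScannerMessages =~ /$re/i;` depends on `$re` being the bad-extension pattern built earlier in filter_bad_filename, which holds at this hunk location but breaks silently if the block is later moved into its own sub, as the ZIP version was; naming that dependency in a comment would help.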
Re: [Mimedefang] Notify recipient?
On Wed, 24 Mar 2004, David F. Skoll wrote:

> On Wed, 24 Mar 2004, Tomasz Ostrowski wrote:
>
> > I'd advocate that action_notify_sender be removed as well, because
> > over 99% of virus e-mail comes with a forged return address.
>
> There's an interlock that disables action_notify_sender if a virus
> is detected. Check the mimedefang.pl source. :-)

Nice :-)

Unfortunately, for this to work there has to be a good antivirus program on the server. And silent discard violates the SMTP RFC...

Regards
Tometzky
Re: [Mimedefang] Notify recipient?
On Wed, 24 Mar 2004, Jobst Schmalenbach wrote:

> I want to notify the recipient (if the recipient is in OUR domain)
> that I killed a message for a reason.

    $ grep 'Milter: data, reject' /var/log/maillog | wc -l
    3457
    $ head -1 /var/log/maillog | cut -d " " -f 1-3
    Mar 21 00:09:26

Over 1000 virus messages blocked every day. For only about 150 users. Are you really sure you want to annoy your users with these notifications?

I'd advocate that action_notify_sender be removed as well, because over 99% of virus e-mail comes with a forged return address. Only action_bounce should be possible, and it could be used only if all MX hosts for the domain use mimedefang.

Regards
Tometzky
[Mimedefang] Blocking ZIP viruses
I've modified mimedefang-filter so it blocks ZIP files with executables. I't ugly as hell (I do not know perl - it's copy-paste programming) but it works. It uses zipinfo command to extract filenames. Have a look at the diff below. It blocks all recent Mydoom mails. Regards Tometzky -- ...although Eating Honey was a very good thing to do, there was a moment just before you began to eat it which was better than when you were... Winnie the Pooh --- mimedefang-filter.orig Tue Jan 27 16:45:56 2004 +++ mimedefang-filter Tue Jan 27 16:49:42 2004 @@ -148,6 +148,46 @@ return (wantarray ? (0, 'ok', 'ok') : 0); } +sub zip_filter_bad_filename ($) { +my($entity) = @_; +unless ( re_match($entity, '\.' . 'zip' . '\.*([^-A-Za-z0-9_.,]|$)') ) { +return 0; +} + +my($body) = $entity->bodyhandle; +if (!defined($body)) { +return 0; +} + +# Get filename +my($path) = $body->path; +if (!defined($path)) { +return 1; +} + +# Run zipinfo +my($code, $category, $action) = +run_virus_scanner( "zipinfo $path" ); +if ($action ne 'proceed') { +return $code; +} +if ($code) { +return $code; +} + +# Bad extensions +$bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})'; + +# Do not allow: +# - CLSIDs {foobarbaz} +# - bad extensions (possibly with trailing dots) at end or +# followed by non-alphanum +$re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)'; +return 1 if $VirusScannerMessages =~ /$re/i; + +return 0; +} + #*** # %PROCEDURE: filter_begin # %ARGUMENTS: 
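Review bot: `$bad_exts` and `$re` in zip_filter_bad_filename are assigned without `my`, so they become package globals that `use strict` would reject; declare them with `my`, and preferably reuse the single list from filter_bad_filename rather than keeping a second copy of the extension list that will drift from the first. The `return 1` when `$body->path` is undefined rejects the message on an internal condition, whereas the other early exits in the same sub return 0; make it 0 (or log it) so a missing work file does not turn into a bounce. `zipinfo $path` with no options prints the "Archive:" header line and the totals line as well as the member names, so the regex is also run over the archive path and the summary; `zipinfo -1 $path` prints only member names, one per line, which is the equivalent of `unrar lb` used in the RAR version and is what the pattern is written for.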
@@ -243,6 +283,12 @@ if (filter_bad_filename($entity)) { md_graphdefang_log('bad_filename', $fname, $type); return action_quarantine($entity, "An attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n"); +} + +if (zip_filter_bad_filename($entity)) { +md_graphdefang_log('bad_filename', $fname, $type); +action_bounce("Access denied. Archive $fname with not allowed file(s).", "554", "5.7.1"); +return action_discard(); } # eml is bad if it's not multipart ___ Visit http://www.mimedefang.org and http://www.canit.ca MIMEDefang mailing list [EMAIL PROTECTED] http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
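Review bot: the new block logs with the same `bad_filename` tag as the plain attachment check just above it, so graphdefang reports cannot separate an executable found inside a ZIP from a bare one; a distinct tag such as `bad_zip` keeps the two countable. The reject text "Archive $fname with not allowed file(s)" should read "Archive $fname contains a disallowed file". Also check against the mimedefang-filter documentation whether `return action_discard()` is still needed after `action_bounce(...)`: if the bounce alone already prevents delivery, the extra call only obscures which action took effect.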
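The bad-extension test that the RAR and ZIP patches apply to an archive listing, as an added example in Python rather than the Perl of the patches: it is not code from either post. The pattern (extension list, optional trailing dots, the CLSID form, and the rule that a bad extension must be followed by the end of the name or a character that cannot extend it) mirrors the one in the ZIP patch. The ZIP is built in memory so the example runs without zipinfo or unrar, and listing_names() stands in for "one name per line" output such as `unrar lb` or `zipinfo -1`; all member names are constructed for the example.

```python
import io
import re
import zipfile

# Added example (Python, not the Perl filter patches): the filter's
# bad-extension rule applied to archive member names, with a ZIP built in
# memory standing in for the attachment and its zipinfo/unrar listing.

BAD_EXTS = (
    "ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|"
    "hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|"
    "reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|"
    r"\{[^\}]+\}"
)
# A dot, a bad extension (or a {CLSID}), optional trailing dots, then either
# the end of the name or a character that cannot continue a longer extension.
BAD_NAME = re.compile(r"\.(" + BAD_EXTS + r")\.*([^-A-Za-z0-9_.,]|$)", re.I)


def bad_member_names(names):
    """Return the member names the filter would reject."""
    return [n for n in names if BAD_NAME.search(n)]


def zip_member_names(data: bytes):
    """Names from the central directory. This works on password-protected
    ZIPs as well, because ZIP stores member names in clear even when the
    contents are encrypted; that is why listing the archive is enough to
    catch worms that ship the password in the mail body."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [info.filename for info in zf.infolist()]


def listing_names(listing: str):
    """Parse 'one name per line' output such as unrar lb or zipinfo -1."""
    return [line for line in listing.splitlines() if line.strip()]


def build_sample_zip(names):
    """Constructed test archive; contents are irrelevant to the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample content")
    return buf.getvalue()


SAMPLE_ZIP = build_sample_zip([
    "readme.txt",
    "photos/holiday.jpg",
    "document.pdf.exe",                                   # double extension
    "invoice.scr.",                                       # trailing dot
    "setup.txt.{3050F4D8-98B5-11CF-BB82-00AA00BDCE0B}",   # CLSID extension
    "notes.exe.txt",                                      # .exe not final: allowed
])

if __name__ == "__main__":
    members = zip_member_names(SAMPLE_ZIP)
    print("members:", members)
    print("rejected:", bad_member_names(members))
    print("from listing:", bad_member_names(listing_names("readme.txt\nvirus.exe\n")))
```

Note what the pattern deliberately lets through: "notes.exe.txt" is allowed because ".exe" is followed by another alphanumeric extension, while "invoice.scr." is caught because Windows drops the trailing dot when saving the file.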