[Mimedefang] Variable Initialization for mimedefang-filter
Albert E. Whale
aewhale at ABS-CompTech.com
Wed Apr 10 12:11:17 EDT 2002
Here's My Filter File. Hope that makes more sense.
"David F. Skoll" wrote:
> On Tue, 9 Apr 2002, Albert E. Whale wrote:
>
> > Apr 9 22:29:14 access mimedefang-multiplexor: Slave 6 stderr: Use of
> > uninitialized value in concatenation (.) or string at
> > /etc/mail/mimedefang-filter line 156.
>
> > . "\tFrom:\t$FromAddress\n"
>
> Who is setting $FromAddress? MIMEDefang doesn't. Same with $VirusName.
>
> Regards,
>
> David.
--
Albert E. Whale - CISSP
http://www.abs-comptech.com
----------------------------------------------------------------------
ABS Computer Technology, Inc. - ESM, Computer & Networking Specialists
Sr. Security, Network, and Systems Consultant
-------------- next part --------------
# -*- Perl -*-
#***********************************************************************
#
# high-risk-filter
#
# Sample implementation of "filter" function for MIMEDefang.
# Your filter *must* be correct Perl code, *must* return "1" when
# sourced; and *must* be placed in /etc/mail/mimedefang-filter.
#
# This filter is "high risk" because it allows most attachments through,
# with only defanging to protect the innocent.
#
# Copyright (C) 2000 Roaring Penguin Software Inc.
#
# This program may be distributed under the terms of the GNU General
# Public License, Version 2, or (at your option) any later version.
#
# $Id: high-risk-filter,v 1.14 2001/08/02 14:52:33 dfs Exp $
#***********************************************************************
#***********************************************************************
# Set administrator's name here. The administrator receives
# quarantine messages and is listed as the contact for site-wide
# MIMEDefang policy. A good example would be 'defang-admin@mydomain.com'
#***********************************************************************
$Administrator = 'postmaster@abs-comptech.com';
#***********************************************************************
# Set the e-mail address from which MIMEDefang quarantine warnings and
# user notifications appear to come. A good example would be
# 'mimedefang@mydomain.com'. Make sure to have an alias for this
# address if you want replies to it to work.
#***********************************************************************
$DaemonAddress = 'mimedefang@abs-comptech.com';
#***********************************************************************
# Set various stupid things your mail client does below.
#***********************************************************************
# Set the next one if your mail client cannot handle nested multipart
# messages
$Stupidity{"flatten"} = 0;
# Set the next one if your mail client cannot handle multiple "inline"
# parts (*cough* Exchange *cough* Outlook)
$Stupidity{"NoMultipleInlines"} = 0;
#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
# None
# %RETURNS:
# Nothing
# %DESCRIPTION:
# Called just before e-mail parts are processed
#***********************************************************************
sub filter_begin {
    # If you have a recognized anti-virus scanner, use this
    $VirusFound = message_contains_virus();
    # Example: Only allow mailing to "all@abs-comptech.com" from our mail server.
    # The address must be quoted: a bare 216.254.72.208 is parsed by Perl as a
    # v-string and never equals the dotted-quad text in $RelayAddr.
    $OurMailServer = '216.254.72.208';
    if ($RelayAddr ne $OurMailServer) {
        foreach $recip (@Recipients) {
            if ($recip eq 'all@abs-comptech.com') {
                action_bounce('Outsiders may not mail to all@abs-comptech.com');
                last;
            }
        }
    }
}
#***********************************************************************
# %PROCEDURE: filter
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
#
# NOTE: There are two likely and one unlikely place for a filename to
# appear in a MIME message: In Content-Disposition: filename, in
# Content-Type: name, and in Content-Description. If you are paranoid,
# you will use the re_match and re_match_ext functions, which return true
# if ANY of these possibilities match. re_match checks the whole name;
# re_match_ext checks the extension. See the sample filter below for usage.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This function is called once for each part of a MIME message.
# It decides the fate of the part by calling one of:
#
# action_accept() -- Accept the attachment as-is.
#
# action_accept_with_warning($msg) -- Accept the attachment, but add
# a warning message "$msg".
#
# action_drop() -- Silently drop the attachment. NOT
# RECOMMENDED.
#
# action_drop_with_warning($msg) -- Add a warning message "$msg" and
# drop the attachment.
#
# action_defang($entity, $name, $fname, $type) -- Allow the attachment
# through, but change the name to "$name", filename to "$fname" and MIME
# type to "$type". If "$name" or "$fname" are set to "", they are
# generated. Use this to "de-fang" dangerous attachments so the data
# gets through, but is not susceptible to simple social engineering
# attacks.
#
# action_external_filter($entity, $cmd) -- Run an external filter "$cmd".
# This program must read from the file "./FILTERINPUT" and leave
# the result in "./FILTEROUTPUT".
#
# action_quarantine($entity, $msg) -- Similar to action_drop_with_warning.
# However, it copies the attachment to a file in /var/spool/MIMEDefang
# and e-mails the details of the attachment and the name of the
# quarantined file to the MIMEDefang administrator.
#
# action_bounce($reply) -- Bounce the entire message with one-line reply
# $reply. This means that the sender gets an error and the intended
# recipients never see the mail. You can profitably use
# action_quarantine before a call to action_bounce.
#
# action_discard() -- Silently discard the entire message. This means
# that the intended recipients never see the mail and the sender
# *does not* get an error message back. You can profitably use
# action_quarantine before a call to action_discard.
#***********************************************************************
sub filter {
    my($entity, $fname, $ext, $type) = @_;
    # For convenience, compute lower-case versions of filename and extension
    my($lc_fname) = $fname;
    my($lc_ext) = $ext;
    $lc_fname =~ tr/A-Z/a-z/;
    $lc_ext =~ tr/A-Z/a-z/;
    ####################################################################
    #                                                                  #
    # Filter rules follow                                              #
    #                                                                  #
    ####################################################################
    #-------------------------------------------------------------------
    # Quarantine viruses
    #-------------------------------------------------------------------
    if ($VirusFound && entity_contains_virus($entity)) {
        my($VirusName)=$VirusScannerMessages;
        $VirusName =~ s/.*?!Virus! (.*?) (.*?) .*/Virus called $2/s;
        my($dumpme);
        # my($infectedmsg)="This message was found to be carrying an attachment \n"
        $infectedmsg="This message was found to be carrying an attachment \n"
            . "that contained a known virus. The attachment has been replaced.\n"
            . "The following information may be helpful to determine its source:\n"
            . "\tSender:\t\t$Sender\n"
            . "\tFrom:\t$FromAddress\n"
            . "\tVirus:\t\t$VirusName\n"
            . "\tAttachment:\t$fname\n"
            . "\tMime-Encoding:\t$type\n"
            . "\nThe original sender may NOT have been notified\n(it may not be a valid email address).\n";
        # $FromAddress above here is obtained from the HEADERS file
        # my($replacemsg)="A virus was detected by our Anti-Virus Scanner in the Original Attachment.\n"
        $replacemsg="A virus was detected by our Anti-Virus Scanner in the Original Attachment.\n"
            . "\tMime-Encoding:\t$type\n"
            . "\tFilename:\t$fname\n"
            . "\tVirus Name:\t$VirusName\n";
        # some sanity checks here that set $dumpme if it needs to be discarded
        $infectedmsg=$infectedmsg."******** THIS MESSAGE HAS BEEN DISCARDED ********\n\n" if $dumpme;
        action_quarantine($entity, $infectedmsg);
        return action_drop() if $dumpme;
        if ($Sender ne '<>' ) {
            return action_notify_sender($replacemsg);
        }
        return action_replace_with_warning($replacemsg);
    }
    # #-------------------------------------------------------------------
    # # Quarantine: .exe .com .bat .vbs .shs .dll .vxd
    # # .pif .scr .reg .ocx .lnk .js
    # #-------------------------------------------------------------------
    #
    # if (re_match_ext($entity, '^\.(exe|com|bat|vbs|scr|shs|dll|vxd|pif|reg|ocx|lnk|js)$')){
    #     return action_quarantine($entity, "An attachment named $fname was removed from this document as it\n"
    #         . "constituted a security hazard. If you require this document, please contact\n"
    #         . "the sender and arrange an alternate means of receiving it.\n");
    # }
    return action_accept();
}
#***********************************************************************
# %PROCEDURE: defang_warning
# %ARGUMENTS:
# oldfname -- the old file name of an attachment
# fname -- the new "defanged" name
# %RETURNS:
# A warning message
# %DESCRIPTION:
# This function customizes the warning message when an attachment
# is defanged.
#***********************************************************************
sub defang_warning {
    my($oldfname, $fname) = @_;
    return
        "An attachment named '$oldfname' was converted to '$fname'.\n" .
        "To recover the file, right-click on the attachment and Save As\n" .
        "'$oldfname'\n";
}
# DO NOT delete the next line, or Perl will complain.
1;
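The warning quoted in this message comes from interpolating $FromAddress, which nothing in the attached filter assigns. The following is an added example, not part of the original post and not MIMEDefang's own code: one way to read the value from a headers file, such as the HEADERS file the filter's comment mentions, and fall back to a placeholder so the quarantine notice never interpolates an undefined value. The sub name from_address_or_default, the '(unknown)' placeholder and the sample headers are assumptions constructed here, and the file is assumed to hold one unfolded header per line.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempfile);

# Hypothetical helper (not a MIMEDefang function): return the value of the
# first From: header in $path, or $default when the file or header is absent.
sub from_address_or_default {
    my ($path, $default) = @_;
    open(my $fh, '<', $path) or return $default;
    my $from;
    while (my $line = <$fh>) {
        chomp $line;
        last if $line eq '';                  # blank line ends the headers
        if ($line =~ /^From:\s*(.*\S)\s*$/i) {
            $from = $1;
            last;
        }
    }
    close($fh);
    return $default unless defined $from;
    # The value goes into a notice mailed to the administrator: replace
    # control characters so a crafted header cannot add lines to the report.
    $from =~ s/[\x00-\x1f\x7f]+/ /g;
    return $from;
}

# Constructed sample input standing in for the per-message headers file.
my ($tmp, $headers) = tempfile(UNLINK => 1);
print {$tmp} "Received: from mail.example.org by mx.example.com\n",
             "From: \"Sender Name\" <sender\@example.org>\n",
             "Subject: test\n";
close($tmp);

# First path has a From: header; the second does not exist, so the
# placeholder is used instead of an undefined value.
for my $path ($headers, "$headers.missing") {
    my $FromAddress = from_address_or_default($path, '(unknown)');
    print "\tFrom:\t$FromAddress\n";
}
```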