[Mimedefang] Patch for MIME::Tools

Marco Berizzi pupilla at hotmail.com
Wed Apr 24 08:08:22 EDT 2002


> Is it possible you're blocking audio/x-wav?
No.
Wait...I'm searching my filter....done.
Here it is:

# -*- Perl -*-
#***********************************************************************
#
# mimedefang-filter
#
# Sample implementation of "filter" function for MIMEDefang.
# Your filter *must* be correct Perl code, *must* return "1" when
# sourced; and *must* be placed in /etc/mail/mimedefang-filter.
#
# This filter is "low risk" because it is very restrictive about what
# it allows through.  Note that it DOES allow HTML attachments through,
# which may be a problem for your e-mail client.
#
# Copyright (C) 2000 Roaring Penguin Software Inc.
#
# This program may be distributed under the terms of the GNU General
# Public License, Version 2, or (at your option) any later version.
#
# $Id: low-risk-filter,v 1.17 2002/02/08 13:51:53 dfs Exp $
#***********************************************************************

#***********************************************************************
# Set administrator's name here.  The administrator receives
# quarantine messages and is listed as the contact for site-wide
# MIMEDefang policy.  A good example would be
# 'defang-admin at mydomain.com'
#***********************************************************************
$Administrator = 'postmaster at aive.it';

#***********************************************************************
# Set the e-mail address from which MIMEDefang quarantine warnings and
# user notifications appear to come.  A good example would be
# 'mimedefang at mydomain.com'.  Make sure to have an alias for this
# address if you want replies to it to work.
#***********************************************************************
$DaemonAddress = 'mailer-daemon at aive.it';

#***********************************************************************
# Set various stupid things your mail client does below.
#***********************************************************************

# Set the next one if your mail client cannot handle nested multipart
# messages
$Stupidity{"flatten"} = 0;

# Set the next one if your mail client cannot handle multiple "inline"
# parts (*cough* Exchange *cough* Outlook)
$Stupidity{"NoMultipleInlines"} = 0;

#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
#  None
# %RETURNS:
#  Nothing
# %DESCRIPTION:
#  Called just before e-mail parts are processed
#***********************************************************************
#sub filter_begin {
#    # Only if you have NAI virus scanner, use this.  See the
#    # mimedefang-filter man page for other virus scanners.
#    $VirusFound = message_contains_virus_nai();
#
#    # Example: Only allow mailing to "all at mycorp.com" from our mail
#    # server
#    $OurMailServer = '192.168.7.4';
#    if ($RelayAddr ne $OurMailServer) {
#        foreach $recip (@Recipients) {
#            if ($recip eq 'all at mycorp.com') {
#                action_bounce('Outsiders may not mail to all at mycorp.com');
#                last;
#            }
#        }
#    }
#}

#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
#  None
# %RETURNS:
#  Nothing
# %DESCRIPTION:
#  Called just before e-mail parts are processed
#***********************************************************************
sub filter_begin {
    # ALWAYS drop messages with suspicious chars in headers or body
    if ($SuspiciousCharsInHeaders || $SuspiciousCharsInBody) {
        #action_quarantine_entire_message();
        action_bounce("The message was rejected because of suspicious characters in headers and/or body.");
        #if ($SuspiciousCharsInHeaders) {
        #    action_notify_administrator("Message quarantined because of suspicious characters in headers");
        #} else {
        #    action_notify_administrator("Message quarantined because of suspicious characters in body");
        #}
        # Do NOT allow message to reach recipient(s)
        #action_discard();
    }

    # action_rebuild() is DEPRECATED.  It causes all kinds of problems.
    # action_rebuild();
}

#***********************************************************************
# %PROCEDURE: filter
# %ARGUMENTS:
#  entity -- a Mime::Entity object (see MIME-tools documentation for
#            details)
#  fname -- the suggested filename, taken from the MIME
#           Content-Disposition: header.  If no filename was suggested,
#           then fname is ""
#  ext -- the file extension (everything from the last period in the
#         name to the end of the name, including the period.)
#  type -- the MIME type, taken from the Content-Type: header.
#
#  NOTE: There are two likely and one unlikely place for a filename to
#  appear in a MIME message:  In Content-Disposition: filename, in
#  Content-Type: name, and in Content-Description.  If you are paranoid,
#  you will use the re_match and re_match_ext functions, which return
#  true if ANY of these possibilities match.  re_match checks the whole
#  name; re_match_ext checks the extension.  See the sample filter below
#  for usage.
# %RETURNS:
#  Nothing
# %DESCRIPTION:
#  This function is called once for each part of a MIME message.
#  There are many action_*() routines which can decide the fate
#  of each part; see the mimedefang-filter man page.
#***********************************************************************
sub filter {
    my($entity, $fname, $ext, $type) = @_;

    # For convenience, compute lower-case versions of filename and
    # extension
    my($lc_fname) = $fname;
    my($lc_ext) = $ext;

    $lc_fname =~ tr/A-Z/a-z/;
    $lc_ext =~ tr/A-Z/a-z/;

    ####################################################################
    #                                                                  #
    #                      Filter rules follow                         #
    #                                                                  #
    ####################################################################

    #-------------------------------------------------------------------
    # Quarantine viruses
    #-------------------------------------------------------------------
    # Only if you have NAI virus scanner, use this.  See the
    # mimedefang-filter man page for other virus scanners.
    #if ($VirusFound && entity_contains_virus_nai($entity)) {
    #    # Notify the sender if you desire
    #    action_notify_sender("The attachment '$fname' was deleted.  It contains\n".
    #        "a known virus.\nHere is the output from the virus scanner:\n$VirusScannerMessages");
    #
    #    return action_quarantine($entity, "The attachment $fname contains a known virus.  It has been quarantined.\nHere is the output from the virus scanner:\n$VirusScannerMessages");
    #}

    #-------------------------------------------------------------------
    # Quarantine possible executables.
    #-------------------------------------------------------------------

    if (re_match_ext($entity,
        '^\.(exe|com|bat|vbs|scr|shs|dll|vxd|pif|reg|ocx|lnk|js|ini|mdb|wpd|wk4|eml)$')) {
        # Notify the sender if you desire
        #action_notify_sender("The attachment '$fname' was deleted.  We do not\n".
        #       "accept attachments of type '$ext'.\n");

        action_notify_sender("The message was deleted.  We do not accept\n".
               "message with attachments of type '$ext'.\n");

        # Discard the message
        return action_discard();
        # Quarantine the attachment.
        #return action_quarantine($entity, "An attachment named $fname was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
    }

    #-------------------------------------------------------------------
    # Accept any kind of textual attachment
    #-------------------------------------------------------------------
    if ($type =~ m+^text/+) {
        return action_accept();
    }

    # This type is generated by some buggy mail clients.
    if ($type eq "text") {
        return action_accept();
    }

    #-------------------------------------------------------------------
    # Messages (generated by mail transfer agents)
    #-------------------------------------------------------------------
    if ($type =~
        m+^message/(rfc822|partial|news|delivery-status|disposition-notification)$+) {
        return action_accept();
    }

    #-------------------------------------------------------------------
    # Images with stringent filename checks
    #-------------------------------------------------------------------
    if (($type eq "image/jpeg" && ($lc_ext eq ".jpg" || $lc_ext eq ".jpeg")) ||
        ($type eq "image/gif" && $lc_ext eq ".gif") ||
        ($type eq "image/bmp" && $lc_ext eq ".bmp") ||
        ($type eq "image/png" && $lc_ext eq ".png") ||
        ($type eq "image/tiff" && ($lc_ext eq ".tif" || $lc_ext eq ".tiff"))) {
        return action_accept();
    }

    #-------------------------------------------------------------------
    # PDF's are OK if the filename is sane
    #-------------------------------------------------------------------
    if ($type eq "application/pdf" && $lc_ext eq ".pdf") {
        return action_accept();
    }

    #-------------------------------------------------------------------
    # ZIP's are OK. My boss also wants xls, doc, project and ppt
    #-------------------------------------------------------------------
    if (re_match_ext($entity,
        '^\.(mpp|pps|xls|doc|ppt|zip|gz|tgz|Z)$')) {
        return action_accept();
    }

    #-------------------------------------------------------------------
    # Don't do double-defanging on things we recognize as safe
    #-------------------------------------------------------------------
    if ($type eq "application/octet-stream" &&
        $fname =~ /^defang-\d+\.binary$/) {
        return action_accept();
    }

    #-------------------------------------------------------------------
    # Drop anything else
    #-------------------------------------------------------------------
    #return action_drop_with_warning("An attachment named $fname was removed from this document as it\nis of unknown type and may constitute a security hazard.\nIf you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
    return action_bounce("The message was rejected because it contains an unknown attachment type.");

}


#***********************************************************************
# %PROCEDURE: defang_warning
# %ARGUMENTS:
#  oldfname -- the old file name of an attachment
#  fname -- the new "defanged" name
# %RETURNS:
#  A warning message
# %DESCRIPTION:
#  This function customizes the warning message when an attachment
#  is defanged.
#***********************************************************************
sub defang_warning {
    my($oldfname, $fname) = @_;
    return
        "An attachment named '$oldfname' was converted to '$fname'.\n" .
        "To recover the file, right-click on the attachment and Save As\n" .
        "'$oldfname'\n";
}

# DO NOT delete the next line, or Perl will complain.
1;

----- Original Message -----
From: "David F. Skoll" <dfs at roaringpenguin.com>
To: <mimedefang at lists.roaringpenguin.com>
Cc: <zlb at lsec.cc.ac.cn>
Sent: Wednesday, April 24, 2002 1:24 PM
Subject: Re: [Mimedefang] Patch for MIME::Tools


> On Wed, 24 Apr 2002, Marco Berizzi wrote:
>
> > Hi everybody. My mimedefang filter allows messages with certain
> > attachments, and bounces the entire message for all the others.
> > This morning I have applied the MIME-tools patch. After this I have
> > tried to send a bogus message like this:
>
> > Content-Type: audio/x-wav; name=foo[1].doc
>
> Is it possible you're blocking audio/x-wav?
>
> --
> David.
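
A stand-alone trace of the rule order in the filter above, added here as an example (not part of the original post and not MIMEDefang code): it reports which rule decides each part. `any_ext` is a stand-in for `re_match_ext`, the hash keys are hypothetical, and it assumes the MIME parser returns the `name` parameter unchanged.

```perl
use strict;
use warnings;

# Extension as the filter's header comment defines it: everything from the
# last period in the name to the end, including the period.
sub ext_of { my ($n) = @_; return (defined $n && $n =~ /(\.[^.]*)$/) ? $1 : '' }

# Stand-in for re_match_ext (assumption, not MIMEDefang's code): true if the
# extension of ANY candidate name matches, compared case-insensitively.
sub any_ext { my ($re, @names) = @_; return scalar grep { ext_of($_) =~ /$re/i } @names }

my %IMG = ('image/jpeg' => '.jpg .jpeg', 'image/gif'  => '.gif', 'image/bmp' => '.bmp',
           'image/png'  => '.png',       'image/tiff' => '.tif .tiff');

# Returns the label of the first rule that fires, in the filter's own order.
# Hypothetical keys: type, fname (Content-Disposition), ctname (Content-Type name).
sub verdict {
    my (%p)   = @_;
    my $type  = $p{type};
    my $fname = $p{fname} // '';
    my @names = grep { defined } @p{qw(fname ctname)};
    my $ext   = lc ext_of($fname);
    return 'discard (blocked extension)'
        if any_ext('^\.(exe|com|bat|vbs|scr|shs|dll|vxd|pif|reg|ocx|lnk|js|ini|mdb|wpd|wk4|eml)$', @names);
    return 'accept (text)' if $type =~ m+^text/+ || $type eq 'text';
    return 'accept (message)'
        if $type =~ m+^message/(rfc822|partial|news|delivery-status|disposition-notification)$+;
    return 'accept (image)' if $IMG{$type} && grep { $_ eq $ext } split ' ', $IMG{$type};
    return 'accept (pdf)'   if $type eq 'application/pdf' && $ext eq '.pdf';
    return 'accept (allowed extension)'
        if any_ext('^\.(mpp|pps|xls|doc|ppt|zip|gz|tgz|Z)$', @names);
    return 'accept (defanged)'
        if $type eq 'application/octet-stream' && $fname =~ /^defang-\d+\.binary$/;
    return 'bounce (unknown attachment type)';
}

# Constructed sample parts; the second uses the Content-Type line quoted in the thread.
my @samples = (
    { type => 'image/jpeg',  fname  => 'photo.JPG'  },
    { type => 'audio/x-wav', ctname => 'foo[1].doc' },
    { type => 'audio/x-wav', fname  => 'sound.wav'  },
    { type => 'image/gif',   fname  => 'icon.png'   },
    { type => 'text/plain',  fname  => 'notes.eml'  },
);
printf "%-12s %-11s -> %s\n", $_->{type}, $_->{fname} // $_->{ctname}, verdict(%$_)
    for @samples;
```

The extension rules run on any candidate name and ignore the declared type, so the order of the rules, not the Content-Type, decides parts such as `notes.eml` and `foo[1].doc`.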



