[Mimedefang] Quarantine_entire_message
Rachael Stewart
rstewart at tsl.state.tx.us
Mon Aug 19 16:25:01 EDT 2002
Hi,
I'm new to MIMEDefang and Spam Assassin. I'm using Mimedefang 2.17 and SA
2.31 on RedHat 7.2. I want to keep a copy of all the messages that get
tagged as spam so I can forward the false positives to the recipient. Using
action_quarantine_entire_message, I get the administrator alerts, but the
email doesn't appear to get saved. Following are my mimedefang-filter file
and a copy of an admin alert.
Any ideas?
Thanks,
Rachael Stewart
Network Specialist I
Texas State Library and Archives
Ph: 512 463 5454
Fax: 512 463 3637
Email: rstewart at tsl.state.tx.us
# -*- Perl -*-
#***********************************************************************
#
# mimedefang-filter
#
# Suggested minimum-protection filter for Microsoft Windows clients, plus
# SpamAssassin checks if SpamAssassin is installed.
#
# Copyright (C) 2002 Roaring Penguin Software Inc.
#
# This program may be distributed under the terms of the GNU General
# Public License, Version 2, or (at your option) any later version.
#
# $Id: suggested-minimum-filter-for-windows-clients,v 1.38 2002/06/14
17:27:46 dfs Exp $
#***********************************************************************
#***********************************************************************
# Set administrator's e-mail address here. The administrator receives
# quarantine messages and is listed as the contact for site-wide
# MIMEDefang policy. A good example would be 'defang-admin at mydomain.com'
#***********************************************************************
$AdminAddress = 'rstewart at tsl.state.tx.us';
$AdminName = "Rachael Stewart";
#***********************************************************************
# Set the e-mail address from which MIMEDefang quarantine warnings and
# user notifications appear to come. A good example would be
# 'mimedefang at mydomain.com'. Make sure to have an alias for this
# address if you want replies to it to work.
#***********************************************************************
$DaemonAddress = 'admincoyote at tsl.state.tx.us';
#***********************************************************************
# If you set $AddWarningsInline to 1, then MIMEDefang tries *very* hard
# to add warnings directly in the message body (text or html) rather
# than adding a separate "WARNING.TXT" MIME part. If the message
# has no text or html part, then a separate MIME part is still used.
#***********************************************************************
$AddWarningsInline = 0;
#***********************************************************************
# Set various stupid things your mail client does below.
#***********************************************************************
# Set the next one if your mail client cannot handle nested multipart
# messages. DO NOT set this lightly; it will cause action_add_part to
# work rather strangely. Leave it at zero, even for MS Outlook, unless
# you have serious problems.
$Stupidity{"flatten"} = 0;
# Set the next one if your mail client cannot handle multiple "inline"
# parts.
$Stupidity{"NoMultipleInlines"} = 0;
# This procedure returns true for entities with bad filenames.
sub filter_bad_filename ($) {
my($entity) = @_;
my($bad_exts, $re);
# Bad extensions
$bad_exts =
'(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|ins|isp|jse?|l
ib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vb
e|vbs|vxd|wsc|wsf|wsh)';
# Do not allow:
# - curlies
# - bad extensions (possibly with trailing dots) at end or
# followed by non-alphanum
$re = '(\{)|(\})|(\.' . $bad_exts . ')\.*([^-A-Za-z0-9_.]|$)';
return re_match($entity, $re);
}
#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
# None
# %RETURNS:
# Nothing
# %DESCRIPTION:
# Called just before e-mail parts are processed
#***********************************************************************
sub filter_begin () {
# ALWAYS drop messages with suspicious chars in headers or body
if ($SuspiciousCharsInHeaders || $SuspiciousCharsInBody) {
action_quarantine_entire_message();
if ($SuspiciousCharsInHeaders) {
action_notify_administrator("Message quarantined because of
suspicious characters in headers");
} else {
action_notify_administrator("Message quarantined because of
suspicious characters in body");
}
# Do NOT allow message to reach recipient(s)
return action_discard();
}
# Detect spam if SpamAssassin is installed.
if ((-s './INPUTMSG') <= (100 * 1024)) {
my ($hits, $req, $names, $report) = spam_assassin_check();
if ($hits >= $req && $hits < 10) {
action_quarantine($entity, "Possible Spam");
$QuarantineSubject = "Possible Spam (Coyote)";
} else {
if ($hits >= 10) {
action_quarantine_entire_message();
$QuarantineSubject = "Definitely Spam (Coyote)";
} else {
action_accept();
}
}
#if ($names) {
# $report =~ s/SPAM: ---- Start SpamAssassin results\n//g;
# $report =~ s/SPAM: \nSPAM: ---- End of SpamAssassin
results\n//g;
# }
}
}
#***********************************************************************
# %PROCEDURE: filter
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for
details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
#
# NOTE: There are two likely and one unlikely place for a filename to
# appear in a MIME message: In Content-Disposition: filename, in
# Content-Type: name, and in Content-Description. If you are paranoid,
# you will use the re_match and re_match_ext functions, which return true
# if ANY of these possibilities match. re_match checks the whole name;
# re_match_ext checks the extension. See the sample filter below for
usage.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This function is called once for each part of a MIME message.
# There are many action_*() routines which can decide the fate
# of each part; see the mimedefang-filter man page.
#***********************************************************************
sub filter ($$$$) {
my($entity, $fname, $ext, $type) = @_;
return if message_rejected(); # Avoid unnecessary work
if (filter_bad_filename($entity)) {
return action_quarantine($entity, "An attachment named $fname was
removed from this document as it\nconstituted a security hazard. If you
require this document, please contact\nthe sender and arrange an alternate
means of receiving it.\n");
}
# eml is bad if it's not multipart
if (re_match($entity, '\.eml')) {
return action_quarantine($entity, "A non-multipart attachment named
$fname was removed from this document as it\nconstituted a security hazard.
If you require this document, please contact\nthe sender and arrange an
alternate means of receiving it.\n");
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: filter_multipart
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for
details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This is called for multipart "container" parts such as message/rfc822.
# You cannot replace the body (because multipart parts have no body),
# but you should check for bad filenames.
#***********************************************************************
sub filter_multipart ($$$$) {
my($entity, $fname, $ext, $type) = @_;
if (filter_bad_filename($entity)) {
action_notify_administrator("A MULTIPART attachment of type $type,
named $fname was dropped.\n");
return action_drop_with_warning("An attachment of type $type, named
$fname was removed from this document as it\nconstituted a security hazard.
If you require this document, please contact\nthe sender and arrange an
alternate means of receiving it.\n");
}
# eml is bad if it's not message/rfc822
if (re_match($entity, '\.eml') and ($type ne "message/rfc822")) {
return action_drop_with_warning("A non-message/rfc822 attachment
named $fname was removed from this document as it\nconstituted a security
hazard. If you require this document, please contact\nthe sender and
arrange an alternate means of receiving it.\n");
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: defang_warning
# %ARGUMENTS:
# oldfname -- the old file name of an attachment
# fname -- the new "defanged" name
# %RETURNS:
# A warning message
# %DESCRIPTION:
# This function customizes the warning message when an attachment
# is defanged.
#***********************************************************************
sub defang_warning ($$) {
my($oldfname, $fname) = @_;
return
"An attachment named '$oldfname' was converted to '$fname'.\n" .
"To recover the file, right-click on the attachment and Save As\n" .
"'$oldfname'\n";
}
sub filter_end ($) {
my($entity) = @_;
# No sense doing any extra work
return if message_rejected();
}
# DO NOT delete the next line, or Perl will complain.
1;
############################################################################
#############################
############################################################################
#############################
Received: from localhost.localdomain (Raven.tsl.state.tx.us [204.65.194.10])
by exchange.tsl.state.tx.us with SMTP (Microsoft Exchange Internet Mail
Service Version 5.5.2653.13)
id RHVYV089; Mon, 19 Aug 2002 15:15:29 -0500
Received: from localhost.localdomain (localhost [127.0.0.1])
by localhost.localdomain (8.12.5/8.12.5) with ESMTP id
g7J9Ds6K000882
for <rstewart at tsl.state.tx.us>; Mon, 19 Aug 2002 15:13:54 +0600
Received: (from defang at localhost)
by localhost.localdomain (8.12.5/8.12.5/Submit) id g7J9DsI4000880
for rstewart at tsl.state.tx.us; Mon, 19 Aug 2002 15:13:54 +0600
Date: Mon, 19 Aug 2002 15:13:54 +0600
Message-Id: <200208190913.g7J9DsI4000880 at localhost.localdomain>
X-Authentication-Warning: localhost.localdomain: defang set sender to
adminraven at tsl.state.tx.us using -f
From: MIMEDefang <adminraven at tsl.state.tx.us>
To: "Rachael Stewart" <rstewart at tsl.state.tx.us>
Subject: Definitely Spam (Raven)
X-Scanned-By: MIMEDefang 2.17 (www . roaringpenguin . com / mimedefang)
An e-mail had 0 parts quarantined in the directory
/var/spool/MIMEDefang/qdir-2002-08-19-15.13.54-001 on the mail server.
The sender was '<ckly-return-135 at lists.mailthanks.com>'.
The relay machine was s40.mailthanks.com (202.153.105.40).
The entire message was quarantined in
/var/spool/MIMEDefang/qdir-2002-08-19-15.13.54-001/ENTIRE_MESSAGE
Recipient: <cburse at tsl.state.tx.us>
----------
Here are the message headers:
X-Info: To report abuse, contact abuse at mailthanks.com
X-Mailthanks-Userid: ckly
X-Mailthanks-ID: 1846017
X-Mailthanks-Recipient: cburse at tsl.state.tx.us
To: cburse at tsl.state.tx.us
Date: Aug 20 2002 04:19:42
X-Mailthanks-MsgID: ckly-135
Subject: Your computer is soooooo SLOW!
From: FreeSample Center <ckly at lists.mailthanks.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
----------
Here are the warning details:
Definitely Spam
More information about the MIMEDefang
mailing list