[Mimedefang] Quarantine_entire_message

Barry Byrne barry.byrne at wbtsystems.com
Tue Aug 20 04:54:00 EDT 2002


Rachael:

How about something like:

	add_recipient("abuse\@myDomain.com");

 - Barry

--
Barry Byrne, IT Manager,
WBT Systems, Block 2, Harcourt Centre
Harcourt Street, Dublin 2, Ireland

Email:  barry.byrne at wbtsystems.com
Web:    www.wbtsystems.com

> -----Original Message-----
> From: mimedefang-admin at lists.roaringpenguin.com
> [mailto:mimedefang-admin at lists.roaringpenguin.com]On Behalf Of Rachael
> Stewart
> Sent: 19 August 2002 21:24
> To: 'mimedefang at lists.roaringpenguin.com'
> Subject: [Mimedefang] Quarantine_entire_message
>
>
> Hi,
>
> I'm new to MIMEDefang and Spam Assassin.  I'm using Mimedefang 2.17 and SA
> 2.31 on RedHat 7.2.  I want to keep a copy of all the messages that get
> tagged as spam so I can forward the false positives to the
> recipient.  Using
> action_quarantine_entire_message, I get the administrator alerts, but the
> email doesn't appear to get saved.  Following are my
> mimedefang-filter file
> and a copy of an admin alert.
>
> Any ideas?
>
> Thanks,
> Rachael Stewart
> Network Specialist I
> Texas State Library and Archives
> Ph: 512 463 5454
> Fax: 512 463 3637
> Email: rstewart at tsl.state.tx.us
>
>
> # -*- Perl -*-
> #***********************************************************************
> #
> # mimedefang-filter
> #
> # Suggested minimum-protection filter for Microsoft Windows clients, plus
> # SpamAssassin checks if SpamAssassin is installed.
> #
> # Copyright (C) 2002 Roaring Penguin Software Inc.
> #
> # This program may be distributed under the terms of the GNU General
> # Public License, Version 2, or (at your option) any later version.
> #
> # $Id: suggested-minimum-filter-for-windows-clients,v 1.38 2002/06/14
> 17:27:46 dfs Exp $
> #***********************************************************************
>
> #***********************************************************************
> # Set administrator's e-mail address here.  The administrator receives
> # quarantine messages and is listed as the contact for site-wide
> # MIMEDefang policy.  A good example would be 'defang-admin at mydomain.com'
> #***********************************************************************
> $AdminAddress = 'rstewart at tsl.state.tx.us';
> $AdminName = "Rachael Stewart";
>
> #***********************************************************************
> # Set the e-mail address from which MIMEDefang quarantine warnings and
> # user notifications appear to come.  A good example would be
> # 'mimedefang at mydomain.com'.  Make sure to have an alias for this
> # address if you want replies to it to work.
> #***********************************************************************
> $DaemonAddress = 'admincoyote at tsl.state.tx.us';
>
> #***********************************************************************
> # If you set $AddWarningsInline to 1, then MIMEDefang tries *very* hard
> # to add warnings directly in the message body (text or html) rather
> # than adding a separate "WARNING.TXT" MIME part.  If the message
> # has no text or html part, then a separate MIME part is still used.
> #***********************************************************************
> $AddWarningsInline = 0;
>
> #***********************************************************************
> # Set various stupid things your mail client does below.
> #***********************************************************************
>
> # Set the next one if your mail client cannot handle nested multipart
> # messages.  DO NOT set this lightly; it will cause action_add_part to
> # work rather strangely.  Leave it at zero, even for MS Outlook, unless
> # you have serious problems.
> $Stupidity{"flatten"} = 0;
>
> # Set the next one if your mail client cannot handle multiple "inline"
> # parts.
> $Stupidity{"NoMultipleInlines"} = 0;
>
>
> # This procedure returns true for entities with bad filenames.
> sub filter_bad_filename ($) {
>     my($entity) = @_;
>     my($bad_exts, $re);
>
>     # Bad extensions
>     $bad_exts =
>         '(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|ins|' .
>         'isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|' .
>         'shb|shs|sys|url|vb|vbe|vbs|vxd|wsc|wsf|wsh)';
>
>     # Do not allow:
>     # - curlies
>     # - bad extensions (possibly with trailing dots) at end or
>     #   followed by non-alphanum
>     $re = '(\{)|(\})|(\.' . $bad_exts . ')\.*([^-A-Za-z0-9_.]|$)';
>     return re_match($entity, $re);
> }
>
>
> #***********************************************************************
> # %PROCEDURE: filter_begin
> # %ARGUMENTS:
> #  None
> # %RETURNS:
> #  Nothing
> # %DESCRIPTION:
> #  Called just before e-mail parts are processed
> #***********************************************************************
> sub filter_begin () {
>     # ALWAYS drop messages with suspicious chars in headers or body
>     if ($SuspiciousCharsInHeaders || $SuspiciousCharsInBody) {
>         action_quarantine_entire_message();
>         if ($SuspiciousCharsInHeaders) {
>             action_notify_administrator("Message quarantined because of suspicious characters in headers");
>         } else {
>             action_notify_administrator("Message quarantined because of suspicious characters in body");
>         }
>         # Do NOT allow message to reach recipient(s)
>         return action_discard();
>     }
>
>     # Detect spam if SpamAssassin is installed.
>     if ((-s './INPUTMSG') <= (100 * 1024)) {
>         my ($hits, $req, $names, $report) = spam_assassin_check();
>         # filter_begin() runs before any MIME part is handed to the filter,
>         # so $entity is undefined here and action_quarantine($entity, ...)
>         # has nothing to write to disk.  Keeping a copy of every tagged
>         # message is what action_quarantine_entire_message() does, so both
>         # spam tiers use it and differ only in the report subject.
>         if ($hits >= 10) {
>             action_quarantine_entire_message();
>             $QuarantineSubject = "Definitely Spam (Coyote)";
>         } elsif ($hits >= $req) {
>             action_quarantine_entire_message();
>             $QuarantineSubject = "Possible Spam (Coyote)";
>         } else {
>             action_accept();
>         }
>         #if ($names) {
>         #    $report =~ s/SPAM: ---- Start SpamAssassin results\n//g;
>         #    $report =~ s/SPAM: \nSPAM: ---- End of SpamAssassin results\n//g;
>         #}
>     }
> }
>
> #***********************************************************************
> # %PROCEDURE: filter
> # %ARGUMENTS:
> #  entity -- a Mime::Entity object (see MIME-tools documentation for details)
> #  fname -- the suggested filename, taken from the MIME Content-Disposition:
> #           header.  If no filename was suggested, then fname is ""
> #  ext -- the file extension (everything from the last period in the name
> #         to the end of the name, including the period.)
> #  type -- the MIME type, taken from the Content-Type: header.
> #
> #  NOTE: There are two likely and one unlikely place for a filename to
> #  appear in a MIME message:  In Content-Disposition: filename, in
> #  Content-Type: name, and in Content-Description.  If you are paranoid,
> #  you will use the re_match and re_match_ext functions, which return true
> #  if ANY of these possibilities match.  re_match checks the whole name;
> #  re_match_ext checks the extension.  See the sample filter below for usage.
> # %RETURNS:
> #  Nothing
> # %DESCRIPTION:
> #  This function is called once for each part of a MIME message.
> #  There are many action_*() routines which can decide the fate
> #  of each part; see the mimedefang-filter man page.
> #***********************************************************************
> sub filter ($$$$) {
>     my($entity, $fname, $ext, $type) = @_;
>
>     return if message_rejected(); # Avoid unnecessary work
>
>
>     if (filter_bad_filename($entity)) {
>         return action_quarantine($entity,
>             "An attachment named $fname was removed from this document as it\n" .
>             "constituted a security hazard.  If you require this document, please contact\n" .
>             "the sender and arrange an alternate means of receiving it.\n");
>     }
>
>     # eml is bad if it's not multipart
>     if (re_match($entity, '\.eml')) {
>         return action_quarantine($entity,
>             "A non-multipart attachment named $fname was removed from this document as it\n" .
>             "constituted a security hazard.  If you require this document, please contact\n" .
>             "the sender and arrange an alternate means of receiving it.\n");
>     }
>
>     return action_accept();
> }
>
> #***********************************************************************
> # %PROCEDURE: filter_multipart
> # %ARGUMENTS:
> #  entity -- a Mime::Entity object (see MIME-tools documentation for details)
> #  fname -- the suggested filename, taken from the MIME Content-Disposition:
> #           header.  If no filename was suggested, then fname is ""
> #  ext -- the file extension (everything from the last period in the name
> #         to the end of the name, including the period.)
> #  type -- the MIME type, taken from the Content-Type: header.
> # %RETURNS:
> #  Nothing
> # %DESCRIPTION:
> #  This is called for multipart "container" parts such as message/rfc822.
> #  You cannot replace the body (because multipart parts have no body),
> #  but you should check for bad filenames.
> #***********************************************************************
> sub filter_multipart ($$$$) {
>     my($entity, $fname, $ext, $type) = @_;
>
>     if (filter_bad_filename($entity)) {
>         action_notify_administrator("A MULTIPART attachment of type $type, named $fname was dropped.\n");
>         return action_drop_with_warning(
>             "An attachment of type $type, named $fname was removed from this document as it\n" .
>             "constituted a security hazard.  If you require this document, please contact\n" .
>             "the sender and arrange an alternate means of receiving it.\n");
>     }
>
>     # eml is bad if it's not message/rfc822
>     if (re_match($entity, '\.eml') and ($type ne "message/rfc822")) {
>         return action_drop_with_warning(
>             "A non-message/rfc822 attachment named $fname was removed from this document as it\n" .
>             "constituted a security hazard.  If you require this document, please contact\n" .
>             "the sender and arrange an alternate means of receiving it.\n");
>     }
>
>     return action_accept();
> }
>
>
> #***********************************************************************
> # %PROCEDURE: defang_warning
> # %ARGUMENTS:
> #  oldfname -- the old file name of an attachment
> #  fname -- the new "defanged" name
> # %RETURNS:
> #  A warning message
> # %DESCRIPTION:
> #  This function customizes the warning message when an attachment
> #  is defanged.
> #***********************************************************************
> sub defang_warning ($$) {
>     my($oldfname, $fname) = @_;
>     return
>         "An attachment named '$oldfname' was converted to '$fname'.\n" .
>         "To recover the file, right-click on the attachment and Save As\n" .
>         "'$oldfname'\n";
> }
>
> sub filter_end ($) {
>     my($entity) = @_;
>
>     # No sense doing any extra work
>     return if message_rejected();
>
> }
>
> # DO NOT delete the next line, or Perl will complain.
> 1;
>
> #########################################################################################################
> #########################################################################################################
>
> Received: from localhost.localdomain (Raven.tsl.state.tx.us
> [204.65.194.10])
> by exchange.tsl.state.tx.us with SMTP (Microsoft Exchange Internet Mail
> Service Version 5.5.2653.13)
> 	id RHVYV089; Mon, 19 Aug 2002 15:15:29 -0500
> Received: from localhost.localdomain (localhost [127.0.0.1])
> 	by localhost.localdomain (8.12.5/8.12.5) with ESMTP id
> g7J9Ds6K000882
> 	for <rstewart at tsl.state.tx.us>; Mon, 19 Aug 2002 15:13:54 +0600
> Received: (from defang at localhost)
> 	by localhost.localdomain (8.12.5/8.12.5/Submit) id g7J9DsI4000880
> 	for rstewart at tsl.state.tx.us; Mon, 19 Aug 2002 15:13:54 +0600
> Date: Mon, 19 Aug 2002 15:13:54 +0600
> Message-Id: <200208190913.g7J9DsI4000880 at localhost.localdomain>
> X-Authentication-Warning: localhost.localdomain: defang set sender to
> adminraven at tsl.state.tx.us using -f
> From: MIMEDefang <adminraven at tsl.state.tx.us>
> To: "Rachael Stewart" <rstewart at tsl.state.tx.us>
> Subject: Definitely Spam (Raven)
> X-Scanned-By: MIMEDefang 2.17 (www . roaringpenguin . com / mimedefang)
>
> An e-mail had 0 parts quarantined in the directory
> /var/spool/MIMEDefang/qdir-2002-08-19-15.13.54-001 on the mail server.
>
> The sender was '<ckly-return-135 at lists.mailthanks.com>'.
>
> The relay machine was s40.mailthanks.com (202.153.105.40).
>
> The entire message was quarantined in
> /var/spool/MIMEDefang/qdir-2002-08-19-15.13.54-001/ENTIRE_MESSAGE
>
> Recipient: <cburse at tsl.state.tx.us>
>
> ----------
> Here are the message headers:
> X-Info: To report abuse, contact abuse at mailthanks.com
> X-Mailthanks-Userid: ckly
> X-Mailthanks-ID: 1846017
> X-Mailthanks-Recipient: cburse at tsl.state.tx.us
> To: cburse at tsl.state.tx.us
> Date: Aug 20 2002 04:19:42
> X-Mailthanks-MsgID: ckly-135
> Subject: Your computer is soooooo SLOW!
> From: FreeSample Center <ckly at lists.mailthanks.com>
> MIME-Version: 1.0
> Content-Type: text/plain; charset="iso-8859-1"
>
> ----------
> Here are the warning details:
>
> Definitely Spam
> _______________________________________________
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
>
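The admin report quoted above already says where the copy went: "0 parts quarantined" because action_quarantine_entire_message() quarantines no individual part, and one raw copy in .../qdir-2002-08-19-15.13.54-001/ENTIRE_MESSAGE. What is missing from the thread is the other half of the original question, getting a false positive back to its recipient. The POSIX shell script below is an added example for this thread, not part of MIMEDefang and not either poster's code. It assumes (my assumption, not stated on the page) that each quarantine directory under /var/spool/MIMEDefang holds SENDER, RECIPIENTS (one <address> per line) and HEADERS, and that ENTIRE_MESSAGE is present only for whole-message quarantines; the sample spool it builds is constructed data, and /usr/sbin/sendmail and the postmaster@localhost fallback sender are placeholders to override.

```shell
#!/bin/sh
# release-quarantine.sh: list MIMEDefang quarantine directories and
# re-deliver one whole-message quarantine to its original envelope recipients.
# Added example for this thread; not part of MIMEDefang or the poster's filter.
# Assumed layout (assumption, not from the page): $QDIR/qdir-YYYY-MM-DD-HH.MM.SS-NNN
# holding SENDER, RECIPIENTS (one <address> per line), HEADERS and, only when
# action_quarantine_entire_message() ran, ENTIRE_MESSAGE (the raw copy we re-inject).

QDIR=${QDIR:-/var/spool/MIMEDefang}
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}
RELEASE_SENDER=${RELEASE_SENDER:-postmaster@localhost}   # placeholder; used when SENDER is empty (<>)
# Whitelist for anything that becomes a sendmail argument; first character may not be '-'.
ADDR_RE='^[A-Za-z0-9._%+=][A-Za-z0-9._%+=-]*@[A-Za-z0-9.-]+$'

# header_value FILE NAME: first value of header NAME in FILE (case-insensitive, unfolded lines only)
header_value() {
    awk -v name="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { h = $0; sub(/:.*/, "", h) }
        tolower(h) == name { sub(/^[^:]*:[ \t]*/, ""); print; exit }' "$1"
}

# list_quarantines: one tab-separated line per qdir: name, "entire" or "parts-only", sender, Subject
list_quarantines() {
    for d in "$QDIR"/qdir-*; do
        [ -d "$d" ] || continue
        if [ -f "$d/ENTIRE_MESSAGE" ]; then kind=entire; else kind=parts-only; fi
        printf '%s\t%s\t%s\t%s\n' "$(basename "$d")" "$kind" \
            "$(cat "$d/SENDER" 2>/dev/null)" "$(header_value "$d/HEADERS" Subject)"
    done
}

# release_quarantine NAME: re-inject $QDIR/NAME/ENTIRE_MESSAGE to the addresses in RECIPIENTS.
# Returns 1 for a parts-only quarantine, missing spool files, or an address outside ADDR_RE.
release_quarantine() {
    d="$QDIR/$1"
    if [ ! -f "$d/ENTIRE_MESSAGE" ]; then
        echo "$1: no ENTIRE_MESSAGE (parts-only quarantine, nothing to release)" >&2
        return 1
    fi
    [ -f "$d/SENDER" ] && [ -f "$d/RECIPIENTS" ] || { echo "$1: SENDER/RECIPIENTS missing" >&2; return 1; }
    # SENDER/RECIPIENTS come from the SMTP envelope, i.e. attacker-controlled input.
    # Strip <>, drop blank lines and whitelist before any of it reaches the command line:
    # an address starting with '-' would otherwise be parsed by sendmail as an option.
    sender=$(tr -d '<>' < "$d/SENDER")
    [ -n "$sender" ] || sender=$RELEASE_SENDER
    recips=$(tr -d '<>' < "$d/RECIPIENTS" | sed '/^[[:space:]]*$/d')
    if [ -z "$recips" ] || printf '%s\n%s\n' "$sender" "$recips" | grep -Evq "$ADDR_RE"; then
        echo "$1: refusing to release, empty or unsafe address in SENDER/RECIPIENTS" >&2
        return 1
    fi
    set -f   # no globbing while $recips is word-split into one argument per address
    # -i: a lone "." line must not end the message; -f: keep the original envelope
    # sender so a bounce goes back to them, not to the admin doing the release.
    # shellcheck disable=SC2086
    if "$SENDMAIL" -i -f "$sender" $recips < "$d/ENTIRE_MESSAGE"; then rc=0; else rc=$?; fi
    set +f
    return $rc
}

# make_sample_quarantine DIR: constructed sample spool (not real data) with one
# whole-message quarantine and one parts-only quarantine under DIR.
make_sample_quarantine() {
    e="$1/qdir-2002-08-19-15.13.54-001"; p="$1/qdir-2002-08-19-15.20.00-002"
    mkdir -p "$e" "$p"
    printf '<sender@example.org>\n' > "$e/SENDER"
    printf '<alice@example.com>\n<bob@example.com>\n' > "$e/RECIPIENTS"
    printf 'From: sender@example.org\nSubject: Your computer is SLOW!\n' > "$e/HEADERS"
    { cat "$e/HEADERS"; printf '\nfree sample inside\n'; } > "$e/ENTIRE_MESSAGE"
    printf '<other@example.org>\n' > "$p/SENDER"
    printf '<carol@example.com>\n' > "$p/RECIPIENTS"
    printf 'Subject: invoice\n' > "$p/HEADERS"   # no ENTIRE_MESSAGE: action_quarantine() on a part only
}

# Usage: release-quarantine.sh list | release qdir-NAME
case "${1-}" in
    list)    list_quarantines ;;
    release) release_quarantine "$2" ;;
esac
```

`list` shows at a glance which directories actually hold a whole copy; `release` refuses the parts-only ones instead of sending an empty message. One caveat to settle per site before using this for real: mail re-injected with sendmail on the filtering host normally goes back through the milter, so the released copy is rescored and may be quarantined again unless it is submitted by a path the milter does not cover or the filter is taught to recognise the releasing account.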