[Mimedefang] Replace Large Attachments with URL's
Kurt Kesler
atwork at keslers.net
Wed Jul 3 08:40:41 EDT 2002
Here it is.
Thanks,
Kurt
# -*- Perl -*-
#***********************************************************************
#
# mimedefang-filter
#
# Suggested minimum-protection filter for Microsoft Windows clients,
plus
# SpamAssassin checks if SpamAssassin is installed.
#
# Copyright (C) 2002 Roaring Penguin Software Inc.
#
# This program may be distributed under the terms of the GNU General
# Public License, Version 2, or (at your option) any later version.
#
# $Id: suggested-minimum-filter-for-windows-clients,v 1.34 2002/05/31
16:44:04 dfs Exp $
#***********************************************************************
#***********************************************************************
# Set administrator's e-mail address here. The administrator receives
# quarantine messages and is listed as the contact for site-wide
# MIMEDefang policy. A good example would be
'defang-admin at mydomain.com'
#***********************************************************************
$AdminAddress = 'defang-admin at keslers.net';
$AdminName = "MIMEDefang Administrator's Full Name";
#***********************************************************************
# Set the e-mail address from which MIMEDefang quarantine warnings and
# user notifications appear to come. A good example would be
# 'mimedefang at mydomain.com'. Make sure to have an alias for this
# address if you want replies to it to work.
#***********************************************************************
$DaemonAddress = 'mimedefang at keslers.net';
#***********************************************************************
# If you set $AddWarningsInline to 1, then MIMEDefang tries *very* hard
# to add warnings directly in the message body (text or html) rather
# than adding a separate "WARNING.TXT" MIME part. If the message
# has no text or html part, then a separate MIME part is still used.
#***********************************************************************
$AddWarningsInline = 0;
#***********************************************************************
# Set various stupid things your mail client does below.
#***********************************************************************
# Set the next one if your mail client cannot handle nested multipart
# messages. DO NOT set this lightly; it will cause action_add_part to
# work rather strangely. Leave it at zero, even for MS Outlook, unless
# you have serious problems.
$Stupidity{"flatten"} = 0;
# Set the next one if your mail client cannot handle multiple "inline"
# parts.
$Stupidity{"NoMultipleInlines"} = 0;
# This procedure returns true for entities with bad filenames.
sub filter_bad_filename {
my($entity) = @_;
my($bad_exts, $re);
# Bad extensions
$bad_exts =
'(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|vxd|wsc|wsf|wsh)';
# Do not allow:
# - curlies
# - bad extensions (possibly with trailing dots) at end or
# followed by non-alphanum
$re = '(\{)|(\})|(\.' . $bad_exts . ')\.*([^-A-Za-z0-9_.]|$)';
return re_match($entity, $re);
}
# sub test {
# my($bad_exts, $re);
# # Bad extensions
# $bad_exts =
'(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|vxd|wsc|wsf|wsh)';
# # Do not allow:
# # - curlies
# # - bad extensions (possibly with trailing dots) at end or
# # followed by non-alphanum
# $re = '(\{)|(\})|(\.' . $bad_exts . ')\.*([^-A-Za-z0-9_.]|$)';
# while(<>) {
# chomp;
# print;
# if ($_ =~ /$re/i) {
# print " MATCHES";
# }
# print("\n");
# }
# }
# test();
#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
# None
# %RETURNS:
# Nothing
# %DESCRIPTION:
# Called just before e-mail parts are processed
#***********************************************************************
sub filter_begin {
# ALWAYS drop messages with suspicious chars in headers or body
if ($SuspiciousCharsInHeaders || $SuspiciousCharsInBody) {
action_quarantine_entire_message();
if ($SuspiciousCharsInHeaders) {
action_notify_administrator("Message quarantined because of
suspicious characters in headers");
} else {
action_notify_administrator("Message quarantined because of
suspicious characters in body");
}
# Do NOT allow message to reach recipient(s)
return action_discard();
}
}
#***********************************************************************
# %PROCEDURE: filter
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for
details)
# fname -- the suggested filename, taken from the MIME
Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the
name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
#
# NOTE: There are two likely and one unlikely place for a filename to
# appear in a MIME message: In Content-Disposition: filename, in
# Content-Type: name, and in Content-Description. If you are paranoid,
# you will use the re_match and re_match_ext functions, which return
true
# if ANY of these possibilities match. re_match checks the whole name;
# re_match_ext checks the extension. See the sample filter below for
usage.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This function is called once for each part of a MIME message.
# There are many action_*() routines which can decide the fate
# of each part; see the mimedefang-filter man page.
#***********************************************************************
sub filter {
my($entity, $fname, $ext, $type) = @_;
if (filter_bad_filename($entity)) {
return action_quarantine($entity, "An attachment named $fname
was removed from this document as
it\nconstituted a security hazard. If you require this document, please
contact\nthe sender and arrange an
alternate means of receiving it.\n");
}
# eml is bad if it's not multipart
if (re_match($entity, '\.eml')) {
return action_quarantine($entity, "A non-multipart attachment
named $fname was removed from this
document as it\nconstituted a security hazard. If you require this
document, please contact\nthe sender
and arrange an alternate means of receiving it.\n");
}
# Clean up HTML if Anomy::HTMLCleaner is installed.
if ($Features{"HTMLCleaner"}) {
if ($type eq "text/html") {
return anomy_clean_html($entity);
}
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: filter_multipart
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for
details)
# fname -- the suggested filename, taken from the MIME
Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the
name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This is called for multipart "container" parts such as
message/rfc822.
# You cannot replace the body (because multipart parts have no body),
# but you should check for bad filenames.
#***********************************************************************
sub filter_multipart {
my($entity, $fname, $ext, $type) = @_;
if (filter_bad_filename($entity)) {
action_notify_administrator("A MULTIPART attachment of type
$type, named $fname was dropped.\n");
return action_drop_with_warning("An attachment of type $type,
named $fname was removed from this
document as it\nconstituted a security hazard. If you require this
document, please contact\nthe sender
and arrange an alternate means of receiving it.\n");
}
# eml is bad if it's not message/rfc822
if (re_match($entity, '\.eml') and ($type ne "message/rfc822")) {
return action_drop_with_warning("A non-message/rfc822 attachment
named $fname was removed from this
document as it\nconstituted a security hazard. If you require this
document, please contact\nthe sender
and arrange an alternate means of receiving it.\n");
}
return action_accept();
}
#Added section for dealing with large attachments
#**********************************************************************
$size = (stat($entity->bodyhandle->path))[7];
if ($size > 10000000) {
return action_replace_with_url($entity,
"/usr/local/www/data/",
"http://www.keslers.net/",
"The attachment $fname was larger than 10,000,000 bytes.\n" .
"It was removed, but may be accessed at this URL:\n\n" .
"\t_URL_\n");
}
#***********************************************************************
# %PROCEDURE: defang_warning
# %ARGUMENTS:
# oldfname -- the old file name of an attachment
# fname -- the new "defanged" name
# %RETURNS:
# A warning message
# %DESCRIPTION:
# This function customizes the warning message when an attachment
# is defanged.
#***********************************************************************
sub defang_warning {
my($oldfname, $fname) = @_;
return
"An attachment named '$oldfname' was converted to '$fname'.\n" .
"To recover the file, right-click on the attachment and Save
As\n" .
"'$oldfname'\n";
}
# If SpamAssassin found SPAM, append report. We do it as a separate
# attachment of type text/plain
sub filter_end {
my($entity) = @_;
# No sense doing any extra work
return if message_rejected();
# Spam checks if SpamAssassin is installed
if ($Features{"SpamAssassin"}) {
if (-s "./INPUTMSG" < 256*1024) {
# Only scan messages smaller than 256kB. Larger messages
# are extremely unlikely to be spam, and SpamAssassin is
# dreadfully slow on very large messages.
my($hits, $req, $names, $report) = spam_assassin_check();
if ($hits >= $req) {
my($score);
if ($hits < 40) {
$score = "*" x int($hits);
} else {
$score = "*" x 40;
}
# We add a header which looks like this:
# X-Spam-Score: 6.8 (******) NAME_OF_TEST,NAME_OF_TEST
# The number of asterisks in parens is the integer part
# of the spam score clamped to a maximum of 40.
# MUA filters can easily be written to trigger on a
# minimum number of asterisks...
action_add_part($entity, "text/plain", "-suggest",
"$report\n",
"SpamAssassinReport.txt", "inline");
action_change_header("X-Spam-Score", "$hits ($score)
$names");
action_quarantine_entire_message("$report\n");
# If you find the SA report useful, add it, I guess...
#action_add_part($entity, "text/plain", "-suggest",
# "$report\n",
# "SpamAssassinReport.txt", "inline");
# Do NOT allow message to reach recipient(s)
action_discard();
}
}
}
}
#-------------------------------------------------------------------
# Get rid of the hahaha at sexyfun.net to avoid bounces on <> address
#-------------------------------------------------------------------
if ($lc_fname eq 'joke.exe' || $lc_fname eq 'sexy virgin.scr' ||
$lc_fname eq 'midgets.scr' || $lc_fname eq 'dwarf4you.exe'){
return action_bounce("The attachment $lc_fname contains a virus:
[W32/Hybris.gen\@MM virus]");
}
# DO NOT delete the next line, or Perl will complain.
1;
"David F. Skoll" wrote:
>
> On Tue, 2 Jul 2002, Kurt Kesler wrote:
>
> > Here are the results from mimedefang.pl test:
> > su-2.05a# mimedefang.pl -f mimedefang-filter-with-sizelimit -test
>
> > Can't call method "bodyhandle" on an undefined value at
> > mimedefang-filter-with-sizelimit line 195.
>
> Well, I'd have to see your entire filter to figure this one out.
>
> Regards,
>
> David.
>
> _______________________________________________
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
More information about the MIMEDefang
mailing list