[Mimedefang] what am I doing wrong?

Douglas J Hunley doug at hunley.homeip.net
Tue Jun 18 21:18:20 EDT 2002


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm getting a significant amount of 'filter timed out' messages. my system 
load is fine, so it's my filter. ideas anyone?
- -- 
Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
Admin: Linux StepByStep - http://www.linux-sxs.org
	and http://jobs.linux-sxs.org

It's overkill, of course. But you can never have too much overkill.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9D9vdSrrWWknCnMIRAtNaAJ4lrXFVewmIUVcZs0mKCoWM3Tmt2ACfWhmk
WlFK3nipvBUKLrjZkUuRPL0=
=+Wzy
-----END PGP SIGNATURE-----
-------------- next part --------------
# -*- Perl -*-
#***********************************************************************
#
# mimedefang-filter
#
#***********************************************************************

#***********************************************************************
# Set administrator's e-mail address here.  The administrator receives
# quarantine messages and is listed as the contact for site-wide
# MIMEDefang policy.  A good example would be 'defang-admin at mydomain.com'
#***********************************************************************
$AdminAddress = 'defang-admin at linux-sxs.org';
$AdminName = "MIMEDefang Administrator";

#***********************************************************************
# Set the e-mail address from which MIMEDefang quarantine warnings and
# user notifications appear to come.  A good example would be
# 'mimedefang at mydomain.com'.  Make sure to have an alias for this
# address if you want replies to it to work.
#***********************************************************************
$DaemonAddress = 'mimedefang at linux-sxs.org';

#***********************************************************************
# If you set $AddWarningsInline to 1, then MIMEDefang tries *very* hard
# to add warnings directly in the message body (text or html) rather
# than adding a separate "WARNING.TXT" MIME part.  If the message
# has no text or html part, then a separate MIME part is still used.
#***********************************************************************
$AddWarningsInline = 1;

#***********************************************************************
# Set various stupid things your mail client does below.
#***********************************************************************

# Set the next one if your mail client cannot handle nested multipart
# messages.  DO NOT set this lightly; it will cause action_add_part to
# work rather strangely.  Leave it at zero, even for MS Outlook, unless
# you have serious problems.
$Stupidity{"flatten"} = 0;

# Set the next one if your mail client cannot handle multiple "inline"
# parts.
$Stupidity{"NoMultipleInlines"} = 0;


# This procedure returns true for entities with bad filenames.
sub filter_bad_filename ($) {
    my($entity) = @_;
    my($bad_exts, $re);

    # Bad extensions
    $bad_exts = '(ade|adp|bas|bat|chm|cmd|com|cpl|crt|dll|exe|hlp|hta|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|reg|scr|sct|shb|shs|sys|url|vb|vbe|vbs|vxd|wsc|wsf|wsh)';

    # Do not allow:
    # - curlies
    # - bad extensions (possibly with trailing dots) at end or
    #   followed by non-alphanum
    $re = '(\{)|(\})|(\.' . $bad_exts . ')\.*([^-A-Za-z0-9_.]|$)';
    return re_match($entity, $re);
}

# Scan for a virus using the first supported virus scanner we find.
sub message_contains_virus () {
    return message_contains_virus_avp()      if ($Features{'Virus:AVP'});
    return message_contains_virus_fprot()    if ($Features{'Virus:FPROT'});
    return message_contains_virus_fsav()     if ($Features{'Virus:FSAV'});
    return message_contains_virus_hbedv()    if ($Features{'Virus:HBEDV'});
    return message_contains_virus_nai()      if ($Features{'Virus:NAI'});
    return message_contains_virus_rav()      if ($Features{'Virus:RAV'});
    return message_contains_virus_sophie()   if ($Features{'Virus:SOPHIE'});
    return message_contains_virus_sophos()   if ($Features{'Virus:SOPHOS'});
    return message_contains_virus_trend()    if ($Features{'Virus:TREND'});
    return message_contains_virus_filescan() if ($Features{'Virus:FileScan'});
    return (wantarray ? (0, 'ok', 'ok') : 0);
}

# Scan for a virus using the first supported virus scanner we find.
sub entity_contains_virus ($) {
    my($e) = @_;
    return entity_contains_virus_avp($e)      if ($Features{'Virus:AVP'});
    return entity_contains_virus_fprot($e)    if ($Features{'Virus:FPROT'});
    return entity_contains_virus_fsav($e)     if ($Features{'Virus:FSAV'});
    return entity_contains_virus_hbedv($e)    if ($Features{'Virus:HBEDV'});
    return entity_contains_virus_nai($e)      if ($Features{'Virus:NAI'});
    return entity_contains_virus_rav($e)      if ($Features{'Virus:RAV'});
    return entity_contains_virus_sophie($e)   if ($Features{'Virus:SOPHIE'});
    return entity_contains_virus_sophos($e)   if ($Features{'Virus:SOPHOS'});
    return entity_contains_virus_trend($e)    if ($Features{'Virus:TREND'});
    return entity_contains_virus_filescan($e) if ($Features{'Virus:FileScan'});
    return (wantarray ? (0, 'ok', 'ok') : 0);
}

#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
#  None
# %RETURNS:
#  Nothing
# %DESCRIPTION:
#  Called just before e-mail parts are processed
#***********************************************************************
sub filter_begin () {
    # Scan for viruses if any virus-scanners are installed
    $VirusScannerMessages = "";
    my($code, $category, $action) = message_contains_virus();
    $VirusScannerMessages =~ s/^\/var.*\n//g;
    $VirusScannerMessages =~ s/^\s+//;
    if ($action eq "quarantine") {
	action_bounce("File::Scan detected a VIRUS in your email. Rejected.");
	my $message =
                 "             VIRUS ALERT\n\n" .
                 "Our virus scanner found a VIRUS in your email to " .
                 "@Recipients.\n\nWe advise you to check your computer for " .
                 "viruses. We recommend the\nlatest version of the " .
                 "following anti-virus software:\n\n" .
                 " AVG  http://www.grisoft.com/\n" .
                 " (it's free for home use)\n" .
                 "\n BE SURE TO UPDATE YOUR ANTI-VIRUS SOFTWARE WITH " .
                 "THE LATEST VIRUS DEFINITIONS ROUTINELY.\n\nOur virus " .
                 "scanner reported the following:\n\n$VirusScannerMessages\n";
	if (open(IN, "<HEADERS")) {
		$message .="\n-----Original Message Headers-----\n";
		while (<IN>) {
			$message .= $_;
		}
		close(IN);
	}
	action_notify_sender($message);
	action_notify_administrator("-----Original Message-----\n" .
                 "From: $DaemonName <$DaemonAddress>\n" .
                 "Sent: " . localtime() . "\n" .
                 "To: $Sender\n" .
                 "Subject: MIMEDefang Notification.\n\n" .
                 $message);
	add_recipient($Administrator);
    } else {
	action_change_header("X-Virus-Scanned", "$action");
    }

    # check for Spam if SpamAssassin is installed
    if ($Features{"SpamAssassin"}) {
	($hits, $req, $names, $report) = spam_assassin_check();
#	my($hits, $req, $names, $report) = spam_assassin_check();
	if ($hits >=10) {
		action_quarantine_entire_message();
		action_bounce("SpamAssassin says this email is SPAM. Rejected.");
	}
    }
}

#***********************************************************************
# %PROCEDURE: filter
# %ARGUMENTS:
#  entity -- a Mime::Entity object (see MIME-tools documentation for details)
#  fname -- the suggested filename, taken from the MIME Content-Disposition:
#           header.  If no filename was suggested, then fname is ""
#  ext -- the file extension (everything from the last period in the name
#         to the end of the name, including the period.)
#  type -- the MIME type, taken from the Content-Type: header.
#
#  NOTE: There are two likely and one unlikely place for a filename to
#  appear in a MIME message:  In Content-Disposition: filename, in
#  Content-Type: name, and in Content-Description.  If you are paranoid,
#  you will use the re_match and re_match_ext functions, which return true
#  if ANY of these possibilities match.  re_match checks the whole name;
#  re_match_ext checks the extension.  See the sample filter below for usage.
# %RETURNS:
#  Nothing
# %DESCRIPTION:
#  This function is called once for each part of a MIME message.
#  There are many action_*() routines which can decide the fate
#  of each part; see the mimedefang-filter man page.
#***********************************************************************
sub filter ($$$$) {
    my($entity, $fname, $ext, $type) = @_;

    return if message_rejected(); # Avoid unnecessary work


    if (filter_bad_filename($entity)) {
	return action_quarantine($entity, "An attachment named $fname was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
    }

    # eml is bad if it's not multipart
    if (re_match($entity, '\.eml')) {
	return action_quarantine($entity, "A non-multipart attachment named $fname was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
    }

    return action_accept();
}

#***********************************************************************
# %PROCEDURE: filter_multipart
# %ARGUMENTS:
#  entity -- a Mime::Entity object (see MIME-tools documentation for details)
#  fname -- the suggested filename, taken from the MIME Content-Disposition:
#           header.  If no filename was suggested, then fname is ""
#  ext -- the file extension (everything from the last period in the name
#         to the end of the name, including the period.)
#  type -- the MIME type, taken from the Content-Type: header.
# %RETURNS:
#  Nothing
# %DESCRIPTION:
#  This is called for multipart "container" parts such as message/rfc822.
#  You cannot replace the body (because multipart parts have no body),
#  but you should check for bad filenames.
#***********************************************************************
sub filter_multipart ($$$$) {
    my($entity, $fname, $ext, $type) = @_;

    if (filter_bad_filename($entity)) {
	action_notify_administrator("A MULTIPART attachment of type $type, named $fname was dropped.\n");
	return action_drop_with_warning("An attachment of type $type, named $fname was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
    }

    # eml is bad if it's not message/rfc822
    if (re_match($entity, '\.eml') and ($type ne "message/rfc822")) {
	return action_drop_with_warning("A non-message/rfc822 attachment named $fname was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
    }

    return action_accept();
}


#***********************************************************************
# %PROCEDURE: defang_warning
# %ARGUMENTS:
#  oldfname -- the old file name of an attachment
#  fname -- the new "defanged" name
# %RETURNS:
#  A warning message
# %DESCRIPTION:
#  This function customizes the warning message when an attachment
#  is defanged.
#***********************************************************************
sub defang_warning ($$) {
    my($oldfname, $fname) = @_;
    return
	"An attachment named '$oldfname' was converted to '$fname'.\n" .
	"To recover the file, right-click on the attachment and Save As\n" .
	"'$oldfname'\n";
}

sub filter_end ($) {
    my($entity) = @_;

    # No sense doing any extra work
    return if message_rejected();

    # marking mail with SpamAssassin info
    if ($hits >= $req) {
	action_change_header("X-Spam-Warning","SpamAssassin says this message is SPAM");
	action_change_header("X-Spam-Status","Yes, hits=$hits, required=$req");
	my $graph = '*' x ($hits > 50 ? 50 : int($hits));
	action_change_header("X-Spam-Level","$graph $hits $graph");
       $Boilerplate = $report;
    } else {
	action_change_header("X-Spam-Status","No, hits=$hits, required=$req");
    }
}

# DO NOT delete the next line, or Perl will complain.
1;



More information about the MIMEDefang mailing list