[Mimedefang] Request for suggestions: releasing quarantined messages

[David F. Skoll]

On Fri, 03 May 2002 10:30:46 -0600 "Ashley M. Kirchner"
<ashley at pcraft.com> wrote:

> So, I need of a way where the recipient would get the quarantine
> message (easy to do), and some solution for them to trigger that
> message to come through should they want it.  Now, David said
> authorizing messages through email (via an X-Header flag) is a bad
> idea because mail can be easily spoofed.  I agree with this.  So what
> other solutions are there, short from coding some type of (web?)
> interface that would allow said recipient to discard/authorize or
> whatever?

My thoughts:  When you quarantine the entire message, create a file
in the quarantine directory called HASH which contains the SHA1 hash
of the message and some secret (no error checking in example below:)

if ($condition) {
    action_quarantine_entire_message();
    my($ctx, $chunk, $hash);
    $ctx = Digest::SHA1->new;
    $ctx->add("MyVerificationSecret");
    open(IN, "<INPUTMSG");
    read IN, $chunk, 16384;
    $ctx->add($chunk);
    close(IN);
    open(OUT, ">$QuarantineSubdir/HASH");
    $hash = $ctx->hexdigest;
    print OUT "$hash\n";
    close(OUT);
    # Send a message to recipient(s) that they can release
    # $QuarantineSubdir if they supply $hash
}

The "hash" file contains a hash which people cannot guess unless they
(1) know your verification secret and the first 16KB of the message, or
(2) can break SHA1. :-)  (You need the verification secret; otherwise,
the sender of the message could release it...)

Then have a little Perl script which listens for "release" requests.
The request looks something like this:

Subject: RELEASE /var/spool/MIMEDefang/qdir-xxx ab7b345ba7b7b...

where "/var/.../qdir-xxx" is the quarantine directory, and "ab7b345ba7b7b..."
is the hash.  If the hash matches, release the message.

It's a few hours of Perl scripting.

Regards,

David.