[Mimedefang] opinions on this filter?
Douglas J Hunley
doug at hunley.homeip.net
Mon May 13 13:35:33 EDT 2002
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Just wondering if the gurus on this list could look over my proposed
mimedefang-filter and make any comments/suggestions on things to do
differently for better performance or if I've done something wrong, or
whatever. thanks!
- --
Douglas J Hunley (doug at hunley.homeip.net) - Linux User #174778
Admin: Linux StepByStep - http://www.linux-sxs.org
and http://jobs.linux-sxs.org
USER, n.:
The word computer professionals use when they mean "idiot".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE83/llSrrWWknCnMIRArCYAJ9+/8tXTxaYT3ALKZ4AVK+6+Obg+gCgmLV6
Nc+e6+x9/Ntd9dgbD00lgCs=
=T3BN
-----END PGP SIGNATURE-----
-------------- next part --------------
# -*- Perl -*-
#***********************************************************************
#
# mimedefang-filter
#
#***********************************************************************
#***********************************************************************
# Set administrator's e-mail address here. The administrator receives
# quarantine messages and is listed as the contact for site-wide
# MIMEDefang policy. A good example would be 'defang-admin at mydomain.com'
#***********************************************************************
$AdminAddress = 'defang-admin at linux-sxs.org';
$AdminName = "MIMEDefang Administrator";
#***********************************************************************
# Set the e-mail address from which MIMEDefang quarantine warnings and
# user notifications appear to come. A good example would be
# 'mimedefang at mydomain.com'. Make sure to have an alias for this
# address if you want replies to it to work.
#***********************************************************************
$DaemonAddress = 'mimedefang at linux-sxs.org';
#***********************************************************************
# Set various stupid things your mail client does below.
#***********************************************************************
# Set the next one if your mail client cannot handle nested multipart
# messages
$Stupidity{"flatten"} = 0;
# Set the next one if your mail client cannot handle multiple "inline"
# parts (*cough* Exchange *cough* Outlook)
$Stupidity{"NoMultipleInlines"} = 0;
# This procedure returns true for entities with bad filenames.
sub filter_bad_filename {
my($entity) = @_;
return re_match($entity, '\.(bat|chm|cmd|com|cpl|dll|exe|hlp|hta|ini|js|lib|lnk|msi|msp|ocx|pif|reg|reg|scr|sct|shb|shs|sys|vbe|vbs?|vxd|wsf|wsh)');
}
#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
# None
# %RETURNS:
# Nothing
# %DESCRIPTION:
# Called just before e-mail parts are processed
#***********************************************************************
sub filter_begin {
$Boilerplate = "";
# Spam checks if SpamAssassin is installed
if ($Features{"SpamAssassin"}) {
if (-s "./INPUTMSG" < 256*1024) {
# Only scan messages smaller than 256kB. Larger messages
# are extremely unlikely to be spam, and SpamAssassin is
# dreadfully slow on very large messages.
my($hits, $req, $names, $report) = spam_assassin_check();
if ($hits >= 15) {
action_quarantine_entire_message();
action_bounce("SpamAssassin says this email is SPAM. Rejected.");
}
if ($hits >= $req) {
action_change_header("X-Spam-Warning","SpamAssassin says this message is SPAM");
action_change_header("X-Spam-Status","Yes, hits=$hits, required=$req");
my $graph = '*' x ($hits > 50 ? 50 : int($hits));
action_change_header("X-Spam-Level","$graph $hits $graph");
$Boilerplate = $report;
}
}
}
}
#***********************************************************************
# %PROCEDURE: filter
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
#
# NOTE: There are two likely and one unlikely place for a filename to
# appear in a MIME message: In Content-Disposition: filename, in
# Content-Type: name, and in Content-Description. If you are paranoid,
# you will use the re_match and re_match_ext functions, which return true
# if ANY of these possibilities match. re_match checks the whole name;
# re_match_ext checks the extension. See the sample filter below for usage.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This function is called once for each part of a MIME message.
# There are many action_*() routines which can decide the fate
# of each part; see the mimedefang-filter man page.
#***********************************************************************
sub filter {
my($entity, $fname, $ext, $type) = @_;
# scan for virus
if ($Features{"File::Scan"}) {
my($code, $category, $action) = entity_contains_virus_filescan($entity);
action_change_header("X-Virus-Scanned", $fname ? "$fname: $action" "$message: $action");
$VirusScannerMessages =~ s/^/var.*\n//g;
$VirusScannerMessages =~ s/^\s+//;
if ($action eq "quarantine") {
my $message =
" VIRUS ALERT\n\n" .
"Our virus scanner found a VIRUS in your email to " .
"@Recipients.\n\nWe advise you to check your computer for " .
"viruses. We recommend the\nlatest version of the " .
"following anti-virus software:\n\n" .
" AVG http://www.grisoft.com/\n" .
" (it's free for home use)\n" .
"\n BE SURE TO UPDATE YOUR ANTI-VIRUS SOFTWARE WITH " .
"THE LATEST VIRUS DEFINITIONS ROUTINELY.\n\nOur virus " .
"scanner reported the following:\n\n$VirusScannerMessages\n";
if (open(IN, "<HEADERS")) {
$message .="\n-----Original Message Headers-----\n";
while (<IN>) {
$message .= $_;
}
close(IN);
}
if ($Sender ne '<>') {
action_notify_sender($message);
}
action_notify_administrator("-----Original Message-----\n" .
"From: $DaemonName <$DaemonAddress>\n" .
"Sent: " . localtime() . "\n" .
"To: $Sender\n" .
"Subject: MIMEDefang Notification.\n\n" .
$message);
add_recipient($Administrator);
return action_quarantine($entity, " VIRUS" .
" ALERT\n\nOur virus scanner found a VIRUS in this " .
"email from $Sender.\nAn attachment named \'$fname\' " .
"was removed from this email because it\ncontained " .
"a virus. The virus scanner reported the following:\n\n" .
"$VirusScannerMessages\n");
}
}
# check for 'bad' files as attachments
if (filter_bad_filename($entity)) {
return action_replace_with_url($entity,
"/opt/apache/htdocs/defanged",
"http://hunley.homeip.net/defanged",
"An attachment named \'$fname\' was removed from this message " .
"as it\nconstituted a posible security hazard. If you require " .
"this attachment, please visit:\n\n\t_URL_\n");
}
# eml is bad if it's not multipart
if (re_match($entity, '\.eml')) {
return action_replace_with_url($entity,
"/opt/apache/htdocs/defanged",
"http://hunley.homeip.net/defanged",
"An attachment named \'$fname\' was not attached as multi-part " .
"and thus\npresented a possible security hazard and was removed. " .
"\nIf you require this attachment, please visit:\n\n\t_URL_\n");
}
# Clean up HTML if Anomy::HTMLCleaner is installed.
if ($Features{"HTMLCleaner"}) {
if ($type eq "text/html") {
return anomy_clean_html($entity);
}
}
# store attachments bigger than 2Mb on the web server
# since they are "safe" at this point and since files
# really shouldn't be sent through email anyway
$size = (stat($entity->bodyhandle->path))[7];
if ($size > 2048000) {
action_replace_with_url($entity,
"/opt/apache/htdocs/defanged",
"http://hunley.homeip.net/defanged",
"An attachment named \'$fname\' was larger than 2Mb and thus " .
"was removed\n from this message. It may be retrieved by " .
"visiting:\n\n\t_URL_\n");
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: filter_multipart
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This is called for multipart "container" parts such as message/rfc822.
# You cannot replace the body (because multipart parts have no body),
# but you should check for bad filenames.
#***********************************************************************
sub filter_multipart {
my($entity, $fname, $ext, $type) = @_;
if (filter_bad_filename($entity)) {
action_notify_administrator("A MULTIPART attachment of type $type, named $fname was dropped.\n");
return action_drop_with_warning("An attachment of type $type, named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
}
# eml is bad if it's not message/rfc822
if (re_match($entity, '\.eml') and ($type ne "message/rfc822")) {
return action_drop_with_warning("A non-message/rfc822 attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: defang_warning
# %ARGUMENTS:
# oldfname -- the old file name of an attachment
# fname -- the new "defanged" name
# %RETURNS:
# A warning message
# %DESCRIPTION:
# This function customizes the warning message when an attachment
# is defanged.
#***********************************************************************
sub defang_warning {
my($oldfname, $fname) = @_;
return
"An attachment named '$oldfname' was converted to '$fname'.\n" .
"To recover the file, right-click on the attachment and Save As\n" .
"'$oldfname'\n";
}
# If SpamAssassin found SPAM, append report. We do it as a separate
# attachment of type text/plain
sub filter_end {
my($entity) = @_;
# No sense doing any extra work
return if message_rejected();
if ($Boilerplate ne "") {
action_add_part($entity, "text/plain", "-suggest", "Boilerplate\n",
"SpamAssassinReport.txt", "inline");
}
}
# DO NOT delete the next line, or Perl will complain.
1;
More information about the MIMEDefang
mailing list