[Mimedefang] Skipping Mimedefang for several users
David F. Skoll
dfs at roaringpenguin.com
Thu Oct 31 20:53:00 EST 2002
On Thu, 31 Oct 2002, Philip Clever wrote:
> We have implemeted MIMEDefang system-wide. For 99.9% of our users this is
> great. However there are 4 of them right off the bat that insist their mail
> not be scanned at all. I suspect that as time goes on there will be more.
> However I cannot seem to make it work when trying to specify more than 1
> recipient. Has anyone done this sucessfully, and willing to share some
> code?
I wrote the code for a client. Here it is. It only runs the scanner
for addresses listed in /etc/mail/spamin. It should be a few minutes
work to modify it (for example) to run for everyone except people
in /etc/mail/spamout. That's left as an excercise for the reader. :-)
ONLY use this filter with Sendmail 8.12, and ONLY if you use the default
setup whereby locally-generated mail is queued in clientmqueue and sent
off via SMTP.
Regards,
David.
# -*- Perl -*-
#***********************************************************************
#
# mimedefang-filter
#
# Filter for ********************. Reads /etc/mail/spamin
# and only runs SpamAssassin for users in that file.
#
# Copyright (C) 2002 Roaring Penguin Software Inc.
#
# This program may be distributed under the terms of the GNU General
# Public License, Version 2, or (at your option) any later version.
#
#***********************************************************************
#***********************************************************************
# Set administrator's e-mail address here. The administrator receives
# quarantine messages and is listed as the contact for site-wide
# MIMEDefang policy. A good example would be 'defang-admin at mydomain.com'
#***********************************************************************
$AdminAddress = 'postmaster at localhost';
$AdminName = "MIMEDefang Administrator's Full Name";
# Set the spamdrop e-mail address
$SpamDrop = '<spamdrop at myaddr.com>';
# Next line is for Roaring Penguin testing only
#$SpamDrop = '<user9 at blacky.roaringpenguin.com>';
#***********************************************************************
# Set the e-mail address from which MIMEDefang quarantine warnings and
# user notifications appear to come. A good example would be
# 'mimedefang at mydomain.com'. Make sure to have an alias for this
# address if you want replies to it to work.
#***********************************************************************
$DaemonAddress = 'mimedefang at localhost';
#***********************************************************************
# If you set $AddWarningsInline to 1, then MIMEDefang tries *very* hard
# to add warnings directly in the message body (text or html) rather
# than adding a separate "WARNING.TXT" MIME part. If the message
# has no text or html part, then a separate MIME part is still used.
#***********************************************************************
$AddWarningsInline = 0;
#***********************************************************************
# Set various stupid things your mail client does below.
#***********************************************************************
# Set the next one if your mail client cannot handle nested multipart
# messages. DO NOT set this lightly; it will cause action_add_part to
# work rather strangely. Leave it at zero, even for MS Outlook, unless
# you have serious problems.
$Stupidity{"flatten"} = 0;
# Set the next one if your mail client cannot handle multiple "inline"
# parts.
$Stupidity{"NoMultipleInlines"} = 0;
# This procedure returns true for entities with bad filenames.
sub filter_bad_filename ($) {
my($entity) = @_;
my($bad_exts, $re);
# Bad extensions
$bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{)';
# Do not allow:
# - curlies
# - bad extensions (possibly with trailing dots) at end or
# followed by non-alphanum
$re = '\.' . $bad_exts . '\.*([^-A-Za-z0-9_.,]|$)';
return re_match($entity, $re);
}
# Scan for a virus using the first supported virus scanner we find.
sub message_contains_virus () {
return message_contains_virus_avp() if ($Features{'Virus:AVP'});
return message_contains_virus_fprot() if ($Features{'Virus:FPROT'});
return message_contains_virus_fsav() if ($Features{'Virus:FSAV'});
return message_contains_virus_hbedv() if ($Features{'Virus:HBEDV'});
return message_contains_virus_nai() if ($Features{'Virus:NAI'});
return message_contains_virus_nvcc() if ($Features{'Virus:NVCC'});
return message_contains_virus_rav() if ($Features{'Virus:RAV'});
return message_contains_virus_sophie() if ($Features{'Virus:SOPHIE'});
return message_contains_virus_sophos() if ($Features{'Virus:SOPHOS'});
return message_contains_virus_trend() if ($Features{'Virus:TREND'});
return message_contains_virus_filescan() if ($Features{'Virus:FileScan'});
return message_contains_virus_clamav() if ($Features{'Virus:CLAMAV'});
return (wantarray ? (0, 'ok', 'ok') : 0);
}
# Scan for a virus using the first supported virus scanner we find.
sub entity_contains_virus ($) {
my($e) = @_;
return entity_contains_virus_avp($e) if ($Features{'Virus:AVP'});
return entity_contains_virus_fprot($e) if ($Features{'Virus:FPROT'});
return entity_contains_virus_fsav($e) if ($Features{'Virus:FSAV'});
return entity_contains_virus_hbedv($e) if ($Features{'Virus:HBEDV'});
return entity_contains_virus_nai($e) if ($Features{'Virus:NAI'});
return entity_contains_virus_nvcc($e) if ($Features{'Virus:NVCC'});
return entity_contains_virus_rav($e) if ($Features{'Virus:RAV'});
return entity_contains_virus_sophie($e) if ($Features{'Virus:SOPHIE'});
return entity_contains_virus_sophos($e) if ($Features{'Virus:SOPHOS'});
return entity_contains_virus_trend($e) if ($Features{'Virus:TREND'});
return entity_contains_virus_filescan($e) if ($Features{'Virus:FileScan'});
return entity_contains_virus_clamav($e) if ($Features{'Virus:CLAMAV'});
return (wantarray ? (0, 'ok', 'ok') : 0);
}
# Read /etc/mail/spamin unless it's already been read
sub read_spam_list () {
my($addr);
# Do nothing if already in memory
return if defined($SV_ReadSpamList);
# Read the file
unless(open(IN, "</etc/mail/spamin")) {
syslog('err', "Unable to read /etc/mail/spamin: $!");
return;
}
undef %SV_SpamAddresses;
while(<IN>) {
chomp;
# Trim leading/trailing whitespace
s/^\s*//;
s/\s*$//;
# Ignore blank lines and lines beginning with "#"
next if (/^\#/);
next if (/^$/);
# Make lower-case; remove angle-brackets
$addr = lc($_);
$addr =~ tr/<>//d;
$SV_SpamAddresses{$addr} = 1;
}
close(IN);
}
# Stream message if required. If some recipients are on spam
# list and others are not, re-mail two copies: One to the spam list
# and the other to those not on the spam list.
sub stream_by_spam_list () {
my(@on_list, @off_list, $recip);
foreach $recip (@Recipients) {
if (should_check_for_spam($recip)) {
push(@on_list, $recip);
} else {
push(@off_list, $recip);
}
}
if ($#on_list >= 0 && $#off_list >= 0) {
# Some on, some off -- remail
resend_message(@on_list);
resend_message(@off_list);
$TerminateAndDiscard = 1;
return 1;
}
return 0;
}
# Return true if we should scan for spam, false otherwise
sub should_check_for_spam ($) {
my($recip) = @_;
$recip = lc($recip);
$recip =~ tr/<>//d;
return 1 if (defined($SV_SpamAddresses{$recip}));
return 0;
}
#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
# None
# %RETURNS:
# Nothing
# %DESCRIPTION:
# Called just before e-mail parts are processed
#***********************************************************************
sub filter_begin () {
# Load /etc/mail/spamin
read_spam_list();
if (stream_by_spam_list()) {
return;
}
# Scan for viruses if any virus-scanners are installed
my($code, $category, $action) = message_contains_virus();
$FoundVirus = ($category eq "virus");
}
#***********************************************************************
# %PROCEDURE: filter
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
#
# NOTE: There are two likely and one unlikely place for a filename to
# appear in a MIME message: In Content-Disposition: filename, in
# Content-Type: name, and in Content-Description. If you are paranoid,
# you will use the re_match and re_match_ext functions, which return true
# if ANY of these possibilities match. re_match checks the whole name;
# re_match_ext checks the extension. See the sample filter below for usage.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This function is called once for each part of a MIME message.
# There are many action_*() routines which can decide the fate
# of each part; see the mimedefang-filter man page.
#***********************************************************************
sub filter ($$$$) {
my($entity, $fname, $ext, $type) = @_;
return if message_rejected(); # Avoid unnecessary work
# Block message/partial parts
if (lc($type) eq "message/partial") {
action_quarantine_entire_message("Message quarantined because of message/partial type");
return action_discard();
}
# Virus scan
if ($FoundVirus) {
my($code, $category, $action);
$VirusScannerMessages = "";
($code, $category, $action) = entity_contains_virus($entity);
if ($category eq "virus") {
return action_quarantine($entity, "A known virus was discovered and deleted. Virus-scanner messages follow:\n$VirusScannerMessages\n\n");
}
}
if (filter_bad_filename($entity)) {
return action_quarantine($entity, "An attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
}
# eml is bad if it's not multipart
if (re_match($entity, '\.eml')) {
return action_quarantine($entity, "A non-multipart attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
}
# Clean up HTML -- DISABLED
#if ($Features{"HTMLCleaner"}) {
#if ($type eq "text/html") {
#return anomy_clean_html($entity);
#}
#}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: filter_multipart
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools documentation for details)
# fname -- the suggested filename, taken from the MIME Content-Disposition:
# header. If no filename was suggested, then fname is ""
# ext -- the file extension (everything from the last period in the name
# to the end of the name, including the period.)
# type -- the MIME type, taken from the Content-Type: header.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This is called for multipart "container" parts such as message/rfc822.
# You cannot replace the body (because multipart parts have no body),
# but you should check for bad filenames.
#***********************************************************************
sub filter_multipart ($$$$) {
my($entity, $fname, $ext, $type) = @_;
if (filter_bad_filename($entity)) {
action_notify_administrator("A MULTIPART attachment of type $type, named $fname was dropped.\n");
return action_drop_with_warning("An attachment of type $type, named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
}
# eml is bad if it's not message/rfc822
if (re_match($entity, '\.eml') and ($type ne "message/rfc822")) {
return action_drop_with_warning("A non-message/rfc822 attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
}
# Block message/partial parts
if (lc($type) eq "message/partial") {
action_quarantine_entire_message("Message quarantined because of message/partial type");
return action_discard();
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: defang_warning
# %ARGUMENTS:
# oldfname -- the old file name of an attachment
# fname -- the new "defanged" name
# %RETURNS:
# A warning message
# %DESCRIPTION:
# This function customizes the warning message when an attachment
# is defanged.
#***********************************************************************
sub defang_warning ($$) {
my($oldfname, $fname) = @_;
return
"An attachment named '$oldfname' was converted to '$fname'.\n" .
"To recover the file, right-click on the attachment and Save As\n" .
"'$oldfname'\n";
}
# If SpamAssassin found SPAM, append report. We do it as a separate
# attachment of type text/plain
sub filter_end ($) {
my($entity) = @_;
# No sense doing any extra work
return if message_rejected();
# Spam checks if SpamAssassin is installed
if ($Features{"SpamAssassin"} && should_check_for_spam($Recipients[0])) {
if (-s "./INPUTMSG" < 100*1024) {
# Only scan messages smaller than 100kB. Larger messages
# are extremely unlikely to be spam, and SpamAssassin is
# dreadfully slow on very large messages.
my($hits, $req, $names, $report) = spam_assassin_check();
if ($hits >= $req) {
my($score, $orig_recips, $recip);
if ($hits < 40) {
$score = "*" x int($hits);
} else {
$score = "*" x 40;
}
# We add a header which looks like this:
# X-Spam-Score: 6.8 (******) NAME_OF_TEST,NAME_OF_TEST
# The number of asterisks in parens is the integer part
# of the spam score clamped to a maximum of 40.
# MUA filters can easily be written to trigger on a
# minimum number of asterisks...
action_change_header("X-Spam-Score", "$hits ($score) $names");
# Add header showing original recipients
$orig_recips = join(", ", @Recipients);
action_change_header("X-Original-Recipients", $orig_recips);
# Delete original recipients; add spamdrop recipient
foreach $recip (@Recipients) {
delete_recipient($recip);
}
add_recipient($SpamDrop);
}
}
}
}
# DO NOT delete the next line, or Perl will complain.
1;
More information about the MIMEDefang
mailing list