[Mimedefang] Drop mails with pif attachments

Whit Blauvelt whit at transpect.com
Thu Sep 4 13:12:01 EDT 2003


On Thu, Sep 04, 2003 at 05:47:31PM +0200, Martin Bene wrote:

> action_bounce rejects/bounces at the smtp level, i.e. the reception of the
> email is denied with an smtp error code.

The complication comes (I've learned) when mimedefang is run on the primary
MX, but there's also a secondary, spooling MX without it. In this case
action_bounce means that the primary domain won't accept from the spool, but
since the spooling system is no longer in negotiation with the originating
system, its only option is to eventually generate an e-mail to the From
address about the failure to deliver - this after having the garbage clog
space on the drive there for some time. This can be dealt with by bouncing
anything with bad attachments coming in from other addresses, but discarding
it if from the secondary MX spool. What I have is:

At top:

#***********************************************************************
# Secondary MX IP address
#***********************************************************************
$SecondaryMX = 'xx.xxx.xx.xxx';

And in place of the stock "if (filter_bad_filename($entity))" conditional:

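    if (filter_bad_filename($entity)) {
        if ($RelayAddr eq $SecondaryMX) {
            # Relayed by the secondary MX: drop silently so the spool
            # host does not generate a failure notice to the From address.
            md_syslog('info',"$MsgID: DISCARD: $Sender: $Subject: $fname");
            action_discard();
        } else {
            # Any other relay: refuse at the SMTP level.
            md_syslog('info',"$MsgID: REJECT: $Sender: $Subject");
            action_bounce("Attachment $fname - filetype not allowed here");
        }
    }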

Note this bounces or discards _anything_ with a suspect attachment. Others
may want to be more conservative and stick with pif's and scr's.

It does look like at least some variants of Sobig, faced with a bounce from
the primary MX, are smart enough to try the secondary. Any legitimate e-mail
which happens to have a bad attachment should still try the primary MX first
and return the bounce message to the sender (right?), so the only time
something would fall into a hole without notice is if the primary MX is
really unavailable, I think.

Whit
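
The bounce-or-discard decision described in the message above, as an added example that is not part of the original post and not MIMEDefang code. It goes beyond the post by allowing several secondary MX hosts and by using the conservative pif/scr-only list the post mentions; the disposition() function, the IP addresses and the filenames are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: stand-alone model of the bounce-vs-discard decision.
use strict;
use warnings;

# Constructed values (documentation address ranges), not from the post.
my %SECONDARY_MX = map { $_ => 1 } qw(192.0.2.25 198.51.100.25);

# Conservative list: pif and scr only. Trailing dots and spaces are
# tolerated because Windows strips them when the file is saved.
my $BAD_EXT = qr/\.(?:pif|scr)[.\s]*$/i;

# Hypothetical helper. Returns a verdict ('accept', 'discard' or 'bounce')
# followed by the offending filenames.
#   $relay - IP of the connecting host (what the filter sees as $RelayAddr)
#   @names - attachment filenames found in the message
sub disposition {
    my ($relay, @names) = @_;
    my @bad = grep { defined($_) && /$BAD_EXT/ } @names;
    return ('accept') unless @bad;
    # From the spool host an SMTP error would only make that host mail a
    # failure notice to the From address, so drop the message silently.
    return ('discard', @bad) if $SECONDARY_MX{$relay};
    # Direct connection: refuse during the SMTP dialogue.
    return ('bounce', @bad);
}

# Constructed sample messages: [ relay IP, attachment names... ]
my @samples = (
    ['203.0.113.7',   'report.doc'],
    ['203.0.113.7',   'your_details.pif'],
    ['192.0.2.25',    'your_details.pif'],
    ['198.51.100.25', 'photo.jpg.SCR. '],
    ['192.0.2.25',    'notes.txt', 'wicked_scr.zip'],
);
for my $s (@samples) {
    my ($relay, @names) = @$s;
    my ($verdict, @bad) = disposition($relay, @names);
    printf "%-15s %-8s %s\n", $relay, uc $verdict, join(', ', @bad) || '-';
}
```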


