[Mimedefang] Feature / SOP Request

Paul Whittney pwhittney at net.bacconsulting.com
Thu Apr 29 14:45:49 EDT 2004


Already using it...

It works for me, but it's in no way optimized:

(Sorry, word wrapping may cause some issues...)

--- code ---

sub filter_bad_filename_paw ($) {
	my($entity) = @_;
	my($bad_exts, $re, $result, $quar, $qre, $quar_exts);

	# Extensions that get quarantined (the regular "bad" list); split across
	# lines with string concatenation so mail word-wrapping cannot break it
	$bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|'
	          . 'hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|'
	          . 'pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|vb|vbe|vbs|vcs|vxd|wmd|wms|'
	          . 'wmz|wsc|wsf|wsh|\{[^\}]+\})';
	# Subset that is never legitimate mail: quarantined, then silently discarded
	$quar_exts = '(dll|pif|scr)';

	# Do not allow:
	# - CLSIDs  {foobarbaz}
	# - bad extensions (possibly with trailing dots) at end
	$re = '\.' . $bad_exts . '\.*$';
	$qre = '\.' . $quar_exts . '\.*$';
	# re_match is the MIMEDefang builtin that tests the part's filename
	$result = re_match($entity, $re);
	$quar = re_match($entity, $qre);
	return ($result, $quar);
}

--- end code ---

Then, to use it, alter the filter_bad_filename references to:

--- code ---
	# PAW Change, bad filenames, with Really bad filename checking
	($res,$quar) = filter_bad_filename_paw($entity);
	if ($quar) {
		md_graphdefang_log('bad_filename_paw', $fname, $type);
		action_quarantine($entity, "Message quarantined because of bad " .
			"filename extension in part\n" .
			" ** NOTE ** This email was silently discarded\n" .
			"-emailAdmin\n");
		return action_discard();
	}
	if ($res) {
		md_graphdefang_log('bad_filename', $fname, $type);
		return action_quarantine($entity, "An attachment named $fname " .
			"was removed from this document as it\n" .
			"constituted a security hazard.  If you require this " .
			"document, please contact\n" .
			"the sender and arrange an alternate means of receiving it.\n");
	}
--- end code ---

Someone could do a better job, I admit... Also, a bounce might be a better
idea, but the Mail server would have to accept nearly all, if not all,
the email anyway... Depends if you like giving an error, or silent
discard.

In fact, I found that a bounce returned the whole email to me,
including the attachment, which caused the possible forged From:
address to get whatever was bad... Thoughts?

Note: The list of extensions might be different from what is in use...
I didn't add to CVS until after I did the function, so I don't know if I
changed it or not.

-Paul Whittney

On Wed, Apr 28, 2004 at 02:47:14PM -0400, Kevin A. McGrail wrote:
> Split the bad_exts into two lists: bad_exts and REALLY_bad_exts.
> 
> Add things that are NEVER legitimate mail (like .scr and .pif) to
> really_bad_exts.
> 
> Have this really_bad_exts checked during the virus routine so that those
> mails can be silently discarded.  False positives are nil and the users are
> always confused.
> 
> Then the bad_exts list can still contain .exe's etc. that might need to be
> quarantined.
> 
> KAM
> 
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
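Paul's two-tier check, rerun outside MIMEDefang as an added example (not code from the post or the project): a stand-alone Perl script with a local stand-in for re_match that classifies constructed filenames as accept, quarantine or discard, so the extension lists can be checked before they go into the filter. It assumes re_match is case-insensitive and that only the filename is inspected.

```perl
#!/usr/bin/perl
# Added stand-alone harness (not from the post or MIMEDefang) for the
# two-tier extension policy above.  classify() stands in for the
# filter's re_match() calls and assumes, as the filter does, that matching
# is case-insensitive (hence /i) and that only the filename is inspected.
use strict;
use warnings;
# Same lists as the posted filter; the quarantine list is the subset that
# is never legitimate mail and gets silently discarded.
my $bad_exts  = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|'
              . 'hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|'
              . 'pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|vb|vbe|vbs|vcs|vxd|wmd|wms|'
              . 'wmz|wsc|wsf|wsh|\{[^\}]+\})';
my $quar_exts = '(dll|pif|scr)';
# Anchored at the end and tolerant of trailing dots, so "report.pdf.scr."
# is caught while "scr.txt" is not.
my $bad_re  = qr/\.$bad_exts\.*$/i;
my $quar_re = qr/\.$quar_exts\.*$/i;
# What the filter would do with a part carrying this filename.
sub classify {
    my ($fname) = @_;
    return 'discard'    if $fname =~ $quar_re;   # subset first, as in the filter
    return 'quarantine' if $fname =~ $bad_re;
    return 'accept';
}

# Constructed filenames exercising the edge cases the regex is meant to cover
# (the CLSID is a made-up placeholder, not a real class id).
my %expected = (
    'invoice.pdf'       => 'accept',
    'archive.tar.gz'    => 'accept',
    'screensaver.txt'   => 'accept',      # "scr" only counts at the end
    'setup.exe'         => 'quarantine',
    'setup.EXE.'        => 'quarantine',  # upper case plus trailing dot
    'notes.js'          => 'quarantine',  # jse? covers .js and .jse
    'report.pdf.scr'    => 'discard',     # double extension
    'photo.jpg.pif'     => 'discard',
    'readme.txt.{00000000-1111-2222-3333-444455556666}' => 'quarantine',
);

my $failed = 0;
for my $fname (sort keys %expected) {
    my $got = classify($fname);
    my $ok  = $got eq $expected{$fname};
    printf "%-52s %-10s %s\n", $fname, $got,
        $ok ? 'ok' : "MISMATCH, expected $expected{$fname}";
    $failed++ unless $ok;
}
exit($failed ? 1 : 0);
```

Run it after editing either list; a non-zero exit means a filename no longer lands in the tier you expected.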
