[Mimedefang] Feature / SOP Request
Paul Whittney
pwhittney at net.bacconsulting.com
Thu Apr 29 14:45:49 EDT 2004
Already using it...
It works for me, but it's in no way optimized:
(Sorry, word wrapping may cause some issues...)
--- code ---
sub filter_bad_filename_paw ($) {
    my($entity) = @_;
    my($bad_exts, $re, $result, $quar, $qre, $quar_exts);
    # Extensions to quarantine (keep this on one line; a wrapping mailer breaks the string)
    $bad_exts = '(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})';
    # Extensions that are never legitimate mail: these get silently discarded
    $quar_exts = '(dll|pif|scr)';
    # Do not allow:
    # - CLSIDs {foobarbaz}
    # - bad extensions (possibly with trailing dots) at end
    $re = '\.' . $bad_exts . '\.*$';
    $qre = '\.' . $quar_exts . '\.*$';
    $result = re_match($entity, $re);
    $quar = re_match($entity, $qre);
    return ($result, $quar);
}
--- end code ---
Then, to use it, alter the filter_bad_filename references to:
--- code ---
# PAW Change, bad filenames, with Really bad filename checking
my($res, $quar) = filter_bad_filename_paw($entity);
if ($quar) {
    # Really bad extension: log, quarantine a copy for the admin, discard the mail
    md_graphdefang_log('bad_filename_paw', $fname, $type);
    action_quarantine($entity, "Message quarantined because of bad " .
                      "filename extension in part\n" .
                      " ** NOTE ** This email was silently discarded\n" .
                      "-emailAdmin\n");
    return action_discard();
}
if ($res) {
    # Bad extension: log and quarantine the part, leaving a note in its place
    md_graphdefang_log('bad_filename', $fname, $type);
    return action_quarantine($entity, "An attachment named $fname " .
                             "was removed from this document as it\n" .
                             "constituted a security hazard. If you require this " .
                             "document, please contact\n" .
                             "the sender and arrange an alternate means of receiving it.\n");
}
--- end code ---
Someone could do a better job, I admit... Also, a bounce might be a better
idea, but the Mail server would have to accept nearly all, if not all,
the email anyway... Depends if you like giving an error, or silent
discard.
In fact, I found that a bounce returned the whole email to me,
including the attachment, which caused the possible forged From:
address to get whatever was bad... Thoughts?
Note: The list of extensions might be different from what is in use.
I didn't add to CVS until after I did the function, so I don't know if I
changed it or not.
-Paul Whittney
On Wed, Apr 28, 2004 at 02:47:14PM -0400, Kevin A. McGrail wrote:
> Split the bad_exts into two lists: bad_exts and REALLY_bad_exts.
>
> Add things that are NEVER legitimate mail (like .scr and .pif) to
> really_bad_exts.
>
> Have this really_bad_exts checked during the virus routine so that those
> mails can be silently discarded. False positives are nil and the users are
> always confused.
>
> Then the bad_exts list can still contain .exe's etc. that might need to be
> quarantined.
>
> KAM
>
> _______________________________________________
> Visit http://www.mimedefang.org and http://www.canit.ca
> MIMEDefang mailing list
> MIMEDefang at lists.roaringpenguin.com
> http://lists.roaringpenguin.com/mailman/listinfo/mimedefang
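To see what the two-tier rule in Paul's filter actually does on attachment names, here is a standalone Python model of it. This is an added example, not MIMEDefang's code or Paul's: it reuses the post's two extension lists and the same `\.(ext)\.*$` regex shape, classifies a name as discard (really-bad list), quarantine (bad list) or ok in the order the post's filter applies its checks, and runs over a few constructed filenames covering the cases the regex was written for (trailing dots, upper-case extensions, a CLSID suffix) plus one it deliberately does not catch. Case-insensitive matching is an assumption modelled on MIMEDefang's re_match, which to my understanding matches the recommended filename case-insensitively; the sample names and the placeholder CLSID are constructed.

```python
import re

# Extension lists copied from the post's filter_bad_filename_paw.
BAD_EXTS = (
    r"(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|"
    r"inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|"
    r"sct|sh|shb|shs|sys|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|\{[^\}]+\})"
)
REALLY_BAD_EXTS = r"(dll|pif|scr)"

# Same shape as the post's $re / $qre: a dot, the extension, optional trailing
# dots, then end of name. re.IGNORECASE is an assumption modelled on MIMEDefang's
# re_match, which (as I understand it) matches case-insensitively.
BAD_RE = re.compile(r"\." + BAD_EXTS + r"\.*$", re.IGNORECASE)
REALLY_BAD_RE = re.compile(r"\." + REALLY_BAD_EXTS + r"\.*$", re.IGNORECASE)


def classify(filename):
    """Return 'discard', 'quarantine' or 'ok' for one attachment name.

    The really-bad check runs first, as in the post's filter, so a name on
    both lists (dll/pif/scr appear in both) is discarded rather than quarantined.
    """
    if REALLY_BAD_RE.search(filename):
        return "discard"
    if BAD_RE.search(filename):
        return "quarantine"
    return "ok"


def classify_all(names):
    """Map each name to its verdict; handy for checking a whole batch at once."""
    return {name: classify(name) for name in names}


# Constructed sample names (not from any real message).
SAMPLES = [
    "report.pdf",                                        # ok
    "setup.exe",                                         # quarantine
    "photo.scr",                                         # discard
    "Invoice.PIF",                                       # discard: case-insensitive
    "notes.exe.",                                        # quarantine: trailing dot
    "resume.doc.scr",                                    # discard: double extension
    "readme.txt.{00000000-0000-0000-0000-000000000000}", # quarantine: CLSID suffix
    "photo.exe.txt",                                     # ok: only the final extension is checked
    "archive.tar.gz",                                    # ok
]

if __name__ == "__main__":
    for name, verdict in classify_all(SAMPLES).items():
        print(f"{verdict:10s} {name}")
```

Because both patterns are anchored with `$`, only the last extension (after any trailing dots) is examined, so `photo.exe.txt` passes; that is the scope the post's regex chose, and the model keeps it. Note that this only models the filename test; the real filter also has the MIME part's declared type available, which the example does not look at.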