[Mimedefang] Filtering attachment
David Va
david_lovesit at yahoo.com
Wed Mar 3 05:10:55 EST 2004
Please help me. I don't know if mimedefang can filter
attachement ext like .exe or .pif.
Please see my mimedefang-filter: (sorry for a long
one)
# The next lines force SpamAssassin modules to be
loaded and rules
# to be compiled immediately. This may improve
performance on busy
# mail servers. Comment the lines out if you don't
like them.
if ($Features{"SpamAssassin"}) {
spam_assassin_init()->compile_now(1) if
defined(spam_assassin_init());
# If you want to use auto-whitelisting:
# if (defined($SASpamTester)) {
# use Mail::SpamAssassin::DBBasedAddrList;
# my $awl =
Mail::SpamAssassin::DBBasedAddrList->new();
#
$SASpamTester->set_persistent_address_list_factory($awl)
if defined($awl);
# }
}
# This procedure returns true for entities with bad
filenames.
sub filter_bad_filename ($) {
my($entity) = @_;
my($bad_exts, $re);
# Bad extensions
$bad_exts =
'(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|zip|\{[^\}]+\})';
# Do not allow:
# - CLSIDs {foobarbaz}
# - bad extensions (possibly with trailing dots)
at end or
# followed by non-alphanum
$re = '\.' . $bad_exts . '\.*([^-A-Aa-z0-9_.,])$';
return re_match($entity, $re);
}
# Scan for a virus using the first supported virus
scanner we find.
sub message_contains_virus () {
return message_contains_virus_avp() if
($Features{'Virus:AVP'});
return message_contains_virus_fprot() if
($Features{'Virus:FPROT'});
return message_contains_virus_fsav() if
($Features{'Virus:FSAV'});
return message_contains_virus_hbedv() if
($Features{'Virus:HBEDV'});
return message_contains_virus_nai() if
($Features{'Virus:NAI'});
return message_contains_virus_bdc() if
($Features{'Virus:BDC'});
return message_contains_virus_nvcc() if
($Features{'Virus:NVCC'});
return message_contains_virus_rav() if
($Features{'Virus:RAV'});
return message_contains_virus_sophie() if
($Features{'Virus:SOPHIE'});
return message_contains_virus_trophie() if
($Features{'Virus:TROPHIE'});
return message_contains_virus_sophos() if
($Features{'Virus:SOPHOS'});
return message_contains_virus_trend() if
($Features{'Virus:TREND'});
return message_contains_virus_filescan() if
($Features{'Virus:FileScan'});
return message_contains_virus_clamd() if
($Features{'Virus:CLAMD'});
return message_contains_virus_clamav() if
($Features{'Virus:CLAMAV'});
return message_contains_virus_carrier_scan() if
($Features{'Virus:SymantecCSS'});
return (wantarray ? (0, 'ok', 'ok') : 0);
}
# Scan for a virus using the first supported virus
scanner we find.
sub entity_contains_virus ($) {
my($e) = @_;
return entity_contains_virus_avp($e) if
($Features{'Virus:AVP'});
return entity_contains_virus_fprot($e) if
($Features{'Virus:FPROT'});
return entity_contains_virus_fsav($e) if
($Features{'Virus:FSAV'});
return entity_contains_virus_hbedv($e) if
($Features{'Virus:HBEDV'});
return entity_contains_virus_nai($e) if
($Features{'Virus:NAI'});
return entity_contains_virus_bdc($e) if
($Features{'Virus:BDC'});
return entity_contains_virus_nvcc($e) if
($Features{'Virus:NVCC'});
return entity_contains_virus_rav($e) if
($Features{'Virus:RAV'});
return entity_contains_virus_sophie($e) if
($Features{'Virus:SOPHIE'});
return entity_contains_virus_trophie($e) if
($Features{'Virus:TROPHIE'});
return entity_contains_virus_sophos($e) if
($Features{'Virus:SOPHOS'});
return entity_contains_virus_trend($e) if
($Features{'Virus:TREND'});
return entity_contains_virus_filescan($e) if
($Features{'Virus:FileScan'});
return entity_contains_virus_clamd($e) if
($Features{'Virus:CLAMD'});
return entity_contains_virus_clamav($e) if
($Features{'Virus:CLAMAV'});
return entity_contains_virus_carrier_scan($e) if
($Features{'Virus:SymantecCSS'});
return (wantarray ? (0, 'ok', 'ok') : 0);
}
#***********************************************************************
# %PROCEDURE: filter_begin
# %ARGUMENTS:
# None
# %RETURNS:
# Nothing
# %DESCRIPTION:
# Called just before e-mail parts are processed
#***********************************************************************
sub filter_begin () {
# ALWAYS drop messages with suspicious chars in
headers
if ($SuspiciousCharsInHeaders) {
md_graphdefang_log('suspicious_chars');
action_quarantine_entire_message("Message quarantined
because of suspicious characters in headers");
# Do NOT allow message to reach recipient(s)
return action_discard();
}
# Scan for viruses if any virus-scanners are
installed
my($code, $category, $action) =
message_contains_virus();
# Lower level of paranoia - only looks for actual
viruses
$FoundVirus = ($category eq "virus");
# Higher level of paranoia - takes care of
"suspicious" objects
# $FoundVirus = ($action eq "quarantine");
if ($action eq "tempfail") {
action_tempfail("Problem running virus-scanner");
md_syslog('warning', "Problem running virus scanner:
code=$code, category=$category, action=$action");
}
}
#***********************************************************************
# %PROCEDURE: filter
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools
documentation for details)
# fname -- the suggested filename, taken from the
MIME Content-Disposition:
# header. If no filename was suggested,
then fname is ""
# ext -- the file extension (everything from the last
period in the name
# to the end of the name, including the
period.)
# type -- the MIME type, taken from the Content-Type:
header.
#
# NOTE: There are two likely and one unlikely place
for a filename to
# appear in a MIME message: In Content-Disposition:
filename, in
# Content-Type: name, and in Content-Description. If
you are paranoid,
# you will use the re_match and re_match_ext
functions, which return true
# if ANY of these possibilities match. re_match
checks the whole name;
# re_match_ext checks the extension. See the sample
filter below for usage.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This function is called once for each part of a
MIME message.
# There are many action_*() routines which can decide
the fate
# of each part; see the mimedefang-filter man page.
#***********************************************************************
sub filter ($$$$) {
my($entity, $fname, $ext, $type) = @_;
return if message_rejected(); # Avoid unnecessary
work
# Block message/partial parts
if (lc($type) eq "message/partial") {
md_graphdefang_log('message/partial');
action_bounce("MIME type message/partial not accepted
here");
return action_discard();
}
# Virus scan
if ($FoundVirus) {
my($code, $category, $action);
$VirusScannerMessages = "";
($code, $category, $action) =
entity_contains_virus($entity);
# If you are more paranoid, change to: if ($action eq
"quarantine") {
if ($category eq "virus") {
md_graphdefang_log('virus',$VirusName,
$RelayAddr);
# Bounce the mail!
action_bounce("Virus $VirusName found in mail -
rejected");
# But quarantine the part for examination later.
Comment
# the next line out if you don't want to bother.
action_quarantine($entity, "A known virus was
discovered and deleted. Virus-scanner messages
follow:\n$VirusScannerMessages\n\n");
return;
}
if ($action eq "tempfail") {
action_tempfail("Problem running virus-scanner");
md_syslog('warning', "Problem running virus
scanner: code=$code, category=$category,
action=$action");
}
}
if (filter_bad_filename($entity)) {
md_graphdefang_log('bad_filename', $fname,
$type);
return action_quarantine($entity, "CMAC MIS: An
attachment named $fname was removed from this document
as it\nconstituted a security hazard. If you require
this document, please contact\nthe sender and arrange
an alternate means of receiving it.\n");
}
# eml is bad if it's not multipart
if (re_match($entity, '\.eml')) {
md_graphdefang_log('non_multipart');
return action_quarantine($entity, "A non-multipart
attachment named $fname was removed from this document
as it\nconstituted a security hazard. If you require
this document, please contact\nthe sender and arrange
an alternate means of receiving it.\n");
}
# Clean up HTML if Anomy::HTMLCleaner is
installed.
if ($Features{"HTMLCleaner"}) {
if ($type eq "text/html") {
return anomy_clean_html($entity);
}
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: filter_multipart
# %ARGUMENTS:
# entity -- a Mime::Entity object (see MIME-tools
documentation for details)
# fname -- the suggested filename, taken from the
MIME Content-Disposition:
# header. If no filename was suggested,
then fname is ""
# ext -- the file extension (everything from the last
period in the name
# to the end of the name, including the
period.)
# type -- the MIME type, taken from the Content-Type:
header.
# %RETURNS:
# Nothing
# %DESCRIPTION:
# This is called for multipart "container" parts such
as message/rfc822.
# You cannot replace the body (because multipart
parts have no body),
# but you should check for bad filenames.
#***********************************************************************
sub filter_multipart ($$$$) {
my($entity, $fname, $ext, $type) = @_;
if (filter_bad_filename($entity)) {
md_graphdefang_log('bad_filename', $fname,
$type);
action_notify_administrator("A MULTIPART attachment
of type $type, named $fname was dropped.\n");
return action_drop_with_warning("An attachment of
type $type, named $fname was removed from this
document as it\nconstituted a security hazard. If you
require this document, please contact\nthe sender and
arrange an alternate means of receiving it.\n");
}
# eml is bad if it's not message/rfc822
if (re_match($entity, '\.eml') and ($type ne
"message/rfc822")) {
md_graphdefang_log('non_rfc822',$fname);
return action_drop_with_warning("A non-message/rfc822
attachment named $fname was removed from this document
as it\nconstituted a security hazard. If you require
this document, please contact\nthe sender and arrange
an alternate means of receiving it.\n");
}
# Block message/partial parts
if (lc($type) eq "message/partial") {
md_graphdefang_log('message/partial');
action_bounce("MIME type message/partial not accepted
here");
return;
}
return action_accept();
}
#***********************************************************************
# %PROCEDURE: defang_warning
# %ARGUMENTS:
# oldfname -- the old file name of an attachment
# fname -- the new "defanged" name
# %RETURNS:
# A warning message
# %DESCRIPTION:
# This function customizes the warning message when
an attachment
# is defanged.
#***********************************************************************
sub defang_warning ($$) {
my($oldfname, $fname) = @_;
return
"An attachment named '$oldfname' was converted to
'$fname'.\n" .
"To recover the file, right-click on the attachment
and Save As\n" .
"'$oldfname'\n";
}
# If SpamAssassin found SPAM, append report. We do it
as a separate
# attachment of type text/plain
sub filter_end ($) {
my($entity) = @_;
# If you want quarantine reports, uncomment next
line
# send_quarantine_notifications();
# IMPORTANT NOTE: YOU MUST CALL
send_quarantine_notifications() AFTER
# ANY PARTS HAVE BEEN QUARANTINED. SO IF YOU
MODIFY THIS FILTER TO
# QUARANTINE SPAM, REWORK THE LOGIC TO CALL
send_quarantine_notifications()
# AT THE END!!!
# No sense doing any extra work
return if message_rejected();
# Spam checks if SpamAssassin is installed
if ($Features{"SpamAssassin"}) {
if (-s "./INPUTMSG" < 100*1024) {
# Only scan messages smaller than 100kB. Larger
messages
# are extremely unlikely to be spam, and
SpamAssassin is
# dreadfully slow on very large messages.
my($hits, $req, $names, $report) =
spam_assassin_check();
my($score);
if ($hits < 40) {
$score = "*" x int($hits);
} else {
$score = "*" x 40;
}
# We add a header which looks like this:
# X-Spam-Score: 6.8 (******)
NAME_OF_TEST,NAME_OF_TEST
# The number of asterisks in parens is the
integer part
# of the spam score clamped to a maximum of 40.
# MUA filters can easily be written to trigger on
a
# minimum number of asterisks...
if ($hits >= $req) {
action_change_header("X-Spam-Score", "$hits ($score)
$names");
md_graphdefang_log('spam', $hits,
$RelayAddr);
# If you find the SA report useful, add it, I
guess...
action_add_part($entity, "text/plain", "-suggest",
"$report\n",
"SpamAssassinReport.txt", "inline");
} else {
# Delete any existing X-Spam-Score header?
action_delete_header("X-Spam-Score");
}
}
}
# I HATE HTML MAIL! If there's a
multipart/alternative with both
# text/plain and text/html parts, nuke the
text/html. Thanks for
# wasting our disk space and bandwidth...
# If you don't mind HTML mail, comment out the
next line.
remove_redundant_html_parts($entity);
md_graphdefang_log('mail_in');
}
# DO NOT delete the next line, or Perl will complain.
1;
#David added on 02 March 2004
$SyslogFacility = "mail";
md_syslog("info", "This is a test message to
/var/log/maillog");
#######################################################
1. Please tell me where and what to write in if I want
to filter and drop e-mail which has attachment file
ext. *.pif or *.exe
2. How to see mimedefang's log file of what its
activity about mail filtering?
Thanks in advance,
David
__________________________________
Do you Yahoo!?
Yahoo! Search - Find what youre looking for faster
http://search.yahoo.com
More information about the MIMEDefang
mailing list