[Mimedefang] Two questions

Ole Craig olc at cs.umass.edu
Tue Aug 30 16:11:29 EDT 2005


On 08/30/05 at 14:47, 'twas brillig and Jim McCullars scrobe:
[...]
> > 2) Does mimedefang have a way to detect and deny encrypted archives
> > (like encrypted zip files), while still allowing through unencrypted
> > archives.  (it's ok if zip files are the only such archive)
> 
>    You could do something like this (untested!) in sub filter():
[...]

Here's our version. It's been in production for well over a year, so I
guess it qualifies as "somewhat-tested"...
----
# within filter_initialize ()
    use Archive::Zip qw( :ERROR_CODES :CONSTANTS );
# [...]


sub filter ($$$$) {
    my($entity, $fname, $ext, $type) = @_;
    return if message_rejected(); # Avoid unnecessary effort

# check for banned files in ZIP archives. Requires
# Archive::Zip. Adapted from/inspired by code from Michal Jankowski
# and Paul Murphy on MIMEDefang-users list.
    if (lc($ext) =~ /\.zip$/) {
        my $path = $entity->bodyhandle->path;
        my $zipfile = Archive::Zip->new();
        # read() only parses the central directory; members() and the
        # per-member accessors used below need no extraction, so no
        # scratch file is needed (an earlier version created one via
        # Archive::Zip::tempFile and never used or removed it)
        if ($zipfile->read($path) == AZ_OK) {
            md_syslog('debug', "Unpacking/checking ZIP archive in $path");
            my @contents = $zipfile->members();
            foreach my $content (@contents) {
                my $fn = $content->fileName();
                # size as declared in the central directory; the sender
                # controls this value, it is not the result of inflating
                my $fsize = $content->uncompressedSize();
                md_syslog('debug', "Checking zipfile contents $fn, size=$fsize");
                # unpacked size limit
                if ($fsize > 50e6) {
                    md_graphdefang_log('Zip archive contents too big', $fn, $RelayAddr);
                    return action_bounce("rejection: possible DOS attack: overlarge archive content, file $fn, size=$fsize");
                }
                # quarantine encrypted files (Bagle-H and similar); the
                # member name is stored in clear even when the data is
                # encrypted, so the extension check still works
                if ($content->isEncrypted()) {
                    md_syslog('debug', "Checking encrypted ZIP content $fn");
                    my $badex =
'(ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|wmz|wsc|wsf|wsh|zip|\{[^\}]+\})';
                    # extension must be followed by a non-filename char
                    # or end of string (trailing dots tolerated)
                    my $regx = '\.' . $badex . '\.*([^-A-Za-z0-9_.,]|$)';
                    if (lc($fn) =~ $regx) {
                        md_graphdefang_log('crypt_bad_ext', $fn, $RelayAddr);
                        action_quarantine_entire_message("encrypted ZIP file with executable content");
                        return action_replace_with_warning("An encrypted ZIP archive containing \"$fn\" was removed \nfrom this document as it constituted a likely security hazard \n(cf. Bagle worm or similar). If you require this document, \nplease contact your friendly neighborhood mail admin. \n\n        Otherwise, the quarantined content will be deleted in two weeks.\n");
                    }
                    # no exe content, just log it
                    md_syslog('warning', "Encrypted file $fn in zip archive");
                }
                # could put extra virus checking here but clamav should
                # already be checking unencrypted zips
            }
        } else {
            md_syslog('warning', "Zipfile read returned error");
        }
    }
# [...]
# [...]


		Ole
-- 
Ole Craig * UNIX, linux, SMTP-fu; news, web; SGI martyr * admin-at-large

   Need a seasoned *NIX admin in the Denver/Boulder area? Hire me!
        http://www.cs.umass.edu/~olc/pub/olc-resume.txt
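The filter above relies on Archive::Zip to tell it which members are encrypted and how large they claim to be. The following is an added example, not code from the post or from MIMEDefang, that implements the same policy in Python directly against the ZIP central directory, so the two facts the filter depends on are visible: encryption is general-purpose flag bit 0 of each central-directory header, and the "uncompressed size" field is whatever the sender wrote there. Beyond the post, it inflates each unencrypted member with a hard output cap instead of trusting the declared size, and adds a whole-archive cap; the extension list is the post's own. The sample archives are constructed inline (zipfile cannot write encrypted entries, so the flag bit is patched into a plain archive to simulate one); all function names and the `max_total` policy are this example's assumptions.

```python
import io
import re
import struct
import zipfile
import zlib

# Extension list from the filter posted above; the last alternative catches
# CLSID-style "{...}" pseudo-extensions. Match against the lower-cased name.
_BAD_EXT = (
    r"ade|adp|app|asd|asf|asx|bas|bat|chm|cmd|com|cpl|crt|dll|exe|fxp|hlp|"
    r"hta|hto|inf|ini|ins|isp|jse?|lib|lnk|mdb|mde|msc|msi|msp|mst|ocx|pcd|"
    r"pif|prg|reg|scr|sct|sh|shb|shs|sys|url|vb|vbe|vbs|vcs|vxd|wmd|wms|"
    r"wmz|wsc|wsf|wsh|zip|\{[^}]+\}"
)
DANGEROUS_NAME = re.compile(r"\.(?:" + _BAD_EXT + r")\.*(?:[^-a-z0-9_.,]|$)")

FLAG_ENCRYPTED = 0x0001   # general-purpose bit 0 (PKWARE APPNOTE 4.4.4)
FLAG_UTF8 = 0x0800        # bit 11: file name is UTF-8 rather than CP437
_CDH, _LFH, _EOCD = b"PK\x01\x02", b"PK\x03\x04", b"PK\x05\x06"


def central_directory(data):
    """Yield (name, flags, method, csize, declared_usize, local_offset) per
    member, read from the central directory (what unzip and Archive::Zip
    trust), not from the local headers, which may disagree with it."""
    eocd = data.rfind(_EOCD)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_total, _cd_size, cd_off = struct.unpack_from("<HLL", data, eocd + 10)
    pos = cd_off
    for _ in range(n_total):
        (sig, flags, method, csize, usize, nlen, xlen, clen, loff
         ) = struct.unpack_from("<4s4xHH8xLLHHH8xL", data, pos)
        if sig != _CDH:
            raise ValueError("corrupt central directory")
        raw = data[pos + 46:pos + 46 + nlen]
        name = raw.decode("utf-8" if flags & FLAG_UTF8 else "cp437", "replace")
        yield name, flags, method, csize, usize, loff
        pos += 46 + nlen + xlen + clen


def inflated_size(data, loff, method, csize, cap):
    """Real uncompressed size of a member, inflating with a hard output cap:
    declared sizes are sender-controlled, so never let them decide whether
    an archive is a bomb. Returns a value above cap once cap is exceeded."""
    nlen, xlen = struct.unpack_from("<HH", data, loff + 26)
    start = loff + 30 + nlen + xlen
    raw = data[start:start + csize]
    if method == 0:                       # stored
        return len(raw)
    if method != 8:                       # only deflate is handled here
        raise ValueError(f"unsupported compression method {method}")
    d = zlib.decompressobj(-15)           # raw deflate, no zlib header
    out = len(d.decompress(raw, cap + 1))
    return out if out > cap else out + len(d.flush())


def scan_zip(data, max_member=50_000_000, max_total=200_000_000):
    """Apply the posted filter's policy to an in-memory archive and return
    (verdict, detail): 'reject' for oversize content, 'quarantine' for an
    encrypted member with an executable name, 'log' for other encrypted
    members, else 'ok'. max_total (whole-archive cap) is an assumption."""
    total, encrypted_benign = 0, []
    for name, flags, method, csize, usize, loff in central_directory(data):
        if flags & FLAG_ENCRYPTED:        # ciphertext cannot be inflated here
            size = usize
        else:
            try:
                size = inflated_size(data, loff, method, csize, max_member)
            except zlib.error:
                return "reject", f"corrupt deflate stream in {name}"
        total += size
        if size > max_member or total > max_total:
            return "reject", f"possible DOS attack: overlarge archive content {name}"
        if flags & FLAG_ENCRYPTED:
            if DANGEROUS_NAME.search(name.lower()):
                return "quarantine", f"encrypted ZIP member with executable name: {name}"
            encrypted_benign.append(name)
    if encrypted_benign:
        return "log", "encrypted members: " + ", ".join(encrypted_benign)
    return "ok", ""


def build_sample(encrypted=None, lie_about=None):
    """Constructed test input: a two-member archive written with zipfile.
    encrypted= sets bit 0 of that member's flag word in both headers to
    simulate an encrypted entry; lie_about= rewrites that member's declared
    uncompressed size to 1, the way a size-lying bomb would."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("readme.txt", "quarterly figures attached\n")
        z.writestr("invoice.exe", b"MZ" + b"\x90" * 400)
    data = bytearray(buf.getvalue())
    # (signature, flags offset, usize offset, name-length offset, name offset)
    for sig, f_off, u_off, n_off, name_off in ((_CDH, 8, 24, 28, 46),
                                               (_LFH, 6, 22, 26, 30)):
        pos = data.find(sig)
        while pos >= 0:
            nlen = struct.unpack_from("<H", data, pos + n_off)[0]
            name = bytes(data[pos + name_off:pos + name_off + nlen]).decode()
            if name == encrypted:
                flags = struct.unpack_from("<H", data, pos + f_off)[0]
                struct.pack_into("<H", data, pos + f_off, flags | FLAG_ENCRYPTED)
            if name == lie_about:
                struct.pack_into("<L", data, pos + u_off, 1)
            pos = data.find(sig, pos + 1)
    return bytes(data)
```

`scan_zip(build_sample(encrypted="invoice.exe"))` returns the quarantine verdict and `scan_zip(build_sample(encrypted="readme.txt"))` only the log verdict, matching the two branches of the Perl filter. The capped inflate is the part worth keeping even if the rest is replaced: with `max_member=100`, the archive whose central directory claims `invoice.exe` is one byte long is still rejected, whereas a check on `uncompressedSize()` alone would pass it. Encrypted members cannot be measured this way, so for them the declared size is all a gateway has, which is one more reason to treat encrypted archives with executable-looking names as hostile rather than merely unscannable.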
