[Mimedefang] unquarantining attachments

Matthew.van.Eerde at hbinc.com
Fri Jun 24 11:37:23 EDT 2005


Rolf wrote:
> David F. Skoll wrote:
>> Rolf wrote:
>>> I have been using
>>> cat HEADERS PART.1.HEADERS PART.1.BODY | sendmail -oi -Am -f `cat SENDER` `cat RECIPIENTS`> hello
>> 
>> I'm amazed that ever worked.
>> 
>> There's no reliable way to do what you want.  If you are concerned
>> that you might want to unquarantine something, you should use
>> quarantine_entire_message so that you have a copy of the original
>> full MIME message. 
> 
> Thank you very much.
> 
> I shall do just that (which incidentally clarifies perfectly why
> quarantine_entire_message was designed to not affect the disposition
> of the message).

See
http://www.mimedefang.org/kwiki/index.cgi?UnquarantineMessage
http://www.mimedefang.org/kwiki/index.cgi?QuarantineManager

In addition, I have a custom unquarantining methodology.  It probably won't work for many people because users are funny about admins touching "their" attachments, but it works for my office:

I ruthlessly quarantine based on extensions
http://www.mimedefang.org/kwiki/index.cgi?BadFilenameExtensions

I've modified mimedefang-filter's filter($$$$) subroutine as follows:

#       return action_drop_with_warning("An attachment named $fname was removed from this document as it\nconstituted a security hazard.  If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
# change to
        # $global_security_message holds the boilerplate warning text and
        # $hostname_for_security the FQDN of this host; both are set elsewhere
        # in the filter.  get_quarantine_dir() and $QuarantineCount come from
        # mimedefang.pl: the part quarantined by the action_quarantine() call
        # below will be numbered $QuarantineCount + 1, so that is the name
        # written into the notice.
        my $security_message =
                $global_security_message . "\n" .
                "This attachment was named \"" . $fname . "\"\n\n" .
                "Quarantine info:\n" .
                "unquarantine " . $hostname_for_security . " " .
                get_quarantine_dir() . " " .
                "PART." . (($QuarantineCount || 0) + 1) . ".BODY " .
                "\"" . $fname . "\"\n";
        return action_quarantine($entity, $security_message);

which appends an "unquarantine" command ($hostname_for_security is the FQDN of the host) specially designed to extract only the quarantined attachment.

On my workstation I have PuTTY and a specially crafted unquarantine.bat:

@echo off
rem usage: unquarantine SERVER QUARANTINE_DIR PART.N.BODY "ORIGINAL NAME"
rem whole command should be copy/pasted from warning message
set unquarserver=%1
set unquardirectory=%2
set unquarbodypart=%3
set unquarfilename=%4
set unquaruser=(my username here)

echo Deleting and recreating working directory...
rmdir /s /q "C:\unquarantine_email"
mkdir C:\unquarantine_email

rem fetch only the quarantined body part, over SSH, with PuTTY's pscp
echo Retrieving %unquarfilename% from %unquarserver%...
call "C:\Program Files\putty\pscp.exe" %unquaruser%@%unquarserver%:%unquardirectory%/%unquarbodypart% C:\unquarantine_email\%unquarbodypart%

rem %unquarfilename% arrives quoted from the notice, so names with spaces work
echo Copying C:\unquarantine_email\%unquarbodypart% as %unquarfilename%...
C:
cd \unquarantine_email
copy %unquarbodypart% %unquarfilename%

echo Make ABSOLUTELY SURE it's not a virus before sending it on!
echo Pressing a key will open the C:\unquarantine_email folder...
pause
explorer C:\unquarantine_email

When a user's attachment is quarantined, they forward me the quarantine notice.  I copy and paste the command line to a cmd.exe shell, which retrieves the attachment for me.  Then I email the attachment back to the user.

-- 
Matthew.van.Eerde (at) hbinc.com                 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com         Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
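Everything pasted into that command line (the quarantine directory, the PART.N.BODY name and the original attachment name) is copied out of a quarantine notice, and the attachment name in particular is whatever the sender of the mail chose. The added example below is not code from the post above; it is a POSIX sh counterpart of unquarantine.bat meant to run on the MIMEDefang host itself, which only accepts arguments of the shape the filter emits, turns the attachment name into a plain basename before using it, and prints the SHA-256 of the recovered file so it can be checked before it goes back to the user. QROOT defaulting to /var/spool/MD-Quarantine, and the helper names unquarantine_part and sanitize_name, are assumptions of this example, not anything the page states.

```shell
#!/bin/sh
# Added example, not from the original post.  Server-side equivalent of
# unquarantine.bat: copy one PART.<n>.BODY out of a quarantine directory
# under a cleaned-up version of its original name.
# Assumptions: QROOT is the quarantine root (MIMEDefang's usual default
# is /var/spool/MD-Quarantine); unquarantine_part and sanitize_name are
# hypothetical names chosen here.

QROOT="${QROOT:-/var/spool/MD-Quarantine}"

# sanitize_name NAME: reduce an attachment name taken from a mail (chosen
# by whoever sent it) to a basename made only of [A-Za-z0-9._-].  Any
# directory part, whether '/' or '\' separated, is dropped; every other
# character becomes '_'.  Fails on names that end up empty, '.' or '..'.
sanitize_name() {
    n=$(printf '%s' "$1" | sed 's,.*/,,; s,.*\\,,')
    n=$(printf '%s' "$n" | tr -c 'A-Za-z0-9._-' '_')
    case "$n" in
        ''|.|..) return 1 ;;
    esac
    printf '%s' "$n"
}

# unquarantine_part QDIR PART FILENAME OUTDIR
#   QDIR     quarantine directory as printed in the notice (must be under QROOT)
#   PART     PART.<n>.BODY as printed in the notice
#   FILENAME original attachment name as printed in the notice
#   OUTDIR   where the recovered file is written
# On success prints "<output path> <sha256>" on stdout and returns 0.
unquarantine_part() {
    qdir=$1; part=$2; fname=$3; outdir=$4

    # the notice is copy/pasted by a human: only accept a directory that
    # really lies under the quarantine root and has no '..' in it
    case "$qdir" in
        "$QROOT"/*) ;;
        *) echo "refusing quarantine dir outside $QROOT: $qdir" >&2; return 2 ;;
    esac
    case "$qdir" in
        *..*) echo "refusing '..' in quarantine dir: $qdir" >&2; return 2 ;;
    esac

    # only the exact shape the filter writes, nothing with slashes or globs
    printf '%s\n' "$part" | grep -Eq '^PART\.[0-9]+\.BODY$' \
        || { echo "not a quarantined part name: $part" >&2; return 2; }

    safe=$(sanitize_name "$fname") \
        || { echo "attachment name unusable after cleaning: $fname" >&2; return 2; }

    src="$qdir/$part"
    [ -f "$src" ] || { echo "no such part: $src" >&2; return 1; }

    mkdir -p "$outdir" || return 1
    cp "$src" "$outdir/$safe" || return 1
    chmod 0600 "$outdir/$safe"

    # sha256sum on Linux, shasum elsewhere; the hash is what you look up
    # or hand to a scanner before releasing the file
    if command -v sha256sum >/dev/null 2>&1; then
        sum=$(sha256sum "$outdir/$safe" | cut -d' ' -f1)
    else
        sum=$(shasum -a 256 "$outdir/$safe" | cut -d' ' -f1)
    fi
    printf '%s %s\n' "$outdir/$safe" "$sum"
}
```

Called as `unquarantine_part /var/spool/MD-Quarantine/qdir-2005-06-24-11.37.23-001 PART.1.BODY "report.doc" /tmp/unquarantine`, it refuses a directory outside the root or containing `..`, a part name with a path in it, and a name that cleans down to nothing, and otherwise leaves a mode-0600 copy plus its hash for the admin to check; the original `rmdir /s /q` and `copy` steps of the batch file are what it replaces.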
