[Mimedefang] unquarantining attachments
Matthew.van.Eerde at hbinc.com
Fri Jun 24 11:37:23 EDT 2005
Rolf wrote:
>> Rolf wrote:
>>> I have been using
>>> cat HEADERS PART.1.HEADERS PART.1.BODY | sendmail -oi -Am -f `cat
>>> SENDER` `cat RECIPIENTS`> hello
> David F. Skoll wrote:
>>
>> I'm amazed that ever worked.
>>
>> There's no reliable way to do what you want. If you are concerned
>> that you might want to unquarantine something, you should use
>> quarantine_entire_message so that you have a copy of the original
>> full MIME message.
>
> Thank you very much.
>
> I shall do just that (which incidentally clarifies perfectly why
> quarantine_entire_message was designed to not affect the disposition
> of the message).
See
http://www.mimedefang.org/kwiki/index.cgi?UnquarantineMessage
http://www.mimedefang.org/kwiki/index.cgi?QuarantineManager
In addition, I have a custom unquarantining methodology. It probably won't work for many people because users are funny about admins touching "their" attachments, but it works for my office:
I ruthlessly quarantine based on extensions
http://www.mimedefang.org/kwiki/index.cgi?BadFilenameExtensions
I've modified mimedefang-filter's filter($$$$) subroutine as follows:
# return action_drop_with_warning("An attachment named $fname was removed from this document as it\nconstituted a security hazard. If you require this document, please contact\nthe sender and arrange an alternate means of receiving it.\n");
# change to
my $security_message =
$global_security_message . "\n" .
"This attachment was named \"" . $fname . "\"\n\n" .
"Quarantine info:\n" .
"unquarantine " . $hostname_for_security . " " .
get_quarantine_dir() . " " .
"PART." . (($QuarantineCount || 0) + 1) . ".BODY " .
"\"" . $fname . "\"\n";
return action_quarantine($entity, $security_message);
which appends an "unquarantine" command ($hostname_for_security is the FQDN of the host) specially designed to extract only the quarantined attachment.
On my workstation I have PuTTY and a specially crafted unquarantine.bat:
@echo off
set unquarserver=%1
set unquardirectory=%2
set unquarbodypart=%3
set unquarfilename=%4
rem whole command should be copy/pasted from warning message
set unquaruser=(my username here)
echo Deleting and recreating working directory...
rmdir /s /q "C:\unquarantine_email"
mkdir C:\unquarantine_email
echo Retrieving %unquarfilename% from %unquarserver%...
call "C:\Program Files\putty\pscp.exe" %unquaruser%@%unquarserver%:%unquardirectory%/%unquarbodypart% C:\unquarantine_email\%unquarbodypart%
echo Copying C:\unquarantine_email\%unquarbodypart% as %unquarfilename%...
C:
cd \unquarantine_email
copy %unquarbodypart% %unquarfilename%
echo Make ABSOLUTELY SURE it's not a virus before sending it on!
echo Pressing a key will open the C:\unquarantine_email folder...
pause
explorer C:\unquarantine_email
When a user's attachment is quarantined, they forward me the quarantine notice. I copy and paste the command line to a cmd.exe shell, which retrieves the attachment for me. Then I email the attachment back to the user.
--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com Software Engineer
perl -e"map{y/a-z/l-za-k/;print}shift" "Jjhi pcdiwtg Ptga wprztg,"
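
Added example, not part of the original post or of MIMEDefang: the notice line built in the post embeds $fname, which is chosen by the sender of the mail, and that line is later pasted into a cmd.exe shell. The sketch below builds the same line but reduces the name to an allow-list of characters first; the helper names safe_display_name and unquarantine_line, the host name and the quarantine path are assumptions made for illustration, and the retrieved file ends up saved under the sanitized name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Reduce a sender-supplied attachment name to characters that are inert when
# the notice line is pasted into cmd.exe or a POSIX shell.
sub safe_display_name {
    my ($fname) = @_;
    $fname = '' unless defined $fname;
    $fname =~ s{.*[/\\]}{}s;             # drop any path component
    $fname =~ s/[^A-Za-z0-9._-]/_/g;     # allow-list; quotes, &, |, %, ^, spaces -> "_"
    $fname =~ s/^\.+/_/;                 # no leading dots
    $fname = substr($fname, 0, 64);      # bound the length
    return length($fname) ? $fname : 'unnamed';
}

# Build the "unquarantine ..." line. Host, directory and part number come from
# the filter itself, but are still checked before being printed.
sub unquarantine_line {
    my ($host, $qdir, $part, $fname) = @_;
    die "unexpected host\n"      unless $host =~ /\A[A-Za-z0-9.-]+\z/;
    die "unexpected directory\n" unless $qdir =~ m{\A/[A-Za-z0-9._/-]+\z};
    die "unexpected part\n"      unless $part =~ /\A[0-9]+\z/;
    return sprintf('unquarantine %s %s PART.%d.BODY "%s"',
                   $host, $qdir, $part, safe_display_name($fname));
}

# In the filter this would be called with the values the post uses:
#   unquarantine_line($hostname_for_security, get_quarantine_dir(),
#                     ($QuarantineCount || 0) + 1, $fname)
# Constructed sample values follow so the script runs on its own.
my $host = 'mail.example.com';
my $qdir = '/var/spool/MD-Quarantine/qdir-2005-06-24-11.37.23-001';
for my $name ('invoice.exe', 'odd"name&.scr', '..\\..\\boot.pif', undef) {
    print unquarantine_line($host, $qdir, 1, $name), "\n";
}
```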