[Mimedefang] Amusing coincidence
Paul Murphy
pjm at ousekjarr.org
Fri Apr 14 06:01:59 EDT 2006
Fred,
> The action_quarantine message was put into the email when
> the attachment was stripped out. However, the attachment did not
> actually end up in the quarantine directory!
>
> ===================================================
> sub filter_multipart ($$$$) {
> my($entity, $fname, $ext, $type) = @_;
>
> return if message_rejected(); # Avoid unnecessary work
>
> if (filter_bad_filename($entity)) {
> md_graphdefang_log('bad_filename', $fname, $type);
> action_notify_administrator("A MULTIPART attachment of type
> $type, named $fname was dropped.\n");
> return action_quarantine($entity,"An attachment of type $type,
> named $fname was removed from this document as
> it\nconstituted a network
> security hazard. If you require this document, \nplease contact the
> sender and arrange an alternate means of receiving it.\n");
> }
> ...
>
> return action_accept();
> }
> ===================================================
Your filter uses "return action_quarantine()", which isn't right - you need
to accept, bounce or discard the message instead, e.g.:
if (filter_bad_filename($entity)) {
md_graphdefang_log('bad_filename', $fname, $type);
action_notify_administrator("A MULTIPART attachment of type $type,
name
d $fname was dropped.\n");
action_quarantine_entire_message("An attachment of type $type, named
$f
name was removed from this document as it\nconstituted a security hazard. If
y
ou require this document, please contact\nIT Support to arrange for it to be
re
leased.\n");
return action_discard();
}
> 2) Will changing the conditional
> to
> if (filter_bad_filename($entity) and ($type ne "message/rfc822"))
> prevent a similar event from recurring?
Probably.
Paul.
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.385 / Virus Database: 268.4.1/311 - Release Date: 13/04/2006
More information about the MIMEDefang
mailing list