[Mimedefang] Oblivion.rar

Paul Whittney pwhittney at net.arrivetech.com
Wed Apr 12 14:25:34 EDT 2006


This is the number one reason why we don't automatically uncompress
zips and rars. It's expensive (on my box, anyway, doesn't have the
processing power it needs), and in light of these unzip/rar timebombs
could actually destroy the email server (must try it at some point).

However, the best way I've found to combat these is to rely on
the uuencoding of the file only.

Currently, I've only got the zip parts operational, but it seems I'll
be looking at others now.

Inside filter:
..
my $found = 0;
if (lc($ext) =~ /zip/) {
	md_graphdefang_log('ziptest', $path);
	# body() gives the transfer-encoded (base64) lines, not the decoded archive
	my $lines = $entity->body();
	my $name = "";
	if (scalar( @$lines )) {
		# It has lines....
		my $line = @$lines[0];
		# match the base64 of the zip local file header directly
		if ( ($line =~ m/^UEsDBAoAAAAAA.{6}zy5egAlgAAAJYAA/) ||
			($line =~ m/^UEsDBAoAAAAAA.{6}KJx\+eAFgAAABYAA/) ) {
			$found = 1;
			$name = "Novarg";
		} #....
		# more of the same... depends what you want to block..
		# ...
		else {
			# throw the current line into the logs, for scanning later..
			md_syslog('notice',"ziptest,$line\n");
		}
	}
}

now, you can react with 
	if ($found) {
		# set up messages, and alterations, or...
		action_quarantine($entity, 
			"A known virus signature was detected, and removed\n");
		return action_discard();
	}

That might be expensive to grab the entity into memory, could put file size 
limits on it #shrugs#
Keep an eye on the logs:
Apr 12 13:12:25 mx1 mimedefang.pl[132]: ...
	.. ziptest,UEsDBAoAAAAAADtmhDQAAAAAAAAAAAAAAAAZAAAATkUg ... 
		(removed parts, as it then lists a filename)

I'm sure you could write a DB system to keep track of the amount of hits
and I think that pulling the zip/rar standard apart at this level
could help find filenames, rather than needing diskspace to uncompress
possibly untrusted files.

-Paul

On Wed, Apr 12, 2006 at 05:49:39PM +0100, Paul Murphy wrote:

-- 
Paul Whittney                                  ArriveTech, Inc.
Network Specialist / Systems Engineer         / |3823 West 12th Street,
                                             /--|Erie, PA, 16505, USA
PWhittney [at] arrivetech.com (Main)        /   |www.arrivetech.com 
PWhittney [at] net.arrivetech.com (Aux)    /    |Tel: 814 868 3306
