[Esd-l] Weird behavior on some attachments
Mark Wendt
wendt at kingcrab.nrl.navy.mil
Thu Dec 20 07:27:01 PST 2001
Eric,

I should have included the log traces in the last email, so here
goes. The first one is being sent from Outlook 2000:

Sanitizing executable UUE attachments from "Doug" <xxx at xxx.xxx.xxx.xxx>
to xxx msgid=<003d01c188c5$b2ee96c0$1c20fa84 at xxx.xxx.xxx.xxx>
Mangling executable filename "pass32.exe".
From xxx at xxx.xxx.xxx.xxx Wed Dec 19 14:43:59 2001
Subject:
Folder: /var/mail/xxx

This gave me an attachment named pass32.887739DEFANGED-exe

This one is sent from Outlook 2000:

Sanitizing MIME attachment headers in "test" from "Test"
<xxxx at xxx.xxx.xxx.xxx>
to wendt msgid=<MJEDKDCLLPLNLIPHAMPKKEADCAAA.xxx at xxx.xxx.xxx.xxx>
Checking "cfwindem.exe" for stripping.
Stripped executable "cfwindem.exe".
From xxx at xxx.xxx.xxx.xxx Wed Dec 19 15:03:08 2001
Subject: test
Folder: /var/mail/xxx

This resulted in what looked like a stripped executable, but the
MIME encoded attachment ended up being the body of the email, along with
the two-line message originally sent as the body of the email.

The last is the same executable sent from Eudora:

Sanitizing MIME attachment headers from xxx <xxx at xxx.xxx.xxx.xxx> to
xxx msgid=<5.1.0.14.2.20011220102212.00ad6888 at xxx.xxx.xxx.xxx>
Checking "cfwindem.exe" for stripping.
Stripped executable "cfwindem.exe".
From xxx at xxx.xxx.xxx.xxx Thu Dec 20 10:22:42 2001
Subject:
Folder: /var/mail/xxx

This time the executable was stripped clean, and the body of the
email was intact, with a message included saying the message was stripped.

Mark

At 09:47 AM 12/20/2001 -0500, you wrote:
>Hello,
>
> > >I just want to strip the attachment completely off, leaving the body of
> > >the email intact.
> >
> > I am ready to be flamed for this, but if memory serves me, John has
> > implemented stripping only as a by-product of his local.procmail handling
> > code, and only in the most recent version of the sanitizer (which I'm not
> > using yet, naughty me...)
>
>Right.. the latest version does support stripping attachments. It actually
>works exactly like the system for poisoning an attachment. As long as the
>extension is listed in the MANGLE_EXTENSIONS list, you can add that extension
>to the file you defined with STRIPPED_EXECUTABLES and it will strip the file
>out of the email.
>
>For example, we strip 'exe' extensions at our location. So, I verified that
>'exe' was one of the extensions being defanged (meaning it was in the
>MANGLE_EXTENSIONS). I then edited my /etc/procmailrc, and added the line:
>
>STRIPPED_EXECUTABLES=/etc/procmail/stripped
>
>and then I just added *.exe to /etc/procmail/stripped.
>
>That will strip all exe extensions. Since you wish to strip all attachments,
>just go right down the MANGLE_EXTENSIONS list and add em all to the stripped
>file:
>
>*.exe
>*.com
>*.cmd
>*.bar
>*.pif
>*.sc[rt]
>
>etc etc.
>
>Good luck!
> -Eric
>
>--
>Eric Andreychek
>Residential Warranty Corporation
>(717) 561-4480 x2245
>_______________________________________________
>Esd-l mailing list
>Esd-l at spconnect.com
>http://www.spconnect.com/mailman/listinfo/esd-l
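
Added example, not part of the original thread or the sanitizer's own code: a shell check for the precondition described above, that an entry in the STRIPPED_EXECUTABLES file only takes effect when its extension is also in MANGLE_EXTENSIONS. The function names, the flat `ext1|ext2|...` form assumed for the list, and the sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# uncovered_patterns MANGLE_REGEX STRIPPED_FILE  (hypothetical helper)
# Prints every pattern in STRIPPED_FILE whose extension is not covered by
# MANGLE_REGEX, i.e. entries that would never be reached for stripping.
# Assumption: MANGLE_REGEX is a flat alternation with no nested groups.
uncovered_patterns() {
    mangle_re=$1
    stripped_file=$2
    while IFS= read -r pat || [ -n "$pat" ]; do
        [ -n "$pat" ] || continue            # skip blank lines
        ext=${pat##*.}                       # text after the last dot
        # Case 1: the entry repeats a list alternative verbatim (sc[rt]).
        if printf '%s\n' "$mangle_re" | tr '|' '\n' | grep -Fxq -- "$ext"; then
            continue
        fi
        # Case 2: a plain extension (scr) that the list matches (sc[rt]).
        case $ext in
            ''|*[!A-Za-z0-9]*) ;;            # not a plain extension
            *)
                if printf '%s\n' "$ext" | grep -Exq -- "($mangle_re)"; then
                    continue
                fi
                ;;
        esac
        printf '%s\n' "$pat"                 # not covered: report it
    done < "$stripped_file"
}

# Constructed sample data, not the sanitizer's shipped defaults.
demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' '*.exe' '*.scr' '*.sc[rt]' '*.bar' '*.zip' > "$tmp"
    uncovered_patterns 'exe|com|cmd|bat|pif|sc[rt]' "$tmp"
    rm -f "$tmp"
}

demo
```

Any pattern it prints should be added to MANGLE_EXTENSIONS or corrected in the stripped file before relying on it.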