[Esa-l] Just received this new mutation overnight.
John D. Hardin
jhardin at wolfenet.com
Tue Feb 20 20:08:33 PST 2001
On Tue, 20 Feb 2001, Brett Glass wrote:
> Ironically, Chris's message revealed a problem in the sanitizer.
> The message in which he QUOTED the advisory from the sanitizer was
> quarantined when it reached one of our systems.
This example illustrates a weakness in the design of the sanitizer.
The quarantining occurs in procmail rules that process the message
after the perl script. They key off "X-Content-Security:" headers,
which will be in the RFC-822 header or the MIME attachment headers if
the perl script has detected something problematic (or if you're using
a local-rules script).
Unfortunately, the procmail rules are not smart enough to tell whether
the X-Content-Security: text is actually in the headers, or is (as in
this case) in a body part and should be ignored.
I was thinking about this over the weekend. I suppose that's what
prompted Chris to forward that to the list (regardless of what he
*claims* the reason was)... :)
> Certainly the sanitizer should be able to tell the difference
> between a "real" MIME header and one that appears in quoted text?
It can, and did. It was confused by the X-Content-Security: headers
in the forwarded message.
> >> --==i3.9.0oisdboibsd((kncd
> >> Content-Type: TEXT/PLAIN;
> >> X-Content-Security: NOTIFY
> >> X-Content-Security: REPORT: Trapped poisoned executable "YOU_are_FAT!.TXT.pif"
> >> X-Content-Security: QUARANTINE
> >> Content-Description: SECURITY WARNING
I can't think of an elegant way around this, apart from keying off
something like:
X-Content-Security: [mail.impsec.org] QUARANTINE
instead of a plain X-Content-Security: header, which is a pretty ugly
hack IMHO.
The only truly reliable solution, apart from MIME-awareness in
procmail, is to do the quarantine and notification in the perl script.
I'm not sure whether I want to do that just yet. It "feels" to me like
that should be handled by procmail.
--
John Hardin KA7OHZ ICQ#15735746 http://www.wolfenet.com/~jhardin/
jhardin at wolfenet.com pgpk -a finger://gonzo.wolfenet.com/jhardin
768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Failure to plan ahead on someone else's part does not constitute an
emergency on my part.
- David W. Barts in a.s.r
<davidb at ce.washington.edu>
-----------------------------------------------------------------------
102 days until Mir deorbits
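As an added example (not code from the sanitizer, from procmail, or from anyone in this thread), the following Python models the weakness described above: a line-oriented scan of the whole message text for the `X-Content-Security:` tag fires on a sanitizer warning pasted into a message body, while a MIME-aware check that inspects only the RFC-822 header block and each MIME part's own header block does not. Both sample messages are constructed for this example; the tag values are the ones quoted in the thread, and the function names are the example's own.

```python
"""Added example (not part of the sanitizer or this thread): a naive
whole-message scan for the X-Content-Security: tag versus a MIME-aware
check that only looks at real header sections."""
import re
from email import message_from_string

# Constructed sample: a clean message whose body carries a sanitizer
# warning pasted inline. The header-looking lines are body text.
QUOTED_REPORT = """\
From: alice@example.invalid
To: list@example.invalid
Subject: Re: sanitizer advisory
MIME-Version: 1.0
Content-Type: text/plain

Here is what the sanitizer sent me, pasted as-is:

--==i3.9.0oisdboibsd((kncd
Content-Type: TEXT/PLAIN;
X-Content-Security: NOTIFY
X-Content-Security: REPORT: Trapped poisoned executable "YOU_are_FAT!.TXT.pif"
X-Content-Security: QUARANTINE
Content-Description: SECURITY WARNING
"""

# Constructed sample: a message the sanitizer actually tagged, with the
# tag in a MIME part's header block, where the procmail rules expect it.
TAGGED_MESSAGE = """\
From: bob@example.invalid
To: carol@example.invalid
Subject: attachment
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd1"

--bnd1
Content-Type: text/plain

see attached
--bnd1
Content-Type: text/plain; name="defanged"
X-Content-Security: REPORT: Trapped poisoned executable "example.pif"
X-Content-Security: QUARANTINE
Content-Description: SECURITY WARNING

(attachment body removed)
--bnd1--
"""

# Line-anchored pattern, as a rule scanning the message text would use it.
TAG_RE = re.compile(r"^X-Content-Security:\s*QUARANTINE", re.I | re.M)


def naive_should_quarantine(raw: str) -> bool:
    """Scan every line of the raw message, header or body alike.
    This is the behaviour that misfires on quoted warnings."""
    return TAG_RE.search(raw) is not None


def mime_aware_should_quarantine(raw: str) -> bool:
    """Parse the message and consult only header blocks: the RFC-822
    header and the header block of every MIME part. Body text, including
    pasted header-lookalikes, is never examined."""
    msg = message_from_string(raw)
    for part in msg.walk():  # walk() yields the message itself and each part
        for value in part.get_all("X-Content-Security", []):
            if value.strip().upper().startswith("QUARANTINE"):
                return True
    return False


def compare(raw: str) -> dict:
    """Return both verdicts for a message so the difference is visible."""
    return {
        "naive": naive_should_quarantine(raw),
        "mime_aware": mime_aware_should_quarantine(raw),
    }


if __name__ == "__main__":
    print("quoted report :", compare(QUOTED_REPORT))   # naive True, mime_aware False
    print("tagged message:", compare(TAGGED_MESSAGE))  # both True
```

The MIME-aware version is a model of the "MIME-awareness in procmail" John says would be needed: the tag only counts when the parser finds it in a header block. A pasted warning, a quoted reply, or a forwarded body that happens to contain the tag text stays a false positive for the naive scan but is ignored by the parser-based check.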