[Esd-l] security_notify_sender
Jason Noble
sysadmin at polezero.com
Wed Feb 6 04:56:01 PST 2002
On Tue, 5 Feb 2002, Jason Noble wrote:
> On 2002.02.04 20:09 John D. Hardin wrote:
> > On Mon, 4 Feb 2002, Jason Noble wrote:
> > > > From root Mon Feb 4 10:19:20 2002
> > > Subject: test
> > > Folder: /var/spool/mail/quarantine 71868
> > > procmail: Extraneous locallockfile ignored
> > > procmail: Extraneous locallockfile ignored
> > > procmail: Extraneous locallockfile ignored
> > > procmail: Lock failure on ".lock"
> > That stuff is unexpected. What are the permissions on the quarantine
> > file?
>
> -rw--w--w- 1 root mail 79773941 Feb 5 08:52 /home/mail/quarantine
>
> > Try turning on verbose logging with "DEBUG_VERBOSE=Y" and see what
> > gets logged.
> >
> Ok... (attached log)
>
> > --
> > John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
> > jhardin at impsec.org pgpk -a jhardin at wolfenet.com
> > 768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
> > 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> > -----------------------------------------------------------------------
> > In 1998 more than three times as many people in the US were killed
> > by incompetent physicians than were killed by handguns, yet the
> > President of the A.M.A. is adopting "gun safety" as his platform.
> > -----------------------------------------------------------------------
> > 1002 days until the Presidential Election
> > _______________________________________________
> > Esd-l mailing list
> > Esd-l at spconnect.com
> > http://www.spconnect.com/mailman/listinfo/esd-l
> >
> [demime 0.98e removed an attachment of type application/octet-stream]
>
procmail: Extraneous locallockfile ignored
procmail: Extraneous locallockfile ignored
procmail: Extraneous locallockfile ignored
procmail: Lock failure on ".lock"
procmail: [1171] Tue Feb 5 08:52:13 2002
procmail: Match on ! "[^ ]"
procmail: Score: 0 0
"\<(html|title|body|meta|app|script|object|embed|i?frame|style|img|bgsound|layer|link)"
procmail: Score: 0 0 "=(3d)?[
]*["'](&{|([a-z]+script|mocha):)"
procmail: Match on ! "[^ ]"
procmail: Assigning
"MANGLE_EXTENSIONS=html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|as[dfx]|cil|pps|wm[szd]|vcf|nws|\{[-0-9a-f]+\}"
procmail: No match on "^begin[ ]+([0-9]+)?[ ]+[^ ]+"
procmail: Match on ! "^X-Content-Security: \[mail.polezero.com\]
(QUARANTINE|DISCARD)"
procmail: Score: 2147483647 2147483647 "^Content-Type[
]*:.*(application|multipart)/[^ ]*;"
procmail: Assigning "LOG=Sanitizing MIME attachment headers in "testing"
from
Jason Noble <nobleja at fuse.net> to nobleja
msgid=<20020205135200.PGNW957.mta01.fuse.net at there>
"
Sanitizing MIME attachment headers in "testing" from Jason Noble
<nobleja at fuse.net> to nobleja
msgid=<20020205135200.PGNW957.mta01.fuse.net at there>
procmail: Assigning "LOGFILE=/home/nobleja/procmail.log"
procmail: Opening "/home/nobleja/procmail.log"
procmail: Assigning "POISONED_SCORE=25"
procmail: Executing " perl -p -e ' #\
$pastmsghdr = 1 if /^\s*$/; #\
$XCS = "X-Content-Security: [" . $ENV{"HOST"} . "]" unless
$XCS; #\
if ($pastmsghdr) { #\
if (!$mimebdry && $mimebdrs[0]) { #\
warn " Found no MIME boundary.\n" if $ENV{"DEBUG"}; #\
$mimebdry = pop @mimebdrs; #\
$newbdry = pop @newbdrs; #\
$rawbdry = pop @rawbdrs; #\
$bdrytoolong = pop @bdrstoolong; #\
$gotbdry = pop @gotbdrs; #\
$nullbdry = pop @nullbdrs; #\
} #\
$_ = "" if $strip_attachment && !$gotbdry; #\
} else { #\
if (($type,$format,$junk) =
/^Content-Type\s*:\s.*(application|multipart|message)\/(\S+)(;.*)?$/i)
{ #\
$wanthdr = 1; #\
print "X-Security: MIME headers sanitized on ", $ENV{"HOST"},
"\n"; #\
print "\tSee
http://www.impsec.org/email-tools/sanitizer-intro.html\n"; #\
print "\tfor details. \$Revision: 1.133 $x\$Date: 2002-01-05
17:09:21-08 $x\n"; #\
print "X-Security: The postmaster has not enabled quarantine of
poisoned messages.\n" unless $ENV{"SECURITY_QUARANTINE"}; #\
if ($type =~ /application/i) { #\
$inmimehdr = 1; #\
} elsif ($type =~ /message/i && $format =~ /rfc822/i) { #\
$rcrsmsg = $inmimehdr = 1; #\
} #\
} elsif (/^\S/) { #\
$wanthdr = 0; #\
} #\
if ($wanthdr) { #\
if (($mimebdry) = /boundary\s*=\s*(("")|("[^"]+")|([^"]\S+))/i)
{ #\
$mimebdry =~ s/(^"|"$)//g; #\
$rawbdry = $mimebdry; #\
$gotbdry = 1; #\
$wanthdr = 0; #\
$bdrytoolong = $nullbdry = 0; #\
if ($bdrytoolong = (length($mimebdry) > 80)) { #\
warn " Truncating long MIME body-part boundary
string.\n"; #\
$newbdry = substr($mimebdry,0,64); #\
$mimebdry = quotemeta($mimebdry); #\
s/${mimebdry}/${newbdry}/; #\
$rawbdry =~ s/${mimebdry}/${newbdry}/; #\
} elsif ($nullbdry = (length($mimebdry) < 1)) { #\
warn " Replacing null MIME body-part boundary
string.\n"; #\
$newbdry =
"==NULL_MIME_BOUNDARY_ATTACK_SANITIZED-${$}=="; #\
s/boundary\s*=\s*""/boundary = "${newbdry}"/i; #\
} else { #\
$mimebdry = quotemeta($mimebdry); #\
} #\
} #\
} #\
} #\
if ($mimebdry || ($gotbdry && $nullbdry) || $inmimehdr) { #\
if (/^\s*$/) { #\
$inmimehdr = 0; #\
if ($rcrsmsg) { #\
push @mimebdrs, $mimebdry; #\
push @newbdrs, $newbdry; #\
push @rawbdrs, $rawbdry; #\
push @bdrstoolong, $bdrytoolong; #\
push @gotbdrs, $gotbdry; #\
push @nullbdrs, $nullbdry; #\
$mimebdry = $newbdry = ""; #\
$rcrsmsg = $pastmsghdr = $bdrytoolong = $gotbdry = 0; #\
} #\
} elsif (/^--${mimebdry}(--)?$/) { #\
$mend = $1; #\
s/${mimebdry}/${newbdry}/ if $bdrytoolong; #\
s/^--/--${newbdry}${mend}/ if $nullbdry; #\
if ($mend) { #\
if ($mimebdrs[0]) { #\
$mimebdry = pop @mimebdrs; #\
$newbdry = pop @newbdrs; #\
$rawbdry = pop @rawbdrs; #\
$bdrytoolong = pop @bdrstoolong; #\
$gotbdry = pop @gotbdrs; #\
$nullbdry = pop @nullbdrs; #\
} #\
} else { #\
$inmimehdr = 1; #\
$rcrsmsg = $strip_attachment = $check_attachment = 0; #\
} #\
} elsif (!$inmimehdr && $strip_attachment) { #\
$_ = ""; #\
} elsif (!$inmimehdr && $check_attachment) { #\
$check_attachment = 0; #\
if ($destf = `mktemp /tmp/mailchk.XXXXXX`) { #\
chomp($destf); #\
if (open(DECODE,"|mimencode -u -o $destf")) { #\
do { #\
print $_; #\
print DECODE $_; #\
$_ = <>; #\
$lastline = $_; #\
} until (/^\s*$/ || /^--/); #\
close(DECODE); #\
$msapp = $score = 0; #\
@scores = (); #\
$why = ""; #\
# Run virus-checker here. #\
open(ATTCH,"< $destf"); #\
while (<ATTCH>) { #\
if (/\000(VirusProtection)/i) { #\
$why .= " 99 for $1\n"; #\
$score+= 99; #\
} #\
if (/\000(select\s[^\000]*shell\s*\(\s*["\047])/i) { #\
$why .= " 99 for $1\n"; #\
$score+= 99; #\
} #\
if (/\000(regedit)/i) { #\
$why .= " 9 for $1\n"; #\
$score+= 9; #\
} #\
if (/\000(Shell\s*\()/i) { #\
$why .= " 9 for $1\n"; #\
$score+= 9; #\
} #\
if (/\000(Save(Normal|Properties)Prompt)/i) { #\
$why .= " 9 for $1\n"; #\
$score+= 9; #\
} #\
if (/\000(Outlook\.Application)\000/i) { #\
$why .= " 9 for $1\n"; #\
$score+= 9; #\
} #\
if (/\000(CountOfLines)/i) { #\
$why .= " 9 for $1\n"; #\
$score+= 9; #\
} #\
if (/\000(AddFromString)/i) { #\
$why .= " 9 for $1\n"; #\
$score+= 9; #\
} #\
if (/\000(StartupPath)/i) { #\
$why .= " 9 for $1\n"; #\
$score+= 9; #\
} #\
if (/\000(CreateObject)/i) { #\
$why .= " 4 for $1\n"; #\
$score+= 4; #\
} #\
if
(/(\000|\004)([a-z0-9_]\.)*(Autoexec|Workbook_(Open|BeforeClose|Window(De)?activate)|Document_(Open|New|Close))/i)
{ #\
$why .= " 4 for $&\n"; #\
$score+= 4; #\
} #\
if
(/(\000|\004)(Logon|AddressLists|AddressEntries|Recipients|Attachments|Logoff)/i)
{ #\
$why .= " 4 for $&\n"; #\
$score+= 4; #\
} #\
if (/(\000|\004)(Subject|Body)/i) { #\
$why .= " 4 for $&\n" unless $scores[0]; #\
$scores[0] = 4; #\
} #\
if (/\000(Options[^\w\s])/i) { #\
$why .= " 2 for $1\n"; #\
$score+= 2; #\
} #\
if (/\000(CodeModule)/i) { #\
$why .= " 2 for $1\n"; #\
$score+= 2; #\
} #\
if (/\000(([a-z]+\.)?Application)\000/i) { #\
$why .= " 2 for $1\n"; #\
$score+= 2; #\
} #\
if (/(\000|\004)stdole/i) { #\
$why .= " 2 for $&\n"; #\
$score+= 2; #\
} #\
if (/(\000|\004)NormalTemplate/i) { #\
$why .= " 2 for $&\n"; #\
$score+= 2; #\
} #\
if (/\000(ID="{[-0-9A-F]+(}")?)/i) { #\
$why .= " 4 for $1\n"; #\
$score+= 4; #\
} #\
if (/\000(ThisWorkbook)\000/i) { #\
$why .= " 1 for $1\n"; #\
$score+= 1; #\
} #\
if (/\000(PrivateProfileString)/i) { #\
$why .= " 1 for $1\n"; #\
$score+= 1; #\
} #\
if
(/(\000|\004)(ActiveDocument|ThisDocument|ThisWorkbook)/i)
{ #\
$why .= " 1 for $&\n"; #\
$score+= 1; #\
} #\
if
(/\000(\[?HKEY_(CLASSES_ROOT|CURRENT_USER|LOCAL_MACHINE))/)
{ #\
$why .= " 1 for $1\n"; #\
$score+= 1; #\
} #\
$msapp+= 1 if /\000(Microsoft (Word Document|Excel
Worksheet|Excel|PowerPoint)|MSWordDoc|Word\.Document\.[0-9]+|Excel\.Sheet\.[0-9]+)\000/;
#\
} #\
close(ATTCH); #\
unlink($destf); #\
if ($msapp) { #\
for (@scores) { #\
$score += $_; #\
} #\
if ($histfile = $ENV{"SCORE_HISTORY"}) { #\
if (open(HIST,">>$histfile")) { #\
print HIST "score=$score to=".$ENV{"TO"}."
from=".$ENV{"FROM"}."\n"; #\
close HIST; #\
} #\
} #\
$poison_score = $ENV{"POISONED_SCORE"}; #\
$poison_score = 5 if $poison_score < 5; #\
if ($score > $poison_score && !$ENV{"SCORE_ONLY"}) { #\
warn " POSSIBLE MACRO EXPLOIT: Score=$score\n"; #\
print "\n\n--$rawbdry\n"; #\
print "Content-Type: TEXT/PLAIN;\n"; #\
print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} ||
$ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "$XCS REPORT: Trapped poisoned Microsoft
attachment\n"
if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "$XCS QUARANTINE\n" if
$ENV{"SECURITY_QUARANTINE"}; #\
print "Content-Description: SECURITY WARNING\n\n"; #\
print "SECURITY WARNING!\n"; #\
print "The mail delivery system has detected that the
preceding\n"; #\
print "document attachment appears to contain hazardous
macro
code.\n"; #\
print "Macro Scanner score: $score\n"; #\
if ($ENV{"SCORE_DETAILS"}) { #\
print "Macro Scanner score details:\n"; #\
$why =~ s/[\000-\011\013-\037]//g; #\
print $why; #\
} #\
print "Contact your system administrator
immediately!\n\n"; #\
} #\
} else { #\
$score = 0; #\
} #\
if ($lastline =~ /^--${mimebdry}(--)?$/) { #\
$inmimehdr = 1; #\
$check_attachment = 0; #\
$lastline =~ s/${mimebdry}/${newbdry}/ if
$bdrytoolong; #\
} #\
print $lastline; #\
} else { #\
warn "*** Decoding: $! - mimencode?\n"; #\
} #\
} else { #\
warn "*** Cannot extract - mktemp?\n"; #\
} #\
} #\
if ($inmimehdr || $hdrcnt) { #\
if (/^(\s+\S|(file)?name)/) { #\
s/^\s*/ /; #\
s/^\s*// if $hdrtxt =~ /"[^"]*[^;]$/; #\
s/\s*\n$//; #\
$hdrtxt .= $_; #\
$_ = ""; #\
} else { #\
if ($hdrtxt) { #\
$mangle_mime_type = 0; #\
$hdrtxt =~ s/([^\\])\\"/\1\\/g; #\
if ($hdrtxt =~ /`\s*`/) { #\
warn " Fixing double backquotes.\n"; #\
$hdrtxt =~ s/`\s*`/\\"/g; #\
} #\
if ($hdrtxt =~ /^[-\w]+\s*:.*name\s*=\s*"[^"]+$/i) { #\
warn " Fixing missing close quote on filename.\n"; #\
$hdrtxt .= "\""; #\
} #\
while (($hdr, $val) = $hdrtxt =~
/^([-\w]+)\s*:.*\s(\S+)\s*=\s*""/i) { #\
warn " Null $val in $hdr header.\n"; #\
$sval = quotemeta($val); #\
$hdrtxt =~ s/\s$sval\s*=\s*""/ X-$val="{null value
sanitized}"/; #\
} #\
unless ($ENV{"SECURITY_DISABLE_OUTLOOK_HACKS"}) { #\
while (($hdr,$filen) = $hdrtxt =~
/^(Content-Description)\s*:\s*text\s+from\s+file\s+\047([^\047]+)\047/i)
{ #\
warn " Fixing file name \"$filen\" in ${hdr}:\n"; #\
$newfilen = $filen; $filen = quotemeta($filen); #\
$hdrtxt =~ s/\s+\047${filen}\047/,
filename="${newfilen}"/ig; #\
} #\
} #\
while (($junk,$filen) = $hdrtxt =~
/^Content-[-\w]+\s*:[^"]*("[^"]*"[^"]+)*name\s*=\s*([^"\s][^;]+)/i) { #\
warn " Fixing unquoted filename \"$filen\".\n"; #\
$newfilen = $filen; $filen = quotemeta($filen); #\
$newfilen =~ s/\"/\\"/g; #\
if ($newfilen =~ /\([^)]*\)/) { #\
warn " Removing embedded RFC822 comments.\n"; #\
$newfilen =~ s/\([^)]*\)//g; #\
} #\
$hdrtxt =~ s/name\s*=\s*${filen}/name="$newfilen"/ig; #\
} #\
while (($filen) = $hdrtxt =~
/^Content-[-\w]+\s*:.*name\s*=\s*"(=\?[^"]+=2E[^"]+\?=)"/i)
{ #\
warn " Fixing encoded periods in \"$filen\".\n"; #\
$newfilen = $filen; $filen = quotemeta($filen); #\
$newfilen =~ s/=2E/./ig; #\
$hdrtxt =~ s/name\s*=\s*"${filen}"/name="$newfilen"/ig; #\
} #\
while (($filen) = $hdrtxt =~
/^Content-[-\w]+\s*:.*name\s*=\s*"([^"]+)\s+"/i)
{ #\
warn " Fixing trailing spaces in filename.\n"; #\
$newfilen = $filen; $filen = quotemeta($filen); #\
$hdrtxt =~
s/name\s*=\s*"${filen}\s+"/name="$newfilen"/ig; #\
} #\
while (($filen) = $hdrtxt =~
/^Content-[-\w]+\s*:.*name\s*=\s*"([^"]{120})[^"]{16,}"/i)
{ #\
warn " Truncating long filename \"$filen...\".\n"; #\
$filen =~ s/\s+$//; #\
$filen .= "..."; #\
$filen .= "?=" if $filen =~ /^=\?/; #\
$hdrtxt =~ s/name\s*=\s*"[^"]{128,}"/name="$filen"/i; #\
$mangle_mime_type = 1; #\
} #\
if (($mtype) = $hdrtxt =~
/^Content-Type:\s+([a-z0-9-_]+\/[a-z0-9-_]+)/i)
{ #\
unless ($mtype =~ /^(multipart|text|message)\//i) { #\
unless ($hdrtxt =~ /name\s*=\s*"/i) { #\
$dfrhdr .= "$hdrtxt\n"; $hdrtxt = ""; #\
} #\
} #\
} #\
if ($hdrtxt =~ /^Content-Transfer-Encoding\s*:/i) { #\
$dfrhdr .= "$hdrtxt\n"; $hdrtxt = ""; #\
} #\
if (($filen) = $hdrtxt =~
/^Content-[-\w]+\s*:.*name\s*=\s*"([^"]+\.(do[ct]|xl[swt]|p[po]t|rtf|pps)(\?=)?)"/i)
{ #\
$stripped = 0; #\
if (!$poisoned && ($specf = $ENV{"STRIPPED_EXECUTABLES"}))
{ #\
if (open(STRIPPED,$specf)) { #\
warn "Checking \"$filen\" for stripping.\n"; #\
while (chomp($stp_spec = <STRIPPED>)) { #\
$stp_spec =~ s/^\s+//g; #\
$stp_spec =~ s/\s.*$//g; #\
next unless $stp_spec; #\
$stp_spec =~ s/([^\\])\./$1\\./g; #\
$stp_spec =~ s/\*/.*/g; #\
$stp_spec =~ s/([^\(])\?/$1./g; #\
$stp_spec .= "(\\?=)?\$" unless $stp_spec =~
/\$/; #\
warn "Checking against \"$stp_spec\"\n" if
$ENV{"DEBUG"}; #\
if ($filen =~ /^${stp_spec}/i) { #\
warn " Stripped executable \"$filen\".\n"; #\
$stripped = 1; #\
print "Content-Type: TEXT/PLAIN;\n"; #\
print "$XCS REPORT: Microsoft attachment
\"$filen\"
stripped\n"; #\
print "Content-Description: SECURITY
NOTICE\n\n"; #\
print $ENV{"STRIPPED_WARNING"}; #\
print "Filename: $filen\n\n"; #\
print "More headers follow:\n\n" unless
$pastmsghdr; #\
$_ = $dfrhdr = $hdrtxt = ""; #\
$strip_attachment = 1; #\
$inmimehdr = 0; #\
last; #\
} #\
} #\
close(STRIPPED); #\
} else { #\
warn " Unable to open stripped-executables file
\"$specf\".\n"; #\
} #\
} #\
if (!$poisoned && !$stripped && ($specf =
$ENV{"POISONED_EXECUTABLES"})) { #\
if (open(POISONED,$specf)) { #\
warn "Checking \"$filen\" for poisoning.\n"; #\
while (chomp($psn_spec = <POISONED>)) { #\
$psn_spec =~ s/^\s+//g; #\
$psn_spec =~ s/\s.*$//g; #\
next unless $psn_spec; #\
$psn_spec =~ s/([^\\])\./$1\\./g; #\
$psn_spec =~ s/\*/.*/g; #\
$psn_spec =~ s/([^\(])\?/$1./g; #\
$psn_spec .= "(\\?=)?\$" unless $psn_spec =~
/\$/; #\
warn "Checking against \"$psn_spec\"\n" if
$ENV{"DEBUG"}; #\
if ($filen =~ /^${psn_spec}/i) { #\
warn " Trapped poisoned document
\"$filen\".\n"; #\
$poisoned = 1; #\
print "Content-Type: TEXT/PLAIN;\n"; #\
print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"}
||
$ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "$XCS REPORT: Trapped poisoned Microsoft
attachment \"$filen\"\n" if $ENV{"SECURITY_NOTIFY"} ||
$ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "$XCS QUARANTINE\n" if
$ENV{"SECURITY_QUARANTINE"}; #\
print "Content-Description: SECURITY
WARNING\n\n"; #\
print $ENV{"POISONED_WARNING"}; #\
print "Macro Scanner score: 0 (poisoned by name,
scan
skipped)\n\n"; #\
last; #\
} #\
} #\
close(POISONED); #\
} else { #\
warn " Unable to open poisoned-executables file
\"$specf\".\n"; #\
} #\
} #\
$check_attachment = 1 unless
$ENV{"DISABLE_MACRO_CHECK"}; #\
} #\
if (($bndry) = $hdrtxt =~
/^Content-Type:\s+multipart\/.*\s+boundary\s*=\s*"?([^"]+)"?/i)
{ #\
push @mimebdrs, $mimebdry; #\
push @newbdrs, $newbdry; #\
push @rawbdrs, $rawbdry; #\
push @bdrstoolong, $bdrytoolong; #\
push @gotbdrs, $gotbdry; #\
push @nullbdrs, $nullbdry; #\
$mimebdry = $newbdry = $bndry; #\
$mimebdry = quotemeta($mimebdry); #\
$rcrsmsg = $bdrytoolong = $gotbdry = 0; #\
} #\
if ($hdrtxt =~ /^Content-Type:\s+message\/rfc822/i) { #\
if (!$inmimehdr) { #\
push @mimebdrs, $mimebdry; #\
push @newbdrs, $newbdry; #\
push @rawbdrs, $rawbdry; #\
push @bdrstoolong, $bdrytoolong; #\
push @gotbdrs, $gotbdry; #\
push @nullbdrs, $nullbdry; #\
$mimebdry = $newbdry = ""; #\
$rcrsmsg = $pastmsghdr = $bdrytoolong = $gotbdry =
0; #\
} else { #\
$rcrsmsg = 1; #\
} #\
} #\
if ($ENV{"SECURITY_STRIP_MSTNEF"} && $hdrtxt =~
/^Content-Type:\s+application\/MS-TNEF/i) { #\
print "Content-Type: TEXT/PLAIN;\n"; #\
print "$XCS REPORT: Stripped MS-TNEF attachment\n"; #\
print "Content-Description: SECURITY NOTICE\n\n"; #\
print $ENV{"TNEF_WARNING"}; #\
$_ = $dfrhdr = $hdrtxt = ""; #\
$strip_attachment = 1; #\
$inmimehdr = 0; #\
} #\
while (($filen) = $hdrtxt =~
/^Content-[-\w]+\s*:.*name\s*=\s*"([^"]+\.($ENV{"MANGLE_EXTENSIONS"})(\?=)?)"/io)
{ #\
$stripped = 0; #\
if (!$poisoned && ($specf = $ENV{"STRIPPED_EXECUTABLES"}))
{ #\
if (open(STRIPPED,$specf)) { #\
warn "Checking \"$filen\" for stripping.\n"; #\
while (chomp($stp_spec = <STRIPPED>)) { #\
$stp_spec =~ s/^\s+//g; #\
$stp_spec =~ s/\s.*$//g; #\
next unless $stp_spec; #\
$stp_spec =~ s/([^\\])\./$1\\./g; #\
$stp_spec =~ s/\*/.*/g; #\
$stp_spec =~ s/([^\(])\?/$1./g; #\
$stp_spec .= "(\\?=)?\$" unless $stp_spec =~
/\$/; #\
warn "Checking against \"$stp_spec\"\n" if
$ENV{"DEBUG"}; #\
if ($filen =~ /^${stp_spec}/i) { #\
warn " Stripped executable \"$filen\".\n"; #\
$stripped = 1; #\
print "Content-Type: TEXT/PLAIN;\n"; #\
print "$XCS REPORT: Attachment \"$filen\"
stripped\n"; #\
print "Content-Description: SECURITY
NOTICE\n\n"; #\
print $ENV{"STRIPPED_WARNING"}; #\
print "Filename: $filen\n\n"; #\
print "More headers follow:\n\n" unless
$pastmsghdr; #\
$_ = $dfrhdr = $hdrtxt = ""; #\
$strip_attachment = 1; #\
$inmimehdr = 0; #\
last; #\
} #\
} #\
close(STRIPPED); #\
} else { #\
warn " Unable to open stripped-executables file
\"$specf\".\n"; #\
} #\
} #\
if (!$poisoned && !$stripped && ($specf =
$ENV{"POISONED_EXECUTABLES"})) { #\
if (open(POISONED,$specf)) { #\
warn "Checking \"$filen\" for poisoning.\n"; #\
while (chomp($psn_spec = <POISONED>)) { #\
$psn_spec =~ s/^\s+//g; #\
$psn_spec =~ s/\s.*$//g; #\
next unless $psn_spec; #\
$psn_spec =~ s/([^\\])\./$1\\./g; #\
$psn_spec =~ s/\*/.*/g; #\
$psn_spec =~ s/([^\(])\?/$1./g; #\
$psn_spec .= "(\\?=)?\$" unless $psn_spec =~
/\$/; #\
warn "Checking against \"$psn_spec\"\n" if
$ENV{"DEBUG"}; #\
if ($filen =~ /^${psn_spec}/i) { #\
warn " Trapped poisoned executable
\"$filen\".\n"; #\
$poisoned = 1; #\
print "Content-Type: TEXT/PLAIN;\n"; #\
print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"}
||
$ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "$XCS REPORT: Trapped poisoned executable
\"$filen\"\n" if $ENV{"SECURITY_NOTIFY"} ||
$ENV{"SECURITY_NOTIFY_VERBOSE"}; #\
print "$XCS QUARANTINE\n" if
$ENV{"SECURITY_QUARANTINE"}; #\
print "Content-Description: SECURITY
WARNING\n\n"; #\
print $ENV{"POISONED_WARNING"}; #\
last; #\
} #\
} #\
close(POISONED); #\
} else { #\
warn " Unable to open poisoned-executables file
\"$specf\".\n"; #\
} #\
} #\
unless ($stripped) { #\
warn " Mangling executable filename \"$filen\".\n"; #\
$newfilen = $filen; $filen = quotemeta($filen); #\
$newfilen =~
s/\.([-a-z0-9{}]+(\?=)?)$/.${$}DEFANGED-$1/i; #\
$hdrtxt =~
s/name\s*=\s*"?${filen}"?/name="$newfilen"/ig; #\
$mangle_mime_type = 1; #\
} #\
} #\
if ($mangle_mime_type && $hdrtxt =~ /^Content-Type:\s/i)
{ #\
($oct) = $hdrtxt =~ /^Content-Type:.*\s(\S+\/\S+;?)/i; #\
unless ($oct =~ /application\/octet-stream;/i) { #\
print "$XCS original Content-Type was $oct\n"; #\
$oct = quotemeta($oct); #\
$hdrtxt =~ s/${oct}/application\/octet-stream;/i; #\
} #\
} #\
if ($mangle_mime_type && $hdrtxt =~ /\sx-mac-\S+/i) { #\
$eudora = ""; #\
while (($eh) = $hdrtxt =~ /(\sx-mac-\S+\s*=\s*\S+;?)/i)
{ #\
$eudora .= $eh; #\
$eh = quotemeta($eh); #\
$hdrtxt =~ s/${eh}//i; #\
} #\
print "$XCS removed$eudora\n"; #\
} #\
if (($junk) = $hdrtxt =~
/^Content-Type\s*:\s+(.{128}).{100,}$/i)
{ #\
warn " Truncating long Content-Type header.\n"; #\
$junk =~ s/"/\\"/g; #\
$hdrtxt = "Content-Type: X-BOGUS\/X-BOGUS;
originally=\"$junk...\""; #\
} elsif (($junk) = $hdrtxt =~
/^Content-Description\s*:\s+(.{128}).{100,}$/i)
{ #\
warn " Truncating long Content-Description
header.\n"; #\
$hdrtxt = "Content-Description: $junk..."; #\
} elsif (($junk) = $hdrtxt =~
/^Content-[-\w]+\s*:\s+(.{128}).{100,}$/i)
{ #\
warn " Truncating long MIME header.\n"; #\
$junk =~ s/"/\\"/g; #\
$hdrtxt =~ s/^Content-([-\w]+)\s*:.*$/X-Overflow:
Content-$1;
originally="$junk..."/i; #\
} #\
$hdrtxt =~ s/\\/\\"/g; #\
print "$hdrtxt\n" if $hdrtxt; #\
$hdrtxt = ""; #\
if (!$inmimehdr) { #\
if ($dfrhdr) { print $dfrhdr; $dfrhdr = ""; } #\
$poisoned = 0; #\
} #\
} #\
if (/^\S/) { #\
s/\s*\n$//; #\
$hdrtxt = $_; #\
$_ = ""; #\
$hdrcnt++; #\
} else { #\
$hdrcnt = 0; #\
$hdrtxt = ""; #\
} #\
} #\
} #\
} #\
' 2>> $LOGFILE"
Checking "testing.exe" for poisoning.
Trapped poisoned executable "testing.exe".
Mangling executable filename "testing.exe".
Mangling executable filename "testing.exe".
procmail: Match on "^X-Content-Security: \[mail.polezero.com\]
(NOTIFY|QUARANTINE|DISCARD)"
procmail: Score: 2147483647 2147483647 "[^ ]"
procmail: Assigning "STATUS=STATUS: Message delivered to nobleja
msgid=<20020205135200.PGNW957.mta01.fuse.net at there>"
procmail: Assigning "STATUS_PUBLIC=STATUS: Message delivered."
procmail: Assigning "REPORT=REPORT: No details available."
procmail: Assigning "SCORE=REPORT: Not a document, or already poisoned by
filename. Not scanned for macros."
procmail: Match on "[^ ]"
procmail: Assigning "STATUS=STATUS: Message quarantined in
/var/spool/mail/quarantine, not delivered to recipient."
procmail: Assigning "STATUS_PUBLIC=STATUS: Message quarantined, not
delivered
to recipient."
procmail: No match on "^X-Content-Security: \[mail.polezero.com\] DISCARD"
procmail: No match on "^\/Macro Scanner score: [1-9][0-9]+"
procmail: Match on "^X-Content-Security: \[mail.polezero.com\] REPORT:"
procmail: Assigning "REPORT="
procmail: Executing " grep "^X-Content-Security: \[${HOST}\] REPORT: " |
sed -e
's/^.* REPORT:/REPORT:/g'"
procmail: Match on ! "^X-Content-Security: \[mail.polezero.com\] NONOTIFY"
procmail: Match on "[^ ]"
procmail: Match on ! "^X-Loop: EMAIL SECURITY WARNING mail.polezero.com
luhs6413dfgkj35321dfjkhg"
procmail: Assigning "LOG=
NOTIFY nobleja
"
NOTIFY nobleja
procmail: Assigning "LASTFOLDER= ( \
echo "To: $SECURITY_NOTIFY";\
echo 'From: "Procmail Security daemon" <postmaster>';\
echo 'Subject: SECURITY WARNING - possible email attack';\
echo "X-Loop: EMAIL SECURITY WARNING $HOST $SECRET"; \
echo ;\
echo "$REPORT";\
echo $SCORE;\
echo $STATUS;\
echo ;\
echo 'Headers from message:';\
echo ;\
sed -e 's/^/> /' ;\
) | $SENDMAIL -U $SECURITY_NOTIFY"
procmail: No match on "[^ ]"
procmail: Match on "[^ ]"
procmail: No match on ! "(^(Mailing-List:|Precedence:.*(junk|bulk|list)|To:
Multiple recipients of |(((Resent-)?(From|Sender)|X-Envelope-From):|>?From
)([^>]*[^(.%@a-z0-9])?(Post(ma?(st(e?r)?|n)|office)|(send)?Mail(er)?|daemon|m(mdf|ajordomo)|n?uucp|LIST(SERV|proc)|NETSERV|o(wner|ps)|r(e(quest|sponse)|oot)|b(ounce|bs\.smtp)|echo|mirror|s(erv(ices?|er)|mtp(error)?|ystem)|A(dmin(istrator)?|MMGR|utoanswer))(([^).!:a-z0-9][-_a-z0-9]*)?[%@>
][^<)]*(\(.*\).*)?)?$([^>]|$)))"
procmail: Match on "[^ ]"
procmail: No match on "[^ ]"
procmail: Locking "/var/spool/mail/quarantine.lock"
procmail: Assigning "LASTFOLDER=/var/spool/mail/quarantine"
procmail: Opening "/var/spool/mail/quarantine"
procmail: Acquiring kernel-lock
procmail: Executing " ( \
echo "To: $SECURITY_NOTIFY";\
echo 'From: "Procmail Security daemon" <postmaster>';\
echo 'Subject: SECURITY WARNING - possible email attack';\
echo "X-Loop: EMAIL SECURITY WARNING $HOST $SECRET"; \
echo ;\
echo "$REPORT";\
echo $SCORE;\
echo $STATUS;\
echo ;\
echo 'Headers from message:';\
echo ;\
sed -e 's/^/> /' ;\
) | $SENDMAIL -U $SECURITY_NOTIFY"
procmail: [1171] Tue Feb 5 08:52:14 2002
procmail: Unlocking "/var/spool/mail/quarantine.lock"
procmail: Notified comsat: "nobleja at 79510904:/var/spool/mail/quarantine"
> From root Tue Feb 5 08:52:13 2002
Subject: testing
Folder: /var/spool/mail/quarantine 263037
procmail: Extraneous locallockfile ignored
procmail: Extraneous locallockfile ignored
procmail: Extraneous locallockfile ignored
procmail: Lock failure on ".lock"
procmail: [1185] Tue Feb 5 08:52:14 2002
procmail: Match on ! "[^ ]"
procmail: Score: 0 0
"\<(html|title|body|meta|app|script|object|embed|i?frame|style|img|bgsound|layer|link)"
procmail: Score: 0 0 "=(3d)?[
]*["'](&{|([a-z]+script|mocha):)"
procmail: Match on ! "[^ ]"
procmail: Assigning
"MANGLE_EXTENSIONS=html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|as[dfx]|cil|pps|wm[szd]|vcf|nws|\{[-0-9a-f]+\}"
procmail: No match on "^begin[ ]+([0-9]+)?[ ]+[^ ]+"
procmail: Match on ! "^X-Content-Security: \[mail.polezero.com\]
(QUARANTINE|DISCARD)"
procmail: Score: 0 0 "^Content-Type[
]*:.*(application|multipart)/[^ ]*;"
procmail: Score: 0 0 "^Content-Type[
]*:.*message/rfc822"
procmail: Score: 0 0 "^Content-Disposition[
]*:.*attachment"
procmail: No match on "^X-Content-Security: \[mail.polezero.com\]
(NOTIFY|QUARANTINE|DISCARD)"
procmail: Assigning "POISONED_EXECUTABLES="
procmail: Assigning "SECURITY_NOTIFY="
procmail: Assigning "SECURITY_NOTIFY_VERBOSE="
procmail: Assigning "SECURITY_NOTIFY_SENDER="
procmail: Assigning "SECURITY_QUARANTINE="
procmail: Assigning "SECRET="
procmail: Assigning
"PATH=/home/nobleja/bin:/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin:/usr/X11R6/bin"
procmail: Locking "/var/spool/mail/nobleja.lock"
procmail: Assigning "LASTFOLDER=/var/spool/mail/nobleja"
procmail: Opening "/var/spool/mail/nobleja"
procmail: Acquiring kernel-lock
procmail: Unlocking "/var/spool/mail/nobleja.lock"
procmail: Notified comsat: "nobleja at 4830:/var/spool/mail/nobleja"
> From nobleja Tue Feb 5 08:52:14 2002
Subject: SECURITY WARNING - possible email attack
Folder: /var/spool/mail/nobleja 1820
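An added example (my own Perl, not code from the sanitizer or from the post above): it re-implements in isolation the two steps the log shows for "testing.exe", turning a POISONED_EXECUTABLES spec line into the regex the script matches the filename against, and rewriting a filename with a MANGLE_EXTENSIONS extension to name.<pid>DEFANGED-ext. The spec lines and attachment names are constructed; 1171 is the procmail pid from the log.

```perl
#!/usr/bin/perl
# Added example, not code from the sanitizer or from the list post.
# Re-implements, in isolation, two steps the log above shows for "testing.exe":
#   1. a POISONED_EXECUTABLES / STRIPPED_EXECUTABLES spec line is turned into
#      the regex the logged script matches filenames against (glob * and ?
#      become .* and ., literal dots are escaped, an optional RFC 2047 "?="
#      tail and an end anchor are appended);
#   2. a filename whose extension is in MANGLE_EXTENSIONS is defanged to
#      name.<pid>DEFANGED-ext so the recipient's client will not execute it.
# The spec lines and attachment names below are constructed for the demo.
use strict;
use warnings;

# Extension alternation as the log shows procmail assigning MANGLE_EXTENSIONS.
my $MANGLE_EXTENSIONS =
    'html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|'
  . 'vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|'
  . 'reg|as[dfx]|cil|pps|wm[szd]|vcf|nws|\{[-0-9a-f]+\}';

# One spec-file line (e.g. "*.exe") -> anchored regex string, or undef for
# a blank line. Mirrors the s/// chain in the logged script.
sub spec_to_regex {
    my ($spec) = @_;
    chomp $spec;
    $spec =~ s/^\s+//;             # drop leading blanks
    $spec =~ s/\s.*$//;            # drop everything after the first blank
    return unless length $spec;    # blank line: nothing to match
    $spec =~ s/([^\\])\./$1\\./g;  # escape literal dots
    $spec =~ s/\*/.*/g;            # glob *  ->  .*
    $spec =~ s/([^\(])\?/$1./g;    # glob ?  ->  .   (leaves "(?" groups alone)
    $spec .= '(\?=)?$' unless $spec =~ /\$/;   # allow "?=" tail, anchor end
    return "^$spec";
}

# Regex of the first spec line that traps $filen (case-insensitive), or undef.
sub poisoned_by {
    my ($filen, @specs) = @_;
    for my $line (@specs) {
        my $re = spec_to_regex($line);
        next unless defined $re;
        return $re if $filen =~ /$re/i;
    }
    return;
}

# "name.ext" -> "name.<pid>DEFANGED-ext" when ext is in MANGLE_EXTENSIONS,
# otherwise unchanged. $pid defaults to this process's id, as ${$} does
# in the logged script.
sub mangle_filename {
    my ($filen, $pid) = @_;
    $pid = $$ unless defined $pid;
    return $filen unless $filen =~ /\.($MANGLE_EXTENSIONS)(\?=)?$/i;
    (my $new = $filen) =~ s/\.([-a-z0-9{}]+(\?=)?)$/.${pid}DEFANGED-$1/i;
    return $new;
}

# Constructed POISONED_EXECUTABLES contents: one glob per line, blank lines
# are skipped, text after the first blank is ignored.
my @poisoned_specs = (
    "*.vbs",
    "",
    "testing.exe     trailing text is dropped",
    "setup?.exe",
);

# pid 1171 is the procmail process id shown in the log.
for my $name ("testing.exe", "setup1.exe", "report.doc", "readme.txt.vbs", "notes.txt") {
    my $hit = poisoned_by($name, @poisoned_specs);
    printf "%-15s %-32s mangled: %s\n", $name,
        (defined $hit ? "trapped by $hit" : "not poisoned"),
        mangle_filename($name, 1171);
}
```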