[Esd-l] Yaha is getting past John's sanitizer
Scott Taylor
scott at dctchambers.com
Tue Jul 16 12:26:01 PDT 2002
At 11:15 AM 16/07/2002, you wrote:
>At 12:02 PM 7/16/2002, Scott Taylor wrote:
>
> >What are you seeing?
>
>Copies of the worm that don't trigger John's sanitizer are making
>it in as attachments. Some of this is because the extensions
>are unusual -- we're seeing extensions like ".doc" or ".mpg".

Oops, clumsy me for sending this to you personally. (It's the only list I
subscribe to anymore that doesn't fix the header.)
I can see how .doc might get through if it's not on your poison list and it
won't find any macros.
So far, I don't seem to have this trouble; we'll need to know a lot more
about your setup if we are going to trace it down.
Are you up-to-date with the latest 1.135 Sanitizer?
The line in procmailrc and/or .procmailrc for
POISONED_EXECUTABLES=/etc/procmail/poisoned exists and is pointing to the
right file? "*.mpg" is on a line by itself, in this file? The file wasn't
written as MS-DOS text?
Have you changed or reset MANGLE_EXTENSIONS?
"*.doc" files are normally mangled and tested for macros unless you put
them in the poison file.
Scott.
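
The poison-file checks asked about above (the file is readable, it was not saved as MS-DOS text, and the pattern sits on a line by itself) can be scripted. This is an added example, not part of the original post or of the sanitizer; the function name check_poison_file is hypothetical, and the one-pattern-per-line format is assumed from the wording of the post.

```shell
#!/bin/sh
# Added example: sanity-check a sanitizer poison list.
# Assumption: one filename pattern per line, Unix (LF) line endings.

# check_poison_file FILE PATTERN
# Returns 0 if FILE is readable, contains no CR characters, and has
# PATTERN on a line by itself.
# Returns 1 = unreadable, 2 = MS-DOS text (CR found), 3 = pattern missing.
check_poison_file() {
    file=$1
    pattern=$2
    [ -r "$file" ] || { echo "unreadable: $file" >&2; return 1; }
    cr=$(printf '\r')
    if grep -qF "$cr" "$file"; then
        echo "$file contains CR characters (saved as MS-DOS text?)" >&2
        return 2
    fi
    # -x matches whole lines only; -F keeps "*" and "." literal.
    if ! grep -qxF -e "$pattern" "$file"; then
        echo "'$pattern' is not on a line by itself in $file" >&2
        return 3
    fi
    return 0
}

# Constructed sample lists (not taken from the original post).
tmp=$(mktemp -d)
printf '*.exe\n*.mpg\n'     > "$tmp/poisoned"          # correct
printf '*.exe\r\n*.mpg\r\n' > "$tmp/poisoned.dos"      # MS-DOS line endings
printf '*.exe *.mpg\n'      > "$tmp/poisoned.oneline"  # two patterns, one line

for f in poisoned poisoned.dos poisoned.oneline; do
    if check_poison_file "$tmp/$f" '*.mpg'; then
        echo "$f: ok"
    else
        echo "$f: failed (status $?)"
    fi
done
rm -rf "$tmp"
```

Run it against the file that POISONED_EXECUTABLES points to, with the extension that is slipping through as the second argument.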