[Esd-l] Email Sanitizer identify zip as Office attachments
Jim Bucks
jbucks at coloradostudios.com
Wed Apr 21 10:50:26 PDT 2004
You could add *.zip to the MANGLE_EXTENSIONS in you procmailrc file -
here's mine:
MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|vcf|nws|wsz|ad[ep]|jse?|md[abew]|ms[ip]|reg|as[dfx]|c[ip]l|pps|asx|pe|wm[avszd]|mp3|mpg|zip|\{[-0-9a-f]+\}'
, or into the poisoned-files, file.
Jim
"mikechiarappa at libero.it" wrote:
>
> Hello,
>
> I have installed E-mail Sanitizer, three days ago, into my Linux Server (SuSE 9.0 Pro, MTA postfix) and work good but it don't
> scan .zip attachments.
>
> I use this [/etc/procmailrc] file:
>
> # /etc/procmail/procmailrc
>
> PATH="/usr/bin:$PATH:/usr/local/bin"
> SHELL=/bin/sh
>
> POISONED_EXECUTABLES=/etc/procmail/poisoned-files
> ZIPPED_EXECUTABLES=/etc/procmail/poisoned-files-zip
> # STRIPPED_EXECUTABLES=/etc/procmail/stripped-files
> SECURITY_NOTIFY="postmaster"
> SECURITY_NOTIFY_VERBOSE=""
> SECURITY_NOTIFY_SENDER=""
> SECRET="ujytmhb24yfi2i42309tgh"
> SECURITY_POISON_WINEXE=YES
>
> # This file must already exist, with proper permissions (rw--w--w-):
> SECURITY_QUARANTINE=/var/spool/mail/quarantine
>
> POISONED_SCORE=25
> # This file must already exist, with proper permissions (rw--w--w-):
> SCORE_HISTORY=/var/log/macro-scanner-scores
>
> # This file must already exist, with proper permissions (rw--w--w-):
> LOGFILE=/var/log/procmail.log
>
> # DEBUG=YES
> # DEBUG_VERBOSE=YES
>
> # Use Perl CPAN Modules MIME::Base64 and File::mktemp
> USE_CPAN=YES
>
> # Finished setting up, now run the sanitizer...
> INCLUDERC=/etc/procmail/html-trap.procmail
>
> # Reset some things to avoid leaking info to
> # the users...
> POISONED_EXECUTABLES=
> ZIPPED_EXECUTABLES=
> STRIPPED_EXECUTABLES=
> SECURITY_NOTIFY=
> SECURITY_NOTIFY_VERBOSE=
> SECURITY_NOTIFY_SENDER=
> SECURITY_QUARANTINE=
> SECRET=
>
> # --- End of /etc/procmail/procmailrc
>
> For test I have sended an email with the attach file [fakevirus.zip] and have noted in [procmail.log] this row:
>
> Checking Office document "=?iso-8859-1?Q?fakevirus.zip?=" for poisoning.
>
> Seems that Sanitizer don't recognize attachment as a zip file but as an Office file.
> I have tried to disable perl packages MIME::Base64 and File::MkTemp using [mimencode] and [mktemp] esternal commands
> instead, and setting USE_CPAN=OFF, but the result is the same.
>
> Do you have some suggestion or hint about this problem ?
> Now I have inserted *.zip files into POISON_EXECUTABLES list.... :-))
>
> Thank you.
>
> Mike Chiarappa
> mikechiarappa at libero.it
> _______________________________________________
> Esd-l mailing list
> Esd-l at spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
--
Jim Bucks - IT/IS Support www.coloradostudios.com
2400 N. Ulster St. Denver, CO 80238 Main 303-388-8500
jbucks at coloradostudios.com DiD 303-542-5520
More information about the esd-l
mailing list