[Esd-l] Yves Agostini's script

John D. Hardin jhardin at impsec.org
Wed Feb 25 19:07:47 PST 2004


On Wed, 25 Feb 2004, Smart,Dan wrote:

> What I meant to say was that setting the "MANGLE_EXTENSIONS"
> variable to 'zip', which is what the example Procmail code in
> testzip.pl does is not enough to actually strip or poison the zip
> attachment as I understand the Sanitizer.  The extension also
> needs to be in "poisoned" or "stripped" for something to actually
> happen.  Right?

Right. Changing $MANGLE_EXTENSIONS would cause the attachment to be
mangled, but unless a matching ".zip" filespec were in the poison or
strip list, the email would still be delivered.

Also, changing $MANGLE_EXTENSIONS to just "zip" means that you prevent
the sanitizer from defending against any other non-zip attack
attachment in the same message...

> Seems like this should do the following:
> 1. See if zip contains dangerous executable
> 	a. If yes, mark message as "discard"
> 	b. If no, send it on unaltered
> I don't understand what the "mangle" state is for?

It is possible for the end user to unmangle the attachment and
retrieve it. More detailed questions Yves will have to answer.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   38 days until the Slovakian Presidential Election
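The thread turns on three different outcomes for a zip attachment: mangled (renamed so the recipient must deliberately unmangle it), poisoned/stripped, or delivered untouched. The following is an added example, not Yves Agostini's script, testzip.pl, or any part of the Sanitizer itself: it parses a raw message, looks inside each zip attachment, and returns a "discard" verdict when a member name carries an executable extension, which is the check Dan describes in step 1. The extension list, the attachment filename and the sample message are constructed assumptions; a site would use its own poison list.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed list of member-name extensions treated as dangerous executables.
# This stands in for a site's configured poison list; it is not the Sanitizer's.
DANGEROUS_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "hta"}


def dangerous_members(zip_bytes):
    """Return member names inside a zip whose final extension is on the list.

    Returns None when the bytes are not a readable zip, so the caller can
    decide how to treat an archive it cannot inspect.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return None
    flagged = []
    for name in names:
        base = name.rsplit("/", 1)[-1]          # ignore directory prefixes
        ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
        if ext in DANGEROUS_EXTENSIONS:         # catches readme.txt.exe too
            flagged.append(name)
    return flagged


def classify_message(raw_bytes):
    """Walk a raw RFC 822 message and return ('discard', reasons) or ('deliver', []).

    Only parts whose filename ends in .zip are opened; an unreadable zip is
    treated as a reason to discard, since it cannot be shown to be safe.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []
    for part in msg.walk():
        filename = part.get_filename()
        if not filename or not filename.lower().endswith(".zip"):
            continue
        payload = part.get_payload(decode=True)
        flagged = dangerous_members(payload)
        if flagged is None:
            reasons.append(f"{filename}: unreadable zip")
        else:
            reasons.extend(f"{filename}: {member}" for member in flagged)
    return ("discard", reasons) if reasons else ("deliver", [])


def build_sample(zip_members):
    """Construct a sample message carrying one zip attachment (test data only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in zip_members.items():
            zf.writestr(name, data)
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"        # constructed addresses
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="archive.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    bad = build_sample({"docs/readme.txt": b"hello", "setup.exe": b"MZ..."})
    good = build_sample({"report.txt": b"quarterly figures"})
    print(classify_message(bad))    # ('discard', ['archive.zip: setup.exe'])
    print(classify_message(good))   # ('deliver', [])
```

The verdict is only a decision; wiring it into procmail (for example, writing the discard reasons to a log and routing the message to a quarantine folder) is left to the site's existing recipe. Note that the check keys on member names only; a renamed executable inside the archive would need content inspection, which this example does not attempt.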

