From xxx@example.com Thu Aug 3 07:32:10 2000
Return-Path:
Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT
From: xxx@example.com
Date: Thu, 3 Aug 2000 06:39:59 GMT
Message-Id: <200008030639.GAA23780@example.com>
Sender: xxx@example.com
Subject: DEFANGED[99] very very very very very very very very very very very very very long subject which looks a bit like a file name.txt with more than one extension.exe
To: fake@example.com
X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV"

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-101; charset="evil"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment

this is a very evil file.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/x-snort-snort_garbage; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment

this is an unnamed file, which should be left alone

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="aaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7_________.vbs.txt"

this is also a very evil file.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-104; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="BLACKLISTED.DEFANGED-104"

Blacklisted by policy 1.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-105; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="BLACKLISTED.DEFANGED-105"

Blacklisted by policy 1.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-106; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="seven_scr.DEFANGED-106"

Blacklisted by policy 7.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: text/something_quite_invalid
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="nine.txt"

Whitelisted by policy 9.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: attachment; filename="eleven.zip"
Content-Transfer-Encoding: 8bit

Whitelisted by policy 11.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: attachment; filename="thirteen.ppt"
Content-Transfer-Encoding: 8bit

Whitelisted by policy 13.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: attachment; filename="fifteen.3ds"
Content-Transfer-Encoding: 8bit

Whitelisted by policy 15.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-108; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="mismatch_3ds.DEFANGED-108"

MIME-type/filename mismatch, blocked by generic rule.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-109; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="BLACKLISTED.DEFANGED-109"

RFC2231 i18n-encoded blacklisted attachment name.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: text/sanitizer-log; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="sanitizer.log"

This message has been 'sanitized'. This means that potentially
dangerous content has been rewritten or removed. The following
log describes which actions were taken.

Sanitizer (start="0"):
Truncated long subject line:
>>=?ISO-8859-1?Q?this_is_a_very_very_very_very_very_very_very_very_very_very_very_very_this_is_a_very_very_very_very_very_very_very_very_very_very_very_very_this_is_a_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_long_subject_which_looks_a_bit_like_a_file_name.txt_with_more_than_one_extension.exe?=<<
MIME boundary missing, guessed: >>=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV<<
Writer (pos="3470"):
Total modifications so far: 11
Part (pos="6172"):
SanitizeFile (filename="winmail.dat", mimetype="application/ms-tnef"):
Match (rule="default"):
Enforced policy: defang
Replaced mime type with: application/DEFANGED-101
Replaced file name with: winmail_dat.DEFANGED-101
Part (pos="6353"):
SanitizeFile (filename="unnamed.txt", mimetype="application/x-snort-snort garbage"):
Match (rule="9"):
Enforced policy: accept
Rewrote MIME field type as >>application/x-snort-snort_garbage<< (was >>application/x-snort-snort garbage<<)
Part (pos="6580"):
SanitizeFile (filename="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7áéíóúýáéí.vbs.txt", mimetype="text/plain"):
Match (rule="9"):
Enforced policy: accept
Replaced file name with: aaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7_________.vbs.txt
Part (pos="6926"):
SanitizeFile (filename="wtc.exe", mimetype="text/plain"):
Match (rule="1"):
Enforced policy: mangle
Replaced mime type with: application/DEFANGED-104
Replaced file name with: BLACKLISTED.DEFANGED-104
Part (pos="7123"):
SanitizeFile (filename="one.jpeg.exe", mimetype="text/plain"):
Match (rule="1"):
Enforced policy: mangle
Replaced mime type with: application/DEFANGED-105
Replaced file name with: BLACKLISTED.DEFANGED-105
Part (pos="7325"):
SanitizeFile (filename="seven.scr", mimetype="text/plain"):
Match (rule="7"):
Enforced policy: defang
Replaced mime type with: application/DEFANGED-106
Replaced file name with: seven_scr.DEFANGED-106
Part (pos="7524"):
SanitizeFile (filename="nine.txt", mimetype="text/something quite invalid"):
Match (rule="9"):
Enforced policy: accept
Rewrote MIME field type as >>text/something_quite_invalid<< (was >>text/something quite invalid<<)
Part (pos="7718"):
SanitizeFile (filename="eleven.zip", mimetype="text/plain"):
Match (rule="11"):
Enforced policy: accept
Part (pos="7919"):
SanitizeFile (filename="thirteen.ppt", mimetype="text/plain"):
Match (rule="5"):
ScanFile (file="/tmp/att-ABC-thirteen.ppt"):
MacroScan ():
Attachment passed macro scan with a score of 0.
Scan succeeded, file is clean.
Enforced policy: unknown
Match (rule="13"):
Enforced policy: accept
Part (pos="8122"):
SanitizeFile (filename="fifteen.3ds", mimetype="text/plain"):
Match (rule="15"):
Enforced policy: accept
Part (pos="8324"):
SanitizeFile (filename="mismatch.3ds", mimetype="audio/x-wav"):
Match (rule="15"):
Enforced policy: accept
File name doesn't match MIME type, defanging.
Replaced mime type with: application/DEFANGED-108
Replaced file name with: mismatch_3ds.DEFANGED-108
Part (pos="8556"):
SanitizeFile (filename="wtc.exe", mimetype="audio/x-wav"):
Match (rule="1"):
Enforced policy: mangle
Replaced mime type with: application/DEFANGED-109
Replaced file name with: BLACKLISTED.DEFANGED-109

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV--

*** Exit code was 0 ***
rm: cannot lstat `./.tmp.*': No such file or directory