From xxx@example.com Thu Aug 3 07:32:10 2000
Return-Path:
Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT
From: xxx@example.com
Date: Thu, 3 Aug 2000 06:39:59 GMT
Message-Id: <200008030639.GAA23780@example.com>
Sender: xxx@example.com
Subject: DEFANGED[99] very very very very very very very very very very very very very long subject which looks a bit like a file name.txt with more than one extension.exe
To: fake@example.com
X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV"

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: text/plain; charset="iso-8859-1"; name="DEFANGED-100.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline; name="DEFANGED-100.txt"

****
NOTE: An attachment was deleted from this part of the message, because
it failed one or more checks by the virus scanning system. See the
attached sanitization log for more details or contact your system
administrator.

The removed attachment's name was:

    winmail.dat

It might be a good idea to contact the sender and warn them that
their system is infected.
****

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-101; charset="iso-8859-1"; name="yell_w_txt.DEFANGED-101"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment

this is an unnamed file, which should be treated as if it were yellow

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-102; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa_vbs_txt.DEFANGED-102"

this is also a very evil file.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline

****
NOTE: An attachment was deleted from this part of the message, because
it failed one or more checks by the virus scanning system. The file
has been quarantined on the mail server, with the following file name:

    .tmp.GHI

The removed attachment's original name was:

    red.txt

It is recommended that you contact your system administrator if you
need access to the file. It might also be a good idea to contact the
sender, and warn them that their system may be infected.
****

this file is rather evil

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-1000104; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="BLACKLISTED.DEFANGED-1000104"

this file is pretty yucky

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-1000105; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="yell_w_txt.DEFANGED-1000105"

this file is somewhat suspicious

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: attachment; filename="green.txt"
Content-Transfer-Encoding: 8bit

this file is nice

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="strange.txt"

this file is strange

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-1000107; charset="iso-8859-1"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="scan me silly_txt.DEFANGED-1000107"

L2Jpbi9mYWxzZSBtZSE=

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: application/DEFANGED-2000108; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="scan me happy_txt.DEFANGED-2000108"

Yeah baby.

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/replacement; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="replace_me.REPLACEMENT.txt" This is a simple replacement file. Oogabooga. This should get encoded: =DE=E6=F6=F0! --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): Truncated long subject line: >>this is a very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very long subject which looks a bit like a file name.txt with more than one extension.exe<< Writer (pos="1098"): Total modifications so far: 11 Part (pos="1137"): SanitizeFile (filename="winmail.dat", mimetype="application/ms-tnef"): No attachment name found, using default (winmail.dat). Match (rule="6"): Enforced policy: drop Replaced mime type with: text/plain Replaced file name with: DEFANGED-100.txt Part (pos="1318"): SanitizeFile (filename="yellów.txt", mimetype="application/x-snort-snort"): No attachment name found, using default (yellów.txt). Match (rule="1"): ScanFile (file="./.tmp.ABC"): File was infected, but the virus checker fixed it. 
      Enforced policy: unknown
    Match (rule="10"):
      Enforced policy: unknown
    Match (rule="4"):
      Enforced policy: defang
    Replaced mime type with: application/DEFANGED-101
    Replaced file name with: yell_w_txt.DEFANGED-101

Part (pos="1555"):
  SanitizeFile (filename="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa.vbs.txt", mimetype="text/plain"):
    Match (rule="1"):
      ScanFile (file="./.tmp.DEF"):
        File was infected, but the virus checker fixed it.
      Enforced policy: unknown
    Match (rule="10"):
      Enforced policy: unknown
    Match (rule="9"):
      Enforced policy: unknown
    Match (rule="default"):
      Enforced policy: defang
    Replaced mime type with: application/DEFANGED-102
    Replaced file name with: 2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa_vbs_txt.DEFANGED-102

Part (pos="1848"):
  SanitizeFile (filename="red.txt", mimetype="text/plain"):
    Match (rule="1"):
      ScanFile (file="./.tmp.GHI"):
        File was infected, but the virus checker fixed it.
      Enforced policy: unknown
    Match (rule="10"):
      Enforced policy: unknown
    Match (rule="2"):
      Enforced policy: save
    Replaced file name with: DEFANGED-1000103.txt

Part (pos="2045"):
  SanitizeFile (filename="orange.txt", mimetype="text/plain"):
    Match (rule="1"):
      ScanFile (file="./.tmp.JKL"):
        File was infected, but the virus checker fixed it.
      Enforced policy: unknown
    Match (rule="10"):
      Enforced policy: unknown
    Match (rule="3"):
      Enforced policy: mangle
    Replaced mime type with: application/DEFANGED-1000104
    Replaced file name with: BLACKLISTED.DEFANGED-1000104

Part (pos="2246"):
  SanitizeFile (filename="yellów.txt", mimetype="text/plain"):
    Match (rule="1"):
      ScanFile (file="./.tmp.MNO"):
        File was infected, but the virus checker fixed it.
      Enforced policy: unknown
    Match (rule="10"):
      Enforced policy: unknown
    Match (rule="4"):
      Enforced policy: defang
    Replaced mime type with: application/DEFANGED-1000105
    Replaced file name with: yell_w_txt.DEFANGED-1000105

Part (pos="2451"):
  SanitizeFile (filename="green.txt", mimetype="text/plain"):
    Match (rule="1"):
      ScanFile (file="./.tmp.PQR"):
        File was infected, but the virus checker fixed it.
      Enforced policy: unknown
    Match (rule="10"):
      Enforced policy: unknown
    Match (rule="5"):
      Enforced policy: accept

Part (pos="2643"):
  SanitizeFile (filename="strange.txt", mimetype="text/plain"):
    Match (rule="1"):
      ScanFile (file="./.tmp.STU"):
        File was infected, but the virus checker fixed it.
      Enforced policy: unknown
    Match (rule="10"):
      Enforced policy: unknown
    Match (rule="7"):
      Enforced policy: warn
    Match (rule="8"):
      Enforced policy: accept

Part (pos="2840"):
  SanitizeFile (filename="scan me silly.txt", mimetype="text/plain"):
    Match (rule="1"):
      ScanFile (file="./.tmp.VWX"):
        File was infected, but the virus checker fixed it.
      Enforced policy: unknown
    Match (rule="10"):
      Enforced policy: unknown
    Match (rule="9"):
      Enforced policy: unknown
    Match (rule="default"):
      Enforced policy: defang
    Replaced mime type with: application/DEFANGED-1000107
    Replaced file name with: scan me silly_txt.DEFANGED-1000107

Part (pos="3045"):
  SanitizeFile (filename="scan me happy.txt", mimetype="text/plain"):
    Match (rule="1"):
      ScanFile (file="./.tmp.YZ0"):
        File was infected, but the virus checker fixed it.
      Enforced policy: unknown
    Match (rule="10"):
      Enforced policy: unknown
    Match (rule="9"):
      Enforced policy: unknown
    Match (rule="default"):
      Enforced policy: defang
    Replaced mime type with: application/DEFANGED-2000108
    Replaced file name with: scan me happy_txt.DEFANGED-2000108

Part (pos="3238"):
  SanitizeFile (filename="replace.me", mimetype="text/plain"):
    Match (rule="9"):
      Enforced policy: unknown
    Match (rule="11"):
      ScanFile (file="./.tmp.123"):
        Scan succeeded, file is clean.
      Enforced policy: accept
    Replaced mime type with: text/replacement
    Replaced file name with: replace_me.REPLACEMENT.txt

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV--

*** Exit code was 1 ***
./.tmp.123
./.tmp.GHI