Hi all.
I have a mail server with Anomy sanitizer ver 1.63 on it. I see that in
September there was a discussion on the Anomy-bugs mailing list about PDF
files which are 'sanitized'. I have the same bugs with it.
Below I show some information about wrongly passed letters:
Here is the letter which was redirected to me by my user; he attached broken PDFs
X-Mailer: The Bat! (v1.60)
Content-Type: multipart/mixed;
boundary="----------331438BDB27FE"
------------331438BDB27FE
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit
.....
------------331438BDB27FE
Content-Type: application/pdf; name="00003878.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="00003878.pdf"
....base64 text
As far as I can see, everything here is normal. But the first time, the letter
was processed like this:
-f 28858@xyz.molar.is -- 28895@xyz.molar.is
Tue Nov 4 13:52:45 SAMT 2003
Sanitizer (start="1067939565"):
SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
Match (names="unnamed.txt", rule="2"):
Enforced policy: accept
Rewrote HTML tag: >>_A A D04-,,QSG($00_<<
as: >>_A DEFANGED_A D04-,,QSG($00_<<
Rewrote HTML tag: >>_B O1FQA=&5$96-O M9&4@/CX@#7-T_F5A;0T*2(F45UESVT82?E_<<
as: >>_B DEFANGED_O1FQA="&5$96-O"
M9&4@/CX@#7-T_F5A;0T*2(F45UESVT82?E_<<
Split really long tag (over 2k):
>>_O_________L5_________]K_ ... _________[_______U__K___<<
Rewrote HTML tag: >>_A M_MDL9_10_<<
as: >>_A DEFANGED_M_MDL9_10_<<
Total modifications so far: 4
WHY is base64 content recognized as "HTML tag"s?
And one more sample:
-f 28858@xyz.molar.is -- 28895@xyz.molar.is
Tue Nov 4 13:53:28 SAMT 2003
Sanitizer (start="1067939609"):
SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
Match (names="unnamed.txt", rule="2"):
Enforced policy: accept
Rewrote HTML tag: >>_B O1FQA=&5$96-O9&4@+TQE;F=T:" X-B
P(%(@/CX@#7-T_F5A;0T*2(EC M8&!@9F!@*6)@96#@V_7 SX
as: >>_B DEFANGED_O1FQA='&5$96-O9&4@+TQE;F=T:"' DEFANGED_X-B
P(%(@/CX@#7-T_F5A;0T*2(EC M8&!
Rewrote HTML tag: >>_B -+T%S8V5N=" W,#8@ M#2]#87!(96EG:'0@-S$R( TO1&5S8V5N="
M,3DY( TO1FQA9W,@-B -+T9O M;
as: >>_B -+T%S8V5N=" W,#8@ M#2]#87!(96EG:'0@-S$R( TO1&5S8V5N="
M,3DY( TO1FQA9W,@-B -+T9O M;
Rewrote HTML tag: >>_A A D04-,,QSG($00_<<
as: >>_A DEFANGED_A D04-,,QSG($00_<<
Rewrote HTML tag: >>_B O1FQA=&5$96-O
M9&4@/CX@#7-T_F5A;0T*2(FD5UF/X\81?A]@_@-?@O0$,UQV\W[_(QO;_.+$ M*\ /.
as: >>_B DEFANGED_O1FQA="&5$96-O"
M9&4@/CX@#7-T_F5A;0T*2(FD5UF/X\81?A]@_@-?@O0$,UQV\W[_(QO;
Rewrote HTML tag: >>_B S,B - M+TQA_W1#:&%R(#(U,2 -+U=I9'1H_R!;(#(W." S,S,@-#
P(#4U-B U-38@ M.#,S(#@U,B R,
as: >>_B S,B DEFANGED_- M+TQA_W1#:&%R(#(U,2
-+U=I9'1H_R!;(#(W." S,S,@-# P(#4U-B U-38@ M.#,S
Total modifications so far: 15
Why do safe extensions (as described in anomy.conf) not pass "as is" but get
"sanitized"? As a result the user gets an unreadable PDF %((
So strange - it happens only with PDFs and only (but I am not sure) those sent
from elibrary.ru.
In all other cases Anomy works great.
--
Mike
registered linux user #315334
jabber id: 28933@xyz.molar.is