anomy-bugs

Anomy v1.63 and PDF files

From: Mike Lykov (28774@xyz.molar.is)
Date: Wed 05 Nov 2003 - 07:46:17 GMT


Hi all.

I have a mail server with Anomy sanitizer ver 1.63 on it. I see that in
September there was a discussion on the Anomy-bugs mailing list about PDF
files which are 'sanitized'. I have the same bugs with it.

Below I show some information about the incorrectly processed letters:

Here is the letter which was redirected to me by my user; he attached the broken PDFs:

X-Mailer: The Bat! (v1.60)
Content-Type: multipart/mixed;
  boundary="----------331438BDB27FE"

------------331438BDB27FE
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 8bit

.....

------------331438BDB27FE
Content-Type: application/pdf; name="00003878.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="00003878.pdf"

....base64 text

As far as I can see, everything here is normal. But the first time, the letter
was processed as follows:

-f 28858@xyz.molar.is -- 28895@xyz.molar.is
Tue Nov 4 13:52:45 SAMT 2003
Sanitizer (start="1067939565"):
  SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
    Match (names="unnamed.txt", rule="2"):
      Enforced policy: accept
                                                                                                           
  Rewrote HTML tag: >>_A A D04-,,QSG($00_<<
                as: >>_A DEFANGED_A D04-,,QSG($00_<<
  Rewrote HTML tag: >>_B O1FQA=&5$96-O M9&4@/CX@#7-T_F5A;0T*2(F45UESVT82?E_<<
                as: >>_B DEFANGED_O1FQA="&5$96-O"
M9&4@/CX@#7-T_F5A;0T*2(F45UESVT82?E_<<
  Split really long tag (over 2k):
>>_O_________L5_________]K_ ... _________[_______U__K___<<
  Rewrote HTML tag: >>_A M_MDL9_10_<<
                as: >>_A DEFANGED_M_MDL9_10_<<
                                                                                                           
Total modifications so far: 4

WHY is base64 content being recognized as "HTML tag"s?

And one more sample:

-f 28858@xyz.molar.is -- 28895@xyz.molar.is
Tue Nov 4 13:53:28 SAMT 2003
Sanitizer (start="1067939609"):
  SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
    Match (names="unnamed.txt", rule="2"):
      Enforced policy: accept
                                                                                                           
  Rewrote HTML tag: >>_B O1FQA=&5$96-O9&4@+TQE;F=T:" X-B
P(%(@/CX@#7-T_F5A;0T*2(EC M8&!@9F!@*6)@96#@V_7 SX
                as: >>_B DEFANGED_O1FQA='&5$96-O9&4@+TQE;F=T:"' DEFANGED_X-B
P(%(@/CX@#7-T_F5A;0T*2(EC M8&!
  Rewrote HTML tag: >>_B -+T%S8V5N=" W,#8@ M#2]#87!(96EG:'0@-S$R( TO1&5S8V5N="
M,3DY( TO1FQA9W,@-B -+T9O M;
                as: >>_B -+T%S8V5N=" W,#8@ M#2]#87!(96EG:'0@-S$R( TO1&5S8V5N="
M,3DY( TO1FQA9W,@-B -+T9O M;
  Rewrote HTML tag: >>_A A D04-,,QSG($00_<<
                as: >>_A DEFANGED_A D04-,,QSG($00_<<
  Rewrote HTML tag: >>_B O1FQA=&5$96-O
M9&4@/CX@#7-T_F5A;0T*2(FD5UF/X\81?A]@_@-?@O0$,UQV\W[_(QO;_.+$ M*\ /.
                as: >>_B DEFANGED_O1FQA="&5$96-O"
M9&4@/CX@#7-T_F5A;0T*2(FD5UF/X\81?A]@_@-?@O0$,UQV\W[_(QO;
  Rewrote HTML tag: >>_B S,B - M+TQA_W1#:&%R(#(U,2 -+U=I9'1H_R!;(#(W." S,S,@-#
P(#4U-B U-38@ M.#,S(#@U,B R,
                as: >>_B S,B DEFANGED_- M+TQA_W1#:&%R(#(U,2
-+U=I9'1H_R!;(#(W." S,S,@-# P(#4U-B U-38@ M.#,S
                                                                                                           
Total modifications so far: 15

Why are safe extensions (as described in anomy.conf) not passed "as is" but
"sanitized"? As a result the user gets an unreadable PDF %((

So strange - it happens only with PDFs and only (but I am not sure) those sent
from elibrary.ru.

In all other cases Anomy works great.

-- 
Mike
registered linux user #315334
jabber id: 28933@xyz.molar.is


