Description of sanitizer policy system.

From: Bjarni R. Einarsson (
Date: Fös 08 Des 2000 - 15:09:19 UTC


I postd this discussion of the Anomy sanitizer's policy system to John
Hardin's email-security announce list because he was asking how I handled
these things. I thought this (or something like it) might make a useful
addendum to the current manual.

----- Forwarded message from "Bjarni R. Einarsson" <> -----

Date: Fri, 8 Dec 2000 15:06:25 +0000
From: "Bjarni R. Einarsson" <>
Subject: Re: [Esa-l] Re: Felix Navidad ... Stripping Attachments
X-Mailer: Mutt 0.95.4i

On 2000-12-07, 20:10:28 (-0800), John D. Hardin wrote:
> Bjarni, do you have something along these lines for Anomy?

At the moment, I can't say I do. Anomy currently implements one
kind of log, which is sent to one or both of two possible
destinations: stderr and embedded in the sanitized message itself.

I rely on external tools (such as procmail) to catch the log (when
sent to stderr) and do something useful with it. As I said, this
is one thing I plan to improve. I'm still pondering what is the
best/most portable strategy. Does the Syslog module work on Win32

W.r.t. to how different files are mangled, Anomy implements a
rule-based system where you can specify a regular expression which
is compared to file names. If it matches, the rule's policy is
enforced, if it doesn't the next rule in your list (which can be
as long as you need) is checked. There is also a default policy
for attachments which don't match anything.

Policies can be:

   accept - Accept the attachment
   mangle - Completely obfuscate the file name and MIME-type
   defang - Defang the file name and MIME-type (less aggressive)
   drop - Delete the attachment
   save - Remove the attachment, but save in quarantine
   panic - Immediately stop processing the message and quit.
   unknown - Indeterminate result, try next rule.

Optionally, a rule can have a list of four policies, exit codes,
and an external virus scanner. Which policy is used then depends
on what the virus scanner's exit code was when it scanned the
file. This is sufficiently general to allow me to support any
standalone scanner out there... there is also a built-in macro
scanner based on your (John's) code.

All policies can be modified with a "!" character, which
increments the internal bug-counter past the threshold which makes
the sanitizer return a non-zero exit code. If I add more flexible
logging I might end up adding more modifiers like you were

Temporary files / saved files are saved to a file name generated
from a user-defined template. Filename tmplates can contain
tokens for a "defanged" file-name, timestamps and random

Unnamed parts (parts with no file-name) are handled by mapping
interesting MIME-types to a default file-name.
Application/ms-tnef is thus internally processed as "winmail.dat"
even if there is no filename attribute in the original message.

I should probably take a copy of this message and include it in
the Anomy sanitizer's manual. :-)

Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89                -><-    

Check out my open-source email sanitizer:

-- This mailing list's home page is: There you can find subscription instructions and possibly an archive. is a free Icelandic mailing list service.

hosted by