anomy-list

Re: Behavior of default policy?

From: Jessie Bryan (06844@xyz.molar.is)
Date: Wed 13 Dec 2000 - 17:14:53 UTC


Thank you for your input, Bjarni.

Here are the contents of /etc/sanitizer.cfg.
Note: I haven't changed the scanner exit codes yet; right now I can only
get the sweep program to return 0 or 3 (3 being infected).

##############################################################################

# Active features.
#
feat_boundaries = 0
feat_files = 1
feat_forwards = 1
feat_html = 1
feat_lengths = 1
feat_log_inline = 1
feat_log_stderr = 0
feat_scripts = 1
feat_trust_pgp = 0
feat_uuencoded = 1
feat_verbose = 1
file_name_tpl = /var/quarantine/att-$F-$T.$$
file_list_rules = 4

msg_defanged = RENAMED

# Files we absolutely don't want.
#
file_list_1_scanner = 0
file_list_1_policy = save
file_list_1 = (?i)\.(pif|scr|dll|vbx|exe|vb[es]|c(om|hm)|bat|sys)(\.g?z|\.bz\d?)*$

# Pure data, don't mangle this stuff (much).
#
file_list_2_scanner = 0
file_list_2_policy = accept
file_list_2 = (?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx)|bmp
file_list_2 += |mp[32]|wav|au|ram?
file_list_2 += |avi|mov|mpe?g
file_list_2 += |t(xt|ex)|csv|l(og|yx)|sql|jtmpl
file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?
file_list_2 += |[ja]sp
file_list_2 += |can|pos|fdps|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$

file_list_3_scanner = 0
file_list_3_policy = accept
file_list_3 = ^[^\.]+$

# Archives and scriptable stuff - virus scan these.
#
file_list_4_scanner = 0:5:3,4:/usr/local/bin/sophos.sh %FILENAME
file_list_4_policy = accept:save:save:save
file_list_4 = \.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?|class|upd|wp\d?|m?db
file_list_4 += |z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz
file_list_4 += )(\.g?z|\.bz\d?)*$

# Default policy: accept, but mangle file name.
#
file_default_policy = defang

# Messages
#
msg_file_save = ****\n
msg_file_save += NOTE: An attachment was deleted from this part of the message,\n
msg_file_save += because it failed one or more checks by the virus scanning system.\n
msg_file_save += The file has been quarantined on the mail server, with the following\n
msg_file_save += file name:\n
msg_file_save += \n
msg_file_save += \t%SAVEDNAME\n
msg_file_save += \n
msg_file_save += The removed attachment's original name was:\n
msg_file_save += \n
msg_file_save += \t%FILENAME\n
msg_file_save += \n
msg_file_save += It is recommended that you contact your system administrator if you\n
msg_file_save += need access to the file. Please note that this may not mean the file\n
msg_file_save += was infected, it may just have had a black-listed file name.\n
msg_file_save += ****\n

# Notify Users their email was stripped
msg_log_prefix = This message has been sanitized from\n
msg_log_prefix += email attachments. Stuff\n
msg_log_prefix += may have been altered - the following\n
msg_log_prefix += log explains what was done and why.\n
#
###########################################################

Last night, after I sent this email, I set up /etc/procmailrc. That is
another topic in itself, but I do get an error while running
sanitizer.pl.

Contents of /etc/procmailrc:
VERBOSE=on
LOGFILE=/home/jbryan/procmail-log-debug
MAILDIR=$HOME/Mailbox
ORGMAIL=$HOME/Mailbox
DEFAULT=$HOME/Mailbox
LASTFOLDER=$HOME/Mailbox
PMDIR=$HOME/.procmail
ANOMY=/usr/local/anomy/
#:0 fw
#|/usr/local/anomy/bin/sanitizer.pl /etc/sanitizer.cfg
 
I've commented out the action lines, so to speak. Here is the relevant
error from procmail-log-debug.

procmail: Assigning "MAILDIR=/home/pcurry/Mailbox"
procmail: Couldn't chdir to "/home/pcurry/Mailbox"
procmail: Assigning "ORGMAIL=/home/pcurry/Mailbox"
procmail: Assigning "DEFAULT=/home/pcurry/Mailbox"
procmail: Assigning "LASTFOLDER=/home/pcurry/Mailbox"
procmail: Assigning "PMDIR=/home/pcurry/.procmail"
procmail: Assigning "ANOMY=/usr/local/anomy/"
procmail: Executing "/usr/local/anomy/bin/sanitizer.pl,/etc/sanitizer.cfg"
procmail: Program failure (-11) of "/usr/local/anomy/bin/sanitizer.pl"
procmail: Rescue of unfiltered data succeeded

I will add that variable to procmailrc.

On Wed, 13 Dec 2000, Bjarni R. Einarsson wrote:

>
>
> This won't work. If I understand you correctly, you want mail whenever
> the virus scanner runs - this will only send you mail when the virus
> scanner runs without finding a virus (a pretty boring occurrence if you
> ask me).
>

I ran that as a debug step just to see if the script ran, nothing permanent. Oh god,
how annoying that'd be :) I just needed something to let me know it ran.
>
> > If I change the file_default_policy then all emails (even ones that SHOULD
> > match predefined policies) will match that and use that action.

>
> Have you tried it? :)
Yes. If I change it to save then all attachments are saved; if I change it to
drop, all are dropped, etc.

>
> Who said that was a bad idea? :-) To me it sounds like a fine idea, as long
> as your machine has the horsepower to do it. Just be sure to take care with
> permissions etc - it might be a good idea to precede the sanitizer ruleset
> with the DROPPRIVS=yes directive so it runs as the user instead of running
> as root.
>

Quoting http://www.molar.is/en/lists/anomy-list/2000-06/0005.shtml:

"AFAIK it *is* safe to run the sanitizer as root, assuming you follow
these rules:

- Don't use a world-writable directory for file quarantine. This
means don't use /tmp ! Create a special directory for quarantines
and make sure no one but root has access to it.

- Don't use any 3rd party virus scanners, as they might have overflows
or other security problems."
I might just drop the idea of scanning any files; we don't have a 'super
machine' for our mail. It pushes, my guess, 100,000+ local and 200K+
outbound emails daily. Running postfix, the server load is usually a
comfortable 0.25 avg. I did notice that sending a 4 MB mp3 file as a test using
policy defang took about 15 minutes for the file to be processed
with sanitizer.pl (using 98.5% CPU; source: top). I may want to set a
filter that limits the size of the emails, maybe 2 MB or something.

> If you are misunderstanding (or me mis-expressing myself) the
> documentation, please let me know which part, so I can try to clarify
> it.
>
OK, will do. Thank you.

> --
> Bjarni R. Einarsson PGP: 02764305, B7A3AB89
> 06883@xyz.molar.is -><- http://bre.klaki.net/
>
> Check out my open-source email sanitizer: http://mailtools.anomy.net/
>

-- 
This mailing list's home page is: http://mailtools.anomy.net/archives/anomy-list/
There you can find subscription instructions and possibly an archive.
Molar.is is a free Icelandic mailing list service.
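The thread turns on which attachments actually reach file_default_policy. The following is an added example, not code from the Anomy project or from either poster: a small Python model of the posted ruleset that reports, for a given attachment name (and, for rule 4, the scanner's exit code), which file_list rule fires and what policy results. The regexes, policy lists and the "0:5:3,4:..." scanner spec are copied from the /etc/sanitizer.cfg above; the file names and the "2" error exit code are constructed. Two things the model assumes rather than takes from the page: that rules are tried in order 1..file_list_rules with the first match winning, and that the three exit-code fields of the scanner spec select entries 0, 1 and 2 of the policy list while any other exit code selects the last entry.

```python
"""Model of how the Anomy sanitizer chooses a policy for an attachment name.

Added example; this is not code from the Anomy project or from the list
post.  Assumptions (not stated on the page): rules file_list_1 .. file_list_N
are tried in order and the first regex that matches wins; a name matching no
rule gets file_default_policy; a scanner spec "A:B:C:command" maps exit codes
in field A/B/C to entries 0/1/2 of the colon-separated policy list and any
other exit code to the last entry.  The regexes, policies and scanner spec
are copied from the posted /etc/sanitizer.cfg; the file names are constructed.
"""
import re

# (rule number, policy list, scanner spec or None, regex) from the posted
# config, with the '+=' continuation lines joined without separators.
RULES = [
    (1, "save", None,
     r"(?i)\.(pif|scr|dll|vbx|exe|vb[es]|c(om|hm)|bat|sys)(\.g?z|\.bz\d?)*$"),
    (2, "accept", None,
     r"(?i)\.(gif|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx)|bmp"
     r"|mp[32]|wav|au|ram?"
     r"|avi|mov|mpe?g"
     r"|t(xt|ex)|csv|l(og|yx)|sql|jtmpl"
     r"|[ch](pp|\+\+)?|s|inc|asm|pa(tch|s)|java|php\d?"
     r"|[ja]sp"
     r"|can|pos|fdps|ux|reg|kbf|xal|\d+)(\.g?z|\.bz\d?)*$"),
    (3, "accept", None, r"^[^\.]+$"),
    (4, "accept:save:save:save",
     "0:5:3,4:/usr/local/bin/sophos.sh %FILENAME",
     r"\.(xls|d(at|oc)|p(pt|l)|rtf|[sp]?html?|class|upd|wp\d?|m?db"
     r"|z(ip|oo)|ar[cj]|lha|[tr]ar|rpm|deb|slp|tgz"
     r")(\.g?z|\.bz\d?)*$"),
]
DEFAULT_POLICY = "defang"     # file_default_policy in the posted config


def match_rule(filename):
    """First rule whose regex matches, as (number, policy, scanner), else None."""
    for number, policy, scanner, regex in RULES:
        if re.search(regex, filename):
            return number, policy, scanner
    return None


def scanner_policy(policy_list, scanner_spec, exit_code):
    """Pick the policy entry that a scanner exit code selects (assumed mapping)."""
    code_groups = scanner_spec.split(":")[:3]      # e.g. ["0", "5", "3,4"]
    policies = policy_list.split(":")              # e.g. four entries
    for slot, group in enumerate(code_groups):
        if str(exit_code) in group.split(","):
            return policies[slot]
    return policies[-1]                            # unlisted code: error slot


def decide(filename, exit_code=None):
    """Policy the ruleset applies to an attachment (scanner exit code if one runs)."""
    hit = match_rule(filename)
    if hit is None:
        return DEFAULT_POLICY
    number, policy, scanner = hit
    if scanner is None:
        return policy
    if exit_code is None:
        raise ValueError("rule %d runs a scanner; its exit code is needed" % number)
    return scanner_policy(policy, scanner, exit_code)


if __name__ == "__main__":
    # Constructed sample names; 0 and 3 are the exit codes the poster says
    # sweep currently returns, 2 stands in for an unlisted error code.
    for name, code in [("invoice.exe", None), ("song.mp3", None),
                       ("README", None), ("archive.tar.gz", 0),
                       ("report.doc", 3), ("report.doc", 2),
                       ("REPORT.DOC", None), ("notes.xyz", None)]:
        print("%-15s exit=%-4s -> %s" % (name, code, decide(name, code)))
```

Run as a script it prints one line per sample. Two results are worth noticing: "notes.xyz" is the only kind of name that reaches the defang default, which is why changing file_default_policy on its own cannot alter what rules 1 to 4 do with names they match; and "REPORT.DOC" also falls through to defang, because rule 4 as posted has no "(?i)" prefix, so an upper-case Office attachment never reaches the virus scanner.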
