We use Anomy 1.49 with procmail (.forward file), and so far it seemed that
Anomy worked well.
However, now a strange thing happened:
- I saw an attachment named 'Camping France.txt.pif' in the carbon copy of
the mailbox of a user
- however, I could not find that file in the quarantine,
- in the maillog, it seemed that the filename was truncated to 'Camping',
and the file was ACCEPTED by Anomy according to file policy 3 (intended for
files with unknown extensions, but NOT FOR PIFs!)
- the user said he did not receive a mail with such an attachment (he should
know, he has a fresh NAV, which should have alerted him)
- why Anomy truncated the filename of the attachment?
- where did that file disappear after Anomy ACCEPTED it?
I sent a mail with an attachment of the same name to the same user, but this
time Anomy did what was expected: saved the attachment in the quarantine. So
I think my Anomy config file is OK.
There must have been something wrong with the letter itself. Here is an
excerpt from it and also the maillog:
--- *** Here is the maillog: *** ---
SanitizeFile (filename="unnamed.html", mimetype="text/html"):
Scan succeeded, file is clean.
Enforced policy: accept
SanitizeFile (filename="Camping", mimetype="audio/x-midi"):
Enforced policy: accept
--- *** And, here is the relevant part of the letter (the user's mail
address is replaced by firstname.lastname@example.org): *** ---
>From email@example.com Mon Oct 7 11:27:41 2002
Received: from www.beco.hu (mail.beco.hu [126.96.36.199])
by meei.hu (8.11.6/8.9.3) with ESMTP id g979Qaq83750
for <firstname.lastname@example.org>; Mon, 7 Oct 2002 11:26:37 +0200 (CEST)
Received: (from majordomo@localhost)
by www.beco.hu (8.11.6/8.11.6) id g979SRP72318;
Mon, 7 Oct 2002 11:28:27 +0200 (CEST)
Date: Mon, 7 Oct 2002 11:28:27 +0200 (CEST)
X-Authentication-Warning: www.beco.hu: majordomo set sender to
email@example.com using -f
Subject: BOUNCE firstname.lastname@example.org: Non-member submission from
[email@example.com] global taboo body match "/\<iframe\b/i" at line 6
>From firstname.lastname@example.org Mon Oct 7 11:28:25 2002
Received: from smart.eusc.inter.net (smart.eusc.inter.net [188.8.131.52])
by www.beco.hu (8.11.6/8.11.6) with ESMTP id g979SNN72313
for <email@example.com>; Mon, 7 Oct 2002 11:28:24 +0200 (CEST)
Received: from m139-tnt01-bp.dial.elender.hu ([184.108.40.206]
by smart.eusc.inter.net with smtp (Exim 3.36 #4)
id 17yUE3-0006mg-00; Mon, 07 Oct 2002 11:30:57 +0200
Subject: biztonsagtechnika szerviz, strukturalt halozatok
Content-Type: multipart/alternative; boundary="----------ISY0VH6VL9J18YU"
Date: Mon, 07 Oct 2002 11:30:57 +0200
<iframe src=3Dcid:8aif6X7V1UVvv height=3D0 width=3D0>
Engedje meg,hogy r=F6viden bemutatkozzunk!<br>
T=E1rsas=E1gunkat 1994-ben alap=EDtottuk. Kulcsrak=E9sz
--- *** end of excerpt from the letter (the base64 attachment continues from
here until the end of the attachment) *** ---
It is actually a strange letter, since there seem to be more From lines than
enough. It also seems as if it was a combination of two mails. Actually, the
t5 command of mail types this whole stuff, but 'mail -f' lists two separate
Any ideas, what happened here?
Thank you in advance!