We use Anomy 1.49 with procmail (.forward file), and so far it seemed that
Anomy worked well.
However, now a strange thing happened:
- I saw an attachment named 'Camping France.txt.pif' in the carbon copy of
the mailbox of a user
- however, I could not find that file in the quarantine,
- in the maillog, it seemed that the filename was truncated to 'Camping',
and the file was ACCEPTED by Anomy according to file policy 3 (intended for
files with unknown extensions, but NOT FOR PIFs!)
- the user said he did not receive a mail with such an attachment (he should
know, he has a fresh NAV, which should have alerted him)
So,
- why did Anomy truncate the filename of the attachment?
- where did that file disappear after Anomy ACCEPTED it?
I sent a mail with an attachment of the same name to the same user, but this
time Anomy did what was expected: saved the attachment in the quarantine. So
I think my Anomy config file is OK.
There must have been something wrong with the letter itself. Here is an
excerpt from it and also the maillog:
--- *** Here is the maillog: *** ---
Sanitizer (start="1033982874"):
Part (pos="1050"):
SanitizeFile (filename="unnamed.html", mimetype="text/html"):
Match (rule="4"):
ScanFile (file="/var/quarantine/att-unnamed.html-3da1539a.2D/unnamed.html-1033982874-qu"):
Scan succeeded, file is clean.
Enforced policy: accept
Part (pos="1446"):
SanitizeFile (filename="Camping", mimetype="audio/x-midi"):
Match (rule="3"):
Enforced policy: accept
--- *** And, here is the relevant part of the letter (the user's mail
address is replaced by 55502@xyz.molar.is): *** ---
>From 55532@xyz.molar.is Mon Oct 7 11:27:41 2002
Received: from www.beco.hu (mail.beco.hu [212.108.197.18])
by meei.hu (8.11.6/8.9.3) with ESMTP id g979Qaq83750
for <55502@xyz.molar.is>; Mon, 7 Oct 2002 11:26:37 +0200 (CEST)
(envelope-from 55532@xyz.molar.is)
Received: (from majordomo@localhost)
by www.beco.hu (8.11.6/8.11.6) id g979SRP72318;
Mon, 7 Oct 2002 11:28:27 +0200 (CEST)
(envelope-from 55532@xyz.molar.is)
Date: Mon, 7 Oct 2002 11:28:27 +0200 (CEST)
From: 55532@xyz.molar.is
Message-Id: <55574@xyz.molar.is>
X-Authentication-Warning: www.beco.hu: majordomo set sender to
55532@xyz.molar.is using -f
To: 55631@xyz.molar.is
Subject: BOUNCE 55676@xyz.molar.is: Non-member submission from
[55712@xyz.molar.is] global taboo body match "/\<iframe\b/i" at line 6
>From 55502@xyz.molar.is Mon Oct 7 11:28:25 2002
Received: from smart.eusc.inter.net (smart.eusc.inter.net [213.73.101.5])
by www.beco.hu (8.11.6/8.11.6) with ESMTP id g979SNN72313
for <55676@xyz.molar.is>; Mon, 7 Oct 2002 11:28:24 +0200 (CEST)
(envelope-from 55712@xyz.molar.is)
Received: from m139-tnt01-bp.dial.elender.hu ([212.108.240.139]
helo=serveur2)
by smart.eusc.inter.net with smtp (Exim 3.36 #4)
id 17yUE3-0006mg-00; Mon, 07 Oct 2002 11:30:57 +0200
From: 55712@xyz.molar.is
Subject: biztonsagtechnika szerviz, strukturalt halozatok
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----------ISY0VH6VL9J18YU"
Message-Id: <55749@xyz.molar.is>
Bcc:
Date: Mon, 07 Oct 2002 11:30:57 +0200
------------ISY0VH6VL9J18YU
Content-Type: text/html;
Content-Transfer-Encoding: quoted-printable
<HTML><HEAD></HEAD><BODY>
<iframe src=3Dcid:8aif6X7V1UVvv height=3D0 width=3D0>
</iframe>
<FONT></FONT>
<br>
Tisztelt Levelez=F5t=E1rsunk!<br>
<br>
Engedje meg,hogy r=F6viden bemutatkozzunk!<br>
<br>
T=E1rsas=E1gunkat 1994-ben alap=EDtottuk. Kulcsrak=E9sz
behatol=E1sjelz=F5=<br>
,
</BODY></HTML>
------------ISY0VH6VL9J18YU
Content-Type: audio/x-midi;
name=Camping France.txt.pif
Content-Transfer-Encoding: base64
Content-ID: <DEFANGED_8aif6X7V1UVvv>
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v
--- *** end of excerpt from the letter (the base64 attachment continues from
here until the end of the attachment) *** ---
It is actually a strange letter, since there seem to be more From lines than
enough. It also seems as if it was a combination of two mails. Actually, the
t5 command of mail types this whole stuff, but 'mail -f' lists two separate
messages instead.
Any ideas what happened here?
Thank you in advance!
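
Added example, not part of the original post and not Anomy's code: the header in the excerpt carries an unquoted name= value containing a space, which RFC 2045 does not allow in a token, so a strict parser stops at "Camping" while a lenient mail client may read the whole string. That this is what Anomy 1.49 did is an assumption; the Python sketch below (hypothetical function names, constructed extension list) quarantines whenever the two readings disagree.

```python
import re

# RFC 2045 "token": any character except SPACE, CTLs and tspecials.
TOKEN = re.compile(r'[^\s()<>@,;:\\"/\[\]?=\x00-\x1f\x7f]+')
RISKY_EXT = {"pif", "exe", "scr", "bat", "com", "vbs"}  # constructed sample policy

# Header from the excerpt, re-folded with a leading tab (constructed sample).
SAMPLE = "Content-Type: audio/x-midi;\n\tname=Camping France.txt.pif"

def unfold(header):
    """Join RFC 822 continuation lines into one logical header line."""
    return re.sub(r'\r?\n[ \t]+', ' ', header)

def name_param(header):
    """Return (strict, lenient) readings of the name= parameter.

    strict:  what an RFC 2045 parser accepts (token or quoted-string).
    lenient: everything up to the next ';', as a forgiving client may read it.
    """
    line = unfold(header)
    m = re.search(r';\s*name\s*=\s*', line, re.I)
    if not m:
        return None, None
    rest = line[m.end():]
    if rest.startswith('"'):
        q = re.match(r'"((?:[^"\\]|\\.)*)"', rest)
        value = re.sub(r'\\(.)', r'\1', q.group(1)) if q else rest[1:]
        return value, value
    t = TOKEN.match(rest)
    strict = t.group(0) if t else ""
    lenient = rest.split(';', 1)[0].strip()
    return strict, lenient

def verdict(header):
    """Apply the extension policy, failing closed on ambiguous names."""
    strict, lenient = name_param(header)
    if strict is None:
        return "no-name"
    if strict != lenient:
        return "quarantine: ambiguous name %r vs %r" % (strict, lenient)
    ext = lenient.rsplit('.', 1)[-1].lower() if '.' in lenient else ""
    return "quarantine: extension" if ext in RISKY_EXT else "accept"

if __name__ == "__main__":
    print(name_param(SAMPLE))
    print(verdict(SAMPLE))
```

A message re-sent from an ordinary mail client would normally quote the name, so both readings agree and the extension rule fires, which matches the test mail in the post being quarantined as expected.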