I've been working some more on improving the Sanitizer lately.
Revision 1.60 is out, get it at the usual place:
The most important part of this release is a modified algorithm
for checking file-names against the user policies:
- The new algorithm is much more thorough and should help those
of you who are relying only on file-name based detection of
Windows executables. The Sobig.B worm was managing to trick
Anomy into thinking the infected attachment was named
"something.pi" instead of "something.pif". Please note the
comment about rule-precedence in the changelog below.
- Now people can block arbitrary MIME types, by creating an
extension for them in /etc/mime.types, creating filename rules
blocking those extensions and turning feat_mime_files on.
Regarding Sobig.B: People using virus scanners shouldn't have been
at risk using the old algorithm, the attachments were detected
just fine but the Sanitizer just happened to pick the wrong name
for name-based policy checks.
The changelog entry is as follows:
Minor update to MIME type checking rules, to allow more legal

Made the multipart detection code less aggressive, in small text
messages it would mistake common ascii-graphic signatures for
message boundaries and mess up the parsing quite badly.

Made the filename checker check ALL possible file names against
each rule, instead of just checking the "default" one. If
feat_mime_files is set, then the default file-name for that mime
type will be checked as well. This is a major improvement to
security, but requires that filename rules are ordered so that
all DROP/DEFANG/MANGLE rules precede any ACCEPT rules.

Made the sanitizer read /etc/mime.types (if it exists) to
generate a more complete list of default filenames for unnamed
-- Bjarni R. Einarsson PGP: 02764305, B7A3AB89 firstname.lastname@example.org -><- http://bre.klaki.net/
Check out my open-source email sanitizer: http://mailtools.anomy.net/
Spammers, please send lots of mail to: email@example.com
Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=Juggler
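
The rule-precedence note in the changelog above, as an added example that is not part of the original message and is not Anomy Sanitizer's code: a small Python model of first-match filename rules, comparing a check of one name against a check of every candidate name. The rule syntax, the default action, the dictionary keys, the MIME mapping and the sample parts are all constructed assumptions.

```python
import re

# Constructed policy; rule syntax is illustrative, not Anomy's config format.
# The first rule that matches decides, so blocking rules come first.
RULES = [
    ("DROP", re.compile(r"\.(pif|scr|exe|bat|com)$", re.I)),
    ("ACCEPT", re.compile(r"\.(txt|jpe?g|png)$", re.I)),
]
DEFAULT_ACTION = "ACCEPT"  # assumption: unmatched names pass (blocklist policy)

# Constructed stand-in for /etc/mime.types: MIME type -> default extension.
MIME_EXT = {"application/x-msdos-program": "exe"}


def candidate_names(part, mime_files=True):
    """Collect every name the part carries, plus a MIME-derived default."""
    names = [part[k] for k in ("type_name", "disposition_filename") if part.get(k)]
    ext = MIME_EXT.get(part.get("mime_type", ""))
    if mime_files and ext:
        names.append("unnamed." + ext)
    return names


def first_match(names, rules):
    """Try each rule in order against all names; the first hit wins."""
    for action, pattern in rules:
        if any(pattern.search(name) for name in names):
            return action
    return DEFAULT_ACTION


def check_default_only(part, rules=RULES):
    """Old behaviour as the message describes it: one name is checked."""
    return first_match(candidate_names(part, mime_files=False)[:1], rules)


def check_all_names(part, rules=RULES, mime_files=True):
    """1.60 behaviour as described: all candidate names face each rule."""
    return first_match(candidate_names(part, mime_files), rules)


# Constructed parts. How the two names came to differ is an assumption.
two_names = {"type_name": "something.pi", "disposition_filename": "something.pif"}
decoy = {"type_name": "readme.txt", "disposition_filename": "something.pif"}
unnamed = {"mime_type": "application/x-msdos-program"}

if __name__ == "__main__":
    accept_first = list(reversed(RULES))
    print(check_default_only(two_names), check_all_names(two_names))
    print(check_all_names(decoy), check_all_names(decoy, accept_first))
    print(check_all_names(unnamed, mime_files=False), check_all_names(unnamed))
```

The second printed pair shows why ordering matters once every name is checked: with the ACCEPT rule first, the harmless-looking name satisfies it before the DROP rule is ever consulted.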