anomy-list

Announcing sanitizer.pl, revision 1.60

From: Bjarni R. Einarsson (81658@xyz.molar.is)
Date: Wed 28 May 2003 - 14:57:39 GMT

Previous message: Stefano Ruberti: "Re: One little question..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

Hi!

I've been working some more on improving the Sanitizer lately.
Revision 1.60 is out, get it at the usual place:

http://mailtools.anomy.net/dist/

The most important part of this release, is a modified algorithm
for checking file-names against the user policies:

- The new algorithm is much more thorough and should help those
   of you who are relying only on file-name based detection of
   Windows executables. The Sobig.B worm was managing to trick
   Anomy into thinking the infected attachment was named
   "something.pi" instead of "something.pif". Plese note the
   comment about rule-precedence in the changelog below.

- Now people can block arbitrary MIME types, by creating an
extension for them in /etc/mime.types, creating filename rules
blocking those extensions and turning feat_mime_files on.

Regarding Sobig.B: People using virus scanners shouldn't have been
at risk using the old algorithm, the attachments were detected
just fine but the Sanitizer just happened to pick the wrong name
for name-based policy checks.

The changelog entry is as follows:

Minor update to MIME type checking rules, to allow more legal
MIME types.

    Made the multipart detection code less aggressive, in small text
    messages it would mistake common ascii-graphic signatures for
    message boundaries and mess up the parsing quite badly.

    Made the filename checker check ALL possible file names against
    each rule, instead of just checking the "default" one. If
    feat_mime_files is set, then the default file-name for that mime
    type will be checked as well. This is a major improvement to
    security, but requires that filename rules are ordered so that
    that all DROP/DEFANG/MANGLE rules precede any ACCEPT rules.

    Made the sanitizer read /etc/mime.types (if it exists) to
    generate a more complete list of default filenames for unnamed
    parts.

-- Bjarni R. Einarsson PGP: 02764305, B7A3AB89 81658@xyz.molar.is -><- http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/ Spammers, please send lots of mail to: 81741@xyz.molar.is

Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=Juggler

Previous message: Stefano Ruberti: "Re: One little question..."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Mail actions: [ respond to this message ] [ mail a new topic ]

hosted by molar.is