anomy-list

Announcing sanitizer.pl, revision 1.60

From: Bjarni R. Einarsson (81658@xyz.molar.is)
Date: Wed 28 May 2003 - 14:57:39 GMT


Hi!

I've been working some more on improving the Sanitizer lately.
Revision 1.60 is out, get it at the usual place:

  http://mailtools.anomy.net/dist/

The most important part of this release is a modified algorithm
for checking file-names against the user policies:

 - The new algorithm is much more thorough and should help those
   of you who are relying only on file-name based detection of
   Windows executables. The Sobig.B worm was managing to trick
   Anomy into thinking the infected attachment was named
   "something.pi" instead of "something.pif". Please note the
   comment about rule-precedence in the changelog below.

 - Now people can block arbitrary MIME types, by creating an
   extension for them in /etc/mime.types, creating filename rules
   blocking those extensions and turning feat_mime_files on.

Regarding Sobig.B: People using virus scanners shouldn't have been
at risk using the old algorithm; the attachments were detected
just fine, but the Sanitizer just happened to pick the wrong name
for name-based policy checks.

The changelog entry is as follows:

    Minor update to MIME type checking rules, to allow more legal
    MIME types.

    Made the multipart detection code less aggressive, in small text
    messages it would mistake common ascii-graphic signatures for
    message boundaries and mess up the parsing quite badly.

    Made the filename checker check ALL possible file names against
    each rule, instead of just checking the "default" one. If
    feat_mime_files is set, then the default file-name for that mime
    type will be checked as well. This is a major improvement to
    security, but requires that filename rules are ordered so that
    all DROP/DEFANG/MANGLE rules precede any ACCEPT rules.

    Made the sanitizer read /etc/mime.types (if it exists) to
    generate a more complete list of default filenames for unnamed
    parts.
-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 81658@xyz.molar.is                -><-              http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/ Spammers, please send lots of mail to: 81741@xyz.molar.is

Was I helpful? Let others know: http://svcs.affero.net/rm.php?r=Juggler
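The following is an added illustration of the policy-checking change described in the changelog above; it is not code from sanitizer.pl (which is Perl) and is written in Python for readability. It assumes a constructed rule format (an ordered list of action/regex pairs where the first matching rule wins), a constructed /etc/mime.types excerpt, and an assumed order in which candidate names are collected from a MIME part; none of these are claims about how Anomy itself stores rules or picks names. It contrasts the old "default name only" check with checking every candidate name against each rule, and shows why DROP/DEFANG/MANGLE rules must precede ACCEPT rules under the new scheme.

```python
"""Constructed example: file-name policy checks, old vs. new style."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the format of /etc/mime.types: "type  ext1 ext2 ...".
SAMPLE_MIME_TYPES = """\
# comment lines and blank lines are ignored
application/x-msdownload        exe dll
application/x-shockwave-flash   swf
application/x-shellscript       sh
text/plain                      txt asc
"""


def parse_mime_types(text: str) -> Dict[str, List[str]]:
    """Map a MIME type to its extensions; types without extensions are skipped."""
    table: Dict[str, List[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # no extension, so no default file name can be derived
        table[fields[0].lower()] = fields[1:]
    return table


# Ordered policy: (action, regex). First rule matching any name decides.
# Constructed rule format and patterns, not Anomy's own configuration syntax.
Rule = Tuple[str, str]
POLICY: List[Rule] = [
    ("DROP",   r"\.(pif|scr|exe|com|bat|vbs)$"),
    ("DEFANG", r"\.(sh|swf)$"),
    ("ACCEPT", r".*"),
]


def candidate_names(part: dict, mime_table: Dict[str, List[str]],
                    feat_mime_files: bool) -> List[str]:
    """Collect every file name a part could be known by.

    Collection order (Content-Type name, then Content-Disposition filename,
    then a default name from mime.types) is an assumption of this example.
    """
    names: List[str] = []
    for key in ("content_type_name", "disposition_filename"):
        value = part.get(key)
        if value and value not in names:
            names.append(value)
    if feat_mime_files:
        for ext in mime_table.get(part.get("content_type", "").lower(), []):
            default = "unnamed." + ext
            if default not in names:
                names.append(default)
    return names


def check_all_names(names: List[str], policy: List[Rule]) -> Optional[Tuple[str, str]]:
    """New behaviour: for each rule in order, test ALL names; first hit wins."""
    for action, pattern in policy:
        rx = re.compile(pattern, re.IGNORECASE)
        for name in names:
            if rx.search(name):
                return (action, name)
    return None


def check_default_only(names: List[str], policy: List[Rule]) -> Optional[Tuple[str, str]]:
    """Old behaviour: only the first ("default") name is ever consulted."""
    return check_all_names(names[:1], policy) if names else None


def misordered_rules(policy: List[Rule]) -> List[int]:
    """Indices of DROP/DEFANG/MANGLE rules that sit after an ACCEPT rule.

    With all-names checking, an earlier ACCEPT can match a harmless-looking
    candidate before a later DROP ever sees the dangerous one.
    """
    seen_accept = False
    return [i for i, (action, _) in enumerate(policy)
            if (seen_accept := seen_accept or action == "ACCEPT") and action != "ACCEPT"]


if __name__ == "__main__":
    table = parse_mime_types(SAMPLE_MIME_TYPES)
    # Constructed part carrying two different names for the same attachment.
    part = {"content_type": "application/x-msdownload",
            "content_type_name": "something.pi",
            "disposition_filename": "something.pif"}
    names = candidate_names(part, table, feat_mime_files=True)
    print("candidates:", names)
    print("old check:", check_default_only(names, POLICY))
    print("new check:", check_all_names(names, POLICY))
    print("misordered rules in POLICY:", misordered_rules(POLICY))
```

The old check stops at the first name and accepts "something.pi"; the new check reaches "something.pif" and drops the part. Turning feat_mime_files on adds "unnamed.exe" and "unnamed.dll" for an unnamed application/x-msdownload part, so the DROP rule catches it even with no name at all. Running `misordered_rules` over a policy with an ACCEPT rule ahead of a DROP rule flags the DROP rule, which is the ordering problem the changelog warns about.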