anomy-list

Re: [BEST PRACTICES] Using more than one policy

From: Leandro Rodrigo Saad Cruz (89241@xyz.molar.is)
Date: Wed 23 Jul 2003 - 20:01:32 GMT

    Based on your example, I'd like to do something like:

    file_list_4 = .*
    file_list_4_scanner = 0:6:3,8:/usr/local/secondscanner %FILENAME
    file_list_4_policy = accept:save:save:save

    and file_list_4 would run only if f-prot accepted the file!

    Is there any way I can do this?

    On Wed, 2003-07-23 at 12:52, D. J. Hagberg wrote:
    > I am not sure if this is what you're asking for, the logic is somewhat
    > reversed. This is a production sanitizer.cfg I use at a site with a
    > moderate volume of email. The "logical" description of the policy is
    > described pretty well in the comments:
    > 1. Drop attachments with names that are known to be bad
    > 2. Quarantine all executable attachments
    > 3. Run *everything* else through a virus scanner. Yes, even text
    > and HTML attachments (since the mime types and extensions have
    > the possibility of being faked). If it passes the virus scanner
    > cleanly, the attachment is allowed through, otherwise quarantined.
    >
    > Perhaps you can use this example and the examples that come with
    > Anomy to implement your desired policy...
    >
    > -=- D. J.
    >
    > (Note: the file_list_3_scanner line may be wrapped in email transit as
    > it is longer than 80 chars).
    > ---------------------- begin sanitizer.cfg -----------------------
    > #
    > # Temporary and saved file names use this template
    > #
    > file_name_tpl = /var/quarantine/att-$F-$T-$$$
    >
    > #
    > # Feature switches:
    > #
    > feat_verbose = 1
    > feat_log_inline = 0
    > feat_log_stderr = 1
    > feat_force_name = 1
    > feat_mime_files = 1
    >
    > #
    > # Number of rules below
    > #
    > file_list_rules=3
    >
    > # Drop known evil stuff
    > file_list_1_scanner = 0
    > file_list_1_policy = drop
    > file_list_1 = (?i)((happy99|x-mas|setup|aol4free|ie0199|funlove|flcss).exe
    > file_list_1 += |(mine).zip)
    >
    > # Quarantine any attachments that users should have no reason to mail around
    > file_list_2_scanner = 0
    > file_list_2_policy = save
    > file_list_2 = (?i)(winmail\.dat|\.
    > file_list_2 += (exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|vb[se]?|hta
    > file_list_2 += |sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]
    > file_list_2 += |reg|asd|cil|pps|asx|wm[szd])(\.g?z|\.bz\d?)*)$
    >
    > # Scan *everything* else with the f-prot virus scanner
    > file_list_3_scanner = 0:6:3,8:/usr/local/f-prot/f-prot -ai -archive -dumb %FILENAME
    > file_list_3_policy = accept:save:save:save
    > file_list_3 = .*
    > ----------------------- end sanitizer.cfg ------------------------
    >
    > Leandro Rodrigo Saad Cruz wrote:
    > > Hi all. I'd like to scan my email twice. The first time I'll check to
    > > see if the user can receive an attachment of a file named foo.txt. If he
    > > can receive this attachment I want to scan foo.txt for viruses. Which is
    > > the best way to do this with procmail/sanitizer?
    > >
    > > 1 - invoke sanitizer twice:
    > >
    > > In this case how do I tell procmail to execute the virus scanner
    > > when my first script says the user can receive the file?
    > >
    > > 2 - use two file_list on sanitizer.cfg:
    > >
    > > In this case how do I tell sanitizer to invoke more than one
    > > file_list?
    > >
    > > 3 - use only one script:
    > >
    > > I think it works. But I'd like to keep things separate!
    > >
    > >
    > >
    >
    >
    >

    -- 
    Leandro Rodrigo Saad Cruz
    IT - Inter Business Tecnologia e Servicos (IB)
    http://www.ibnetwork.com.br
    http://db.apache.org/ojb
    http://xingu.sourceforge.net
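
One way to get the "second scanner only if f-prot accepted" behaviour asked about above without a fourth rule, as an added example that is not from the thread or from the Anomy distribution: a wrapper used as the single scanner of the catch-all rule. The script name and install path are hypothetical, and it assumes that `/usr/local/secondscanner` exits 0 only for a file it accepts.

```shell
#!/bin/sh
# chain-scan.sh (hypothetical name): two scanners behind one Anomy rule.
# Assumed use in sanitizer.cfg, keeping the thread's exit-code lists:
#   file_list_3_scanner = 0:6:3,8:/usr/local/bin/chain-scan.sh %FILENAME
#   file_list_3_policy = accept:save:save:save

# Scanner commands; overridable from the environment so the logic can be
# exercised with stand-ins. The second path comes from the question above.
: "${FIRST_SCANNER:=/usr/local/f-prot/f-prot -ai -archive -dumb}"
: "${SECOND_SCANNER:=/usr/local/secondscanner}"

# Exit code reported when only the second scanner objects. 3 is already in
# the scanner line's exit-code lists, so the existing policy quarantines it.
REJECT_CODE=3

chain_scan() {
    file=$1

    # Stage 1: the first scanner. Any non-zero code is passed back unchanged
    # so the exit-code lists in sanitizer.cfg keep their meaning.
    # Unquoted on purpose: the variable holds a command plus its options.
    $FIRST_SCANNER "$file" >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 0 ] || return "$rc"

    # Stage 2: reached only when the first scanner accepted the file.
    # Assumption: the second scanner exits 0 only for a file it accepts.
    $SECOND_SCANNER "$file" >/dev/null 2>&1
    rc=$?
    [ "$rc" -eq 0 ] || return "$REJECT_CODE"
    return 0
}

# Run as a script only when given a file name (Anomy substitutes %FILENAME).
if [ "$#" -gt 0 ]; then
    chain_scan "$1"
    exit $?
fi
```

With the posted policy `accept:save:save:save`, only exit code 0 from both scanners lets the attachment through; any other result is quarantined.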
    


