anomy-list

"Filtered" Attachment Types Are Slipping Through Anyway

From: Robinson, Eric (113009@xyz.molar.is)
Date: Thu 29 Jan 2004 - 23:28:51 GMT

  • Next message: APPANAH Ravi: "Problem dropping zip files from W32/Mydoom@MM"

    Over the past few days I have received worm messages with .pif and .zip
    attachments. Both of these are listed as dangerous in my anomy.conf
    (.pifs were already listed, and I moved .zips into the list myself).

    What's going on here?

    Here's my anomy.conf...

    # stuff to try to turn off the annoying message inclusions
    msg_log_prefix =
    msg_file_drop =
    feat_log_trace = 0
    feat_log_after = 0
    feat_paranoid = 0

    # Do not log to STDERR:
    feat_log_stderr = 0

    # Don't insert log in the message itself:
    feat_log_inline = 0

    # Advertisement to insert in each mail header:
    header_info = X-Sanitizer: Advosys mail filter
    header_url = 0
    header_rev = 0

    # Enable filename based policy decisions:
    feat_files = 1

    # Protect against buffer overflows and null values:
    feat_lengths = 1

    # Replace MIME boundaries with our own (0 = disabled):
    feat_boundaries = 0

    # Fix invalid and ambiguous MIME boundaries, if possible (1 = enabled):
    feat_fixmime = 1

    # Trust signed and/or encrypted messages:
    feat_trust_pgp = 1
    msg_pgp_warning = WARNING: Unsanitized content follows.\n

    # Defang shell scripts:
    feat_scripts = 1

    # defang active HTML:
    feat_html = 1

    # Defang UUEncoded files:
    feat_uuencoded = 0

    # Sanitize forwarded content too:
    feat_forwards = 1

    # Testing? Set to 1 for testing, 0 for production:
    feat_testing = 0

    # Warn user about unscanned parts, etc.
    feat_verbose = 0

    # Force all parts (except text/html parts) to have file names
    # (1 = enabled):
    feat_force_name = 1

    # disable web bugs:
    feat_webbugs = 1

    # Disable "score" based mail discarding:
    score_panic = 0
    score_bad = 0

    msg_file_drop = \n*****\n
    msg_file_drop += NOTE: An attachment named %FILENAME was deleted from
    msg_file_drop += this message because it contained a windows executable
    msg_file_drop += or other potentially dangerous file type.
    msg_file_drop += Contact the system administrator for more information.

    ##
    ## File attachment name mangling rules:
    ##

    # Specify the Anomy temp file and quarantine directory
    file_name_tpl = /var/spool/filter/att-$F-$T.$$

    # Number of rulesets we are defining:
    file_list_rules = 2
    file_default_policy = defang

    # Delete probably nasty attachments:
    file_list_1 = (?i)(winmail.dat)|
    file_list_1 += (\.(zip|exe|com|vb[se]|dll|ocx|cmd|bat|pif|lnk|hlp|ms[ip]|reg|sct|inf
    file_list_1 += |asd|cab|sh[sb]|scr|cpl|chm|ws[fhc]|hta|vcd|vcf|eml|nws))$
    file_list_1_policy = drop
    file_list_1_scanner = 0

    # Allow known "safe" file types and those that will be
    # scanned by the user's desktop virus scanner:
    file_list_2 = (?i)\.
    # Word processor and document formats:
    file_list_2 += (doc|dot|txt|rtf|pdf|ps|htm|[sp]?html?
    # Spreadsheets:
    file_list_2 += |xls|xlw|xlt|csv|wk[1-4]
    # Presentation applications:
    file_list_2 += |ppt|pps|pot
    # Bitmap graphic files:
    file_list_2 += |jpe?g|gif|png|tiff?|bmp|psd|pcx
    # Vector graphics and diagramming:
    file_list_2 += |vsd|drw|cdr|swf
    # Multimedia:
    file_list_2 += |mp3|avi|mpe?g|mov|ram?|mid|ogg
    # Archives:
    file_list_2 += |g?z|rar|tgz|bz2|tar
    # Source code. The closing $ anchors the pattern so the extension must end
    # the name; without it, e.g. the "s" alternative would also accept any
    # name containing ".s" (such as .sys):
    file_list_2 += |[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)$
    file_list_2_policy = accept
    file_list_2_scanner = 0

    # Any file type not listed above gets renamed to prevent
    # ms outlook from auto-executing it.

    --Eric Robinson

    DISCLAIMER: This e-mail is intended solely for the above-mentioned recipient and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at 775-885-2211 and delete the e-mail. You must not copy, distribute, disclose or take any action in reliance on it.

    This e-mail message and any attached files have been scanned for the presence of computer viruses. However, you are advised that you open any attachments at your own risk.

    hosted by molar.is
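Re-checking the two rule lists as posted, as an added example that is not from the original post or from Anomy itself: the script below applies the file_list_1 and file_list_2 regexes to constructed sample names and shows that .pif and .zip names do match the drop rule as written, and that the unanchored accept rule also matches names such as driver.sys. It assumes (this script's own model of the evaluation) that rules are tried in order, the first match decides, and file_default_policy applies otherwise.

```python
import re

# Rule lists copied from the anomy.conf in the post (file_list_1 / file_list_2);
# the "+=" fragments have been joined into single patterns.
FILE_LIST_1 = (r"(?i)(winmail.dat)|"
               r"(\.(zip|exe|com|vb[se]|dll|ocx|cmd|bat|pif|lnk|hlp|ms[ip]|reg|sct|inf"
               r"|asd|cab|sh[sb]|scr|cpl|chm|ws[fhc]|hta|vcd|vcf|eml|nws))$")
FILE_LIST_2 = (r"(?i)\.(doc|dot|txt|rtf|pdf|ps|htm|[sp]?html?"
               r"|xls|xlw|xlt|csv|wk[1-4]|ppt|pps|pot"
               r"|jpe?g|gif|png|tiff?|bmp|psd|pcx|vsd|drw|cdr|swf"
               r"|mp3|avi|mpe?g|mov|ram?|mid|ogg|g?z|rar|tgz|bz2|tar"
               r"|[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)")


def build_rules(anchor_accept_list=False):
    """Return (compiled pattern, policy) pairs in file_list order.

    Assumption (this script's model, not Anomy's code): rules are tried in
    order and the first match decides. anchor_accept_list=True appends '$'
    to file_list_2, which the posted config lacks.
    """
    accept = FILE_LIST_2 + ("$" if anchor_accept_list else "")
    return [(re.compile(FILE_LIST_1), "drop"), (re.compile(accept), "accept")]


def classify(filename, anchor_accept_list=False, default_policy="defang"):
    """Policy the posted rules would pick for one attachment file name."""
    for pattern, policy in build_rules(anchor_accept_list):
        if pattern.search(filename):
            return policy
    return default_policy  # file_default_policy = defang in the post


if __name__ == "__main__":
    # Constructed sample names, including the worm-style ones from the post.
    for name in ["document.zip", "readme.pif", "WINMAIL.DAT", "report.doc",
                 "driver.sys", "invoice.txt.xyz", "notes.xyz"]:
        print(f"{name:16} as posted: {classify(name):7} "
              f"anchored: {classify(name, anchor_accept_list=True)}")
```

If a .pif or .zip name still gets through with these rules, the name the sanitizer actually matched against is worth checking, since the patterns themselves do catch such names.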