Paolo wrote:
> % sanitizer anomy.cfg < msg 2>&1|less
>
>
OK, I got a clean original copy of the email (not through anomy) and
plugged it into the above. The following lists what happened. This bit
seems suspicious:
" Match (names="Odyssey_OurPeopleAdd.jpg", rule="2"):
Enforced policy: accept
File name doesn't match file contents, defanging.
Replaced mime type with: application/DEFANGED-240
Replaced file name with: Odyssey_OurPeopleAdd_jpg.DEFANGED-240
"
Also, I have sent the files to the same recipient as an attachment to
Thunderbird and they go through unscathed.
===================================== Start trace
Sanitizer (start="1177466027"):
ParseHeader ():
Using <146749@xyz.molar.is> as reply-to address.
Using <146749@xyz.molar.is> as errors address.
Got MIME info: _boundpre="--", _disposition="inline",
_encoding="8bit", _type="multipart/mixed",
boundary="----=_NextPart_000_0182_01C786C5.023C6420",
charset="iso-8859-1",
undecoded-boundary="----=_NextPart_000_0182_01C786C5.023C6420"
Finished parsing message header.
Parsing body as multipart/*
CleanMultipart
Replaced MIME boundary: >>----=_NextPart_000_0182_01C786C5.023C6420<<
with: >>MIMEStream=_0+215243_3681013374853_88117470974<<
Writer (pos="1541"):
Set MIME info to: _boundpre="--", _disposition="inline",
_encoding="8bit", _type="multipart/mixed",
boundary="MIMEStream=_0+215243_3681013374853_88117470974",
charset="iso-8859-1",
undecoded-boundary="----=_NextPart_000_0182_01C786C5.023C6420"
Total modifications so far: 5
ParserUnclosedMultipart
Part (pos="1631"):
ParseHeader ():
Got MIME info: _boundpre="--", _disposition="inline",
_encoding="7bit", _type="text/plain", boundary="", charset="us-ascii"
Parsing body as text/*
CleanUnknown
CleanText
SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
Rule 1:
(?i)(winmail\.dat|\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]|isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp|ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht|url|exe|ws[cfh]|ops|com|prx|mim|uue|uu|b64|bhx|hqx|xxe))
*
Rule 2:
(?i)\.(doc|dot|txt|rtf|pdf|sxw|e?ps|htm|[sp]?html?|xls|xlw|xlt|csv|sxc|wk[1-4]|ppt|pps|pot|sxi|jpe?g|gif|png|tiff?|bmp|psd|pcx|vsd|drw|cdr|ai|mp3|avi|mpe?g|mov|qtw|ram?|ogg|vcf|zip|g?z|tgz|bz2|tar|[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
Match (names="unnamed.txt", rule="2"):
Enforced policy: accept
Writer (pos="79"):
Set MIME info to: _boundpre="--", _disposition="inline",
_encoding="7bit", _type="text/plain", boundary="", charset="us-ascii"
Part (pos="1953"):
ParseHeader ():
Got MIME info: _boundpre="--", _disposition="inline",
_encoding="8bit", _type="multipart/appledouble",
boundary="----=_NextPart_001_0185_01C786C5.023C6420",
charset="iso-8859-1",
undecoded-boundary="----=_NextPart_001_0185_01C786C5.023C6420"
Parsing body as multipart/*
CleanMultipart
Replaced MIME boundary: >>----=_NextPart_001_0185_01C786C5.023C6420<<
with: >>MIMEStream=_1+265107_56847797513252_3755013745<<
Writer (pos="92"):
Set MIME info to: _boundpre="--", _disposition="inline",
_encoding="8bit", _type="multipart/appledouble",
boundary="MIMEStream=_1+265107_56847797513252_3755013745",
charset="iso-8859-1",
undecoded-boundary="----=_NextPart_001_0185_01C786C5.023C6420"
ParserUnclosedMultipart
Part (pos="137"):
ParseHeader ():
Got MIME info: _boundpre="--", _disposition="attachment",
_encoding="base64", _type="application/applefile", boundary="",
charset="iso-8859-1", filename="Odyssey_OurPeopleAdd.jpg",
name="Odyssey_OurPeopleAdd.jpg"
Parsing body as DEFAULT.
CleanUnknown
SanitizeFile (filename="Odyssey_OurPeopleAdd.jpg",
mimetype="application/applefile"):
Rule 1:
(?i)(winmail\.dat|\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]|isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp|ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht|url|exe|ws[cfh]|ops|com|prx|mim|uue|uu|b64|bhx|hqx|xxe))
*
Rule 2:
(?i)\.(doc|dot|txt|rtf|pdf|sxw|e?ps|htm|[sp]?html?|xls|xlw|xlt|csv|sxc|wk[1-4]|ppt|pps|pot|sxi|jpe?g|gif|png|tiff?|bmp|psd|pcx|vsd|drw|cdr|ai|mp3|avi|mpe?g|mov|qtw|ram?|ogg|vcf|zip|g?z|tgz|bz2|tar|[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
Match (names="Odyssey_OurPeopleAdd.jpg", rule="2"):
Enforced policy: accept
File name doesn't match file contents, defanging.
Replaced mime type with: application/DEFANGED-240
Replaced file name with: Odyssey_OurPeopleAdd_jpg.DEFANGED-240
Writer (pos="175"):
Set MIME info to: _boundpre="--", _disposition="attachment",
_encoding="base64", _type="application/DEFANGED-240", boundary="",
charset="iso-8859-1", filename="Odyssey_OurPeopleAdd_jpg.DEFANGED-240",
name="Odyssey_OurPeopleAdd_jpg.DEFANGED-240"
ParserCat
Part (pos="63429"):
ParseHeader ():
Got MIME info: _boundpre="--", _disposition="attachment",
_encoding="base64", _type="image/jpeg", boundary="",
charset="iso-8859-1", filename="Odyssey_OurPeopleAdd.jpg",
name="Odyssey_OurPeopleAdd.jpg"
Parsing body as DEFAULT.
CleanUnknown
SanitizeFile (filename="Odyssey_OurPeopleAdd.jpg, filetype.jpeg",
mimetype="image/jpeg"):
Rule 1:
(?i)(winmail\.dat|\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]|isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp|ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht|url|exe|ws[cfh]|ops|com|prx|mim|uue|uu|b64|bhx|hqx|xxe))
*
Rule 2:
(?i)\.(doc|dot|txt|rtf|pdf|sxw|e?ps|htm|[sp]?html?|xls|xlw|xlt|csv|sxc|wk[1-4]|ppt|pps|pot|sxi|jpe?g|gif|png|tiff?|bmp|psd|pcx|vsd|drw|cdr|ai|mp3|avi|mpe?g|mov|qtw|ram?|ogg|vcf|zip|g?z|tgz|bz2|tar|[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
Match (names="Odyssey_OurPeopleAdd.jpg, filetype.jpeg", rule="2"):
Enforced policy: accept
Writer (pos="164"):
Set MIME info to: _boundpre="--", _disposition="attachment",
_encoding="base64", _type="image/jpeg", boundary="",
charset="iso-8859-1", filename="Odyssey_OurPeopleAdd.jpg",
name="Odyssey_OurPeopleAdd.jpg"
ParserCat
Part (pos="235808"):
ParseHeader ():
Got MIME info: _boundpre="--", _disposition="inline",
_encoding="8bit", _type="multipart/appledouble",
boundary="----=_NextPart_001_0186_01C786C5.023DEAC0",
charset="iso-8859-1",
undecoded-boundary="----=_NextPart_001_0186_01C786C5.023DEAC0"
Parsing body as multipart/*
CleanMultipart
Replaced MIME boundary: >>----=_NextPart_001_0186_01C786C5.023DEAC0<<
with: >>MIMEStream=_2+119775_00255312210166_5223443977<<
Writer (pos="92"):
Set MIME info to: _boundpre="--", _disposition="inline",
_encoding="8bit", _type="multipart/appledouble",
boundary="MIMEStream=_2+119775_00255312210166_5223443977",
charset="iso-8859-1",
undecoded-boundary="----=_NextPart_001_0186_01C786C5.023DEAC0"
ParserUnclosedMultipart
Part (pos="137"):
ParseHeader ():
Got MIME info: _boundpre="--", _disposition="attachment",
_encoding="base64", _type="application/applefile", boundary="",
charset="iso-8859-1", filename="ODYSSEYADD_Travis.jpg",
name="ODYSSEYADD_Travis.jpg"
Parsing body as DEFAULT.
CleanUnknown
SanitizeFile (filename="ODYSSEYADD_Travis.jpg",
mimetype="application/applefile"):
Rule 1:
(?i)(winmail\.dat|\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]|isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp|ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht|url|exe|ws[cfh]|ops|com|prx|mim|uue|uu|b64|bhx|hqx|xxe))
*
Rule 2:
(?i)\.(doc|dot|txt|rtf|pdf|sxw|e?ps|htm|[sp]?html?|xls|xlw|xlt|csv|sxc|wk[1-4]|ppt|pps|pot|sxi|jpe?g|gif|png|tiff?|bmp|psd|pcx|vsd|drw|cdr|ai|mp3|avi|mpe?g|mov|qtw|ram?|ogg|vcf|zip|g?z|tgz|bz2|tar|[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
Match (names="ODYSSEYADD_Travis.jpg", rule="2"):
Enforced policy: accept
File name doesn't match file contents, defanging.
Replaced mime type with: application/DEFANGED-242
Replaced file name with: ODYSSEYADD_Travis_jpg.DEFANGED-242
Writer (pos="169"):
Set MIME info to: _boundpre="--", _disposition="attachment",
_encoding="base64", _type="application/DEFANGED-242", boundary="",
charset="iso-8859-1", filename="ODYSSEYADD_Travis_jpg.DEFANGED-242",
name="ODYSSEYADD_Travis_jpg.DEFANGED-242"
ParserCat
Part (pos="77323"):
ParseHeader ():
Got MIME info: _boundpre="--", _disposition="attachment",
_encoding="base64", _type="image/jpeg", boundary="",
charset="iso-8859-1", filename="ODYSSEYADD_Travis.jpg",
name="ODYSSEYADD_Travis.jpg"
Parsing body as DEFAULT.
CleanUnknown
SanitizeFile (filename="ODYSSEYADD_Travis.jpg, filetype.jpeg",
mimetype="image/jpeg"):
Rule 1:
(?i)(winmail\.dat|\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]|isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp|ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht|url|exe|ws[cfh]|ops|com|prx|mim|uue|uu|b64|bhx|hqx|xxe))
*
Rule 2:
(?i)\.(doc|dot|txt|rtf|pdf|sxw|e?ps|htm|[sp]?html?|xls|xlw|xlt|csv|sxc|wk[1-4]|ppt|pps|pot|sxi|jpe?g|gif|png|tiff?|bmp|psd|pcx|vsd|drw|cdr|ai|mp3|avi|mpe?g|mov|qtw|ram?|ogg|vcf|zip|g?z|tgz|bz2|tar|[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
Match (names="ODYSSEYADD_Travis.jpg, filetype.jpeg", rule="2"):
Enforced policy: accept
Writer (pos="158"):
Set MIME info to: _boundpre="--", _disposition="attachment",
_encoding="base64", _type="image/jpeg", boundary="",
charset="iso-8859-1", filename="ODYSSEYADD_Travis.jpg",
name="ODYSSEYADD_Travis.jpg"
ParserCat
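
Added example (not part of the original message, and not Anomy's own code): a name-versus-content check run over a constructed multipart/appledouble pair like the one in the trace, showing why the application/applefile half named *.jpg is flagged while the image/jpeg half passes. The magic-byte table, the allow_applefile switch and the sample file name are assumptions made for illustration.

```python
import email, os.path
from email import encoders
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart

MAGIC = [  # leading bytes -> sniffed kind
    (b"\x00\x05\x16\x07", "appledouble"),  # AppleDouble header file (Mac metadata)
    (b"\x00\x05\x16\x00", "applesingle"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF8", "gif"),
]
EXT_EXPECTS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

def sniff(data):
    return next((kind for magic, kind in MAGIC if data.startswith(magic)), "unknown")

def check_parts(msg, allow_applefile=False):
    """Return (filename, declared type, sniffed kind, verdict) per named part."""
    rows = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and unnamed text parts
        ctype = part.get_content_type()
        sniffed = sniff(part.get_payload(decode=True) or b"")
        expected = EXT_EXPECTS.get(os.path.splitext(name)[1].lower())
        if expected is None:
            verdict = "unchecked"
        elif sniffed == expected:
            verdict = "ok"
        elif allow_applefile and ctype == "application/applefile" and sniffed == "appledouble":
            verdict = "mac-metadata"  # header half of an appledouble pair
        else:
            verdict = "mismatch"      # the condition the trace reports before defanging
        rows.append((name, ctype, sniffed, verdict))
    return rows

def build_sample():
    """Constructed message: one multipart/appledouble pair, both parts named *.jpg."""
    outer = MIMEMultipart("appledouble")
    bodies = [("application", "applefile", b"\x00\x05\x16\x07\x00\x02\x00\x00" + b"\x00" * 18),
              ("image", "jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")]
    for maintype, subtype, body in bodies:
        part = MIMEBase(maintype, subtype)
        part.set_payload(body)
        encoders.encode_base64(part)
        part.add_header("Content-Disposition", "attachment", filename="sample_photo.jpg")
        outer.attach(part)
    return email.message_from_bytes(outer.as_bytes())
```

With the default setting, check_parts(build_sample()) marks the applefile part "mismatch" and the image/jpeg part "ok", the same split the trace shows for each attachment.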