anomy-list

Re: Unexpected defanging of jpg images.

From: Jeremy A (146655@xyz.molar.is)
Date: Wed 25 Apr 2007 - 02:05:10 GMT


    Paolo wrote:
    > % sanitizer anomy.cfg < msg 2>&1|less
    >
    >

    OK, I got a clean original copy of the email (not through anomy) and
    plugged it into the above. The following lists what happened. This bit
    seems suspicious:

    " Match (names="Odyssey_OurPeopleAdd.jpg", rule="2"):
              Enforced policy: accept

            File name doesn't match file contents, defanging.
            Replaced mime type with: application/DEFANGED-240
            Replaced file name with: Odyssey_OurPeopleAdd_jpg.DEFANGED-240
    "

    Also, I have sent the files to the same recipient as an attachment to
    Thunderbird and they go through unscathed.

    ===================================== Start trace

    Sanitizer (start="1177466027"):
      ParseHeader ():
        Using <146749@xyz.molar.is> as reply-to address.
        Using <146749@xyz.molar.is> as errors address.
        Got MIME info: _boundpre="--", _disposition="inline",
    _encoding="8bit", _type="multipart/mixed",
    boundary="----=_NextPart_000_0182_01C786C5.023C6420",
    charset="iso-8859-1",
    undecoded-boundary="----=_NextPart_000_0182_01C786C5.023C6420"

      Finished parsing message header.
      Parsing body as multipart/*
      CleanMultipart
      Replaced MIME boundary: >>----=_NextPart_000_0182_01C786C5.023C6420<<
                        with: >>MIMEStream=_0+215243_3681013374853_88117470974<<
      Writer (pos="1541"):
        Set MIME info to: _boundpre="--", _disposition="inline",
    _encoding="8bit", _type="multipart/mixed",
    boundary="MIMEStream=_0+215243_3681013374853_88117470974",
    charset="iso-8859-1",
    undecoded-boundary="----=_NextPart_000_0182_01C786C5.023C6420"
        Total modifications so far: 5

      ParserUnclosedMultipart
      Part (pos="1631"):
        ParseHeader ():
          Got MIME info: _boundpre="--", _disposition="inline",
    _encoding="7bit", _type="text/plain", boundary="", charset="us-ascii"

        Parsing body as text/*
        CleanUnknown
        CleanText
        SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
          Rule 1:
    (?i)(winmail\.dat|\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]|isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp|ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht|url|exe|ws[cfh]|ops|com|prx|mim|uue|uu|b64|bhx|hqx|xxe))
    *
          Rule 2:
    (?i)\.(doc|dot|txt|rtf|pdf|sxw|e?ps|htm|[sp]?html?|xls|xlw|xlt|csv|sxc|wk[1-4]|ppt|pps|pot|sxi|jpe?g|gif|png|tiff?|bmp|psd|pcx|vsd|drw|cdr|ai|mp3|avi|mpe?g|mov|qtw|ram?|ogg|vcf|zip|g?z|tgz|bz2|tar|[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
          Match (names="unnamed.txt", rule="2"):
            Enforced policy: accept

        Writer (pos="79"):
          Set MIME info to: _boundpre="--", _disposition="inline",
    _encoding="7bit", _type="text/plain", boundary="", charset="us-ascii"

      Part (pos="1953"):
        ParseHeader ():
          Got MIME info: _boundpre="--", _disposition="inline",
    _encoding="8bit", _type="multipart/appledouble",
    boundary="----=_NextPart_001_0185_01C786C5.023C6420",
    charset="iso-8859-1",
    undecoded-boundary="----=_NextPart_001_0185_01C786C5.023C6420"

        Parsing body as multipart/*
        CleanMultipart
        Replaced MIME boundary: >>----=_NextPart_001_0185_01C786C5.023C6420<<
                          with: >>MIMEStream=_1+265107_56847797513252_3755013745<<
        Writer (pos="92"):
          Set MIME info to: _boundpre="--", _disposition="inline",
    _encoding="8bit", _type="multipart/appledouble",
    boundary="MIMEStream=_1+265107_56847797513252_3755013745",
    charset="iso-8859-1",
    undecoded-boundary="----=_NextPart_001_0185_01C786C5.023C6420"

        ParserUnclosedMultipart
        Part (pos="137"):
          ParseHeader ():
            Got MIME info: _boundpre="--", _disposition="attachment",
    _encoding="base64", _type="application/applefile", boundary="",
    charset="iso-8859-1", filename="Odyssey_OurPeopleAdd.jpg",
    name="Odyssey_OurPeopleAdd.jpg"

          Parsing body as DEFAULT.
          CleanUnknown
          SanitizeFile (filename="Odyssey_OurPeopleAdd.jpg",
    mimetype="application/applefile"):
            Rule 1:
    (?i)(winmail\.dat|\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]|isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp|ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht|url|exe|ws[cfh]|ops|com|prx|mim|uue|uu|b64|bhx|hqx|xxe))
    *
            Rule 2:
    (?i)\.(doc|dot|txt|rtf|pdf|sxw|e?ps|htm|[sp]?html?|xls|xlw|xlt|csv|sxc|wk[1-4]|ppt|pps|pot|sxi|jpe?g|gif|png|tiff?|bmp|psd|pcx|vsd|drw|cdr|ai|mp3|avi|mpe?g|mov|qtw|ram?|ogg|vcf|zip|g?z|tgz|bz2|tar|[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
            Match (names="Odyssey_OurPeopleAdd.jpg", rule="2"):
              Enforced policy: accept

            File name doesn't match file contents, defanging.
            Replaced mime type with: application/DEFANGED-240
            Replaced file name with: Odyssey_OurPeopleAdd_jpg.DEFANGED-240

          Writer (pos="175"):
            Set MIME info to: _boundpre="--", _disposition="attachment",
    _encoding="base64", _type="application/DEFANGED-240", boundary="",
    charset="iso-8859-1", filename="Odyssey_OurPeopleAdd_jpg.DEFANGED-240",
    name="Odyssey_OurPeopleAdd_jpg.DEFANGED-240"

          ParserCat

        Part (pos="63429"):
          ParseHeader ():
            Got MIME info: _boundpre="--", _disposition="attachment",
    _encoding="base64", _type="image/jpeg", boundary="",
    charset="iso-8859-1", filename="Odyssey_OurPeopleAdd.jpg",
    name="Odyssey_OurPeopleAdd.jpg"

          Parsing body as DEFAULT.
          CleanUnknown
          SanitizeFile (filename="Odyssey_OurPeopleAdd.jpg, filetype.jpeg",
    mimetype="image/jpeg"):
            Rule 1:
    (?i)(winmail\.dat|\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]|isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp|ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht|url|exe|ws[cfh]|ops|com|prx|mim|uue|uu|b64|bhx|hqx|xxe))
    *
            Rule 2:
    (?i)\.(doc|dot|txt|rtf|pdf|sxw|e?ps|htm|[sp]?html?|xls|xlw|xlt|csv|sxc|wk[1-4]|ppt|pps|pot|sxi|jpe?g|gif|png|tiff?|bmp|psd|pcx|vsd|drw|cdr|ai|mp3|avi|mpe?g|mov|qtw|ram?|ogg|vcf|zip|g?z|tgz|bz2|tar|[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
            Match (names="Odyssey_OurPeopleAdd.jpg, filetype.jpeg", rule="2"):
              Enforced policy: accept

          Writer (pos="164"):
            Set MIME info to: _boundpre="--", _disposition="attachment",
    _encoding="base64", _type="image/jpeg", boundary="",
    charset="iso-8859-1", filename="Odyssey_OurPeopleAdd.jpg",
    name="Odyssey_OurPeopleAdd.jpg"

          ParserCat

      Part (pos="235808"):
        ParseHeader ():
          Got MIME info: _boundpre="--", _disposition="inline",
    _encoding="8bit", _type="multipart/appledouble",
    boundary="----=_NextPart_001_0186_01C786C5.023DEAC0",
    charset="iso-8859-1",
    undecoded-boundary="----=_NextPart_001_0186_01C786C5.023DEAC0"

        Parsing body as multipart/*
        CleanMultipart
        Replaced MIME boundary: >>----=_NextPart_001_0186_01C786C5.023DEAC0<<
                          with: >>MIMEStream=_2+119775_00255312210166_5223443977<<
        Writer (pos="92"):
          Set MIME info to: _boundpre="--", _disposition="inline",
    _encoding="8bit", _type="multipart/appledouble",
    boundary="MIMEStream=_2+119775_00255312210166_5223443977",
    charset="iso-8859-1",
    undecoded-boundary="----=_NextPart_001_0186_01C786C5.023DEAC0"

        ParserUnclosedMultipart
        Part (pos="137"):
          ParseHeader ():
            Got MIME info: _boundpre="--", _disposition="attachment",
    _encoding="base64", _type="application/applefile", boundary="",
    charset="iso-8859-1", filename="ODYSSEYADD_Travis.jpg",
    name="ODYSSEYADD_Travis.jpg"

          Parsing body as DEFAULT.
          CleanUnknown
          SanitizeFile (filename="ODYSSEYADD_Travis.jpg",
    mimetype="application/applefile"):
            Rule 1:
    (?i)(winmail\.dat|\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]|isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp|ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht|url|exe|ws[cfh]|ops|com|prx|mim|uue|uu|b64|bhx|hqx|xxe))
    *
            Rule 2:
    (?i)\.(doc|dot|txt|rtf|pdf|sxw|e?ps|htm|[sp]?html?|xls|xlw|xlt|csv|sxc|wk[1-4]|ppt|pps|pot|sxi|jpe?g|gif|png|tiff?|bmp|psd|pcx|vsd|drw|cdr|ai|mp3|avi|mpe?g|mov|qtw|ram?|ogg|vcf|zip|g?z|tgz|bz2|tar|[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
            Match (names="ODYSSEYADD_Travis.jpg", rule="2"):
              Enforced policy: accept

            File name doesn't match file contents, defanging.
            Replaced mime type with: application/DEFANGED-242
            Replaced file name with: ODYSSEYADD_Travis_jpg.DEFANGED-242

          Writer (pos="169"):
            Set MIME info to: _boundpre="--", _disposition="attachment",
    _encoding="base64", _type="application/DEFANGED-242", boundary="",
    charset="iso-8859-1", filename="ODYSSEYADD_Travis_jpg.DEFANGED-242",
    name="ODYSSEYADD_Travis_jpg.DEFANGED-242"

          ParserCat

        Part (pos="77323"):
          ParseHeader ():
            Got MIME info: _boundpre="--", _disposition="attachment",
    _encoding="base64", _type="image/jpeg", boundary="",
    charset="iso-8859-1", filename="ODYSSEYADD_Travis.jpg",
    name="ODYSSEYADD_Travis.jpg"

          Parsing body as DEFAULT.
          CleanUnknown
          SanitizeFile (filename="ODYSSEYADD_Travis.jpg, filetype.jpeg",
    mimetype="image/jpeg"):
            Rule 1:
    (?i)(winmail\.dat|\.([23]86|vb[se]|jse|cpl|crt|chm|cpl|in[fsi]|isp|dll|drv|cmd|sc[rt]|sys|bat|pif|lnk|hlp|ms[cip]|reg|asd|sh[bs]|app|ocx|ht[ta]|mht|url|exe|ws[cfh]|ops|com|prx|mim|uue|uu|b64|bhx|hqx|xxe))
    *
            Rule 2:
    (?i)\.(doc|dot|txt|rtf|pdf|sxw|e?ps|htm|[sp]?html?|xls|xlw|xlt|csv|sxc|wk[1-4]|ppt|pps|pot|sxi|jpe?g|gif|png|tiff?|bmp|psd|pcx|vsd|drw|cdr|ai|mp3|avi|mpe?g|mov|qtw|ram?|ogg|vcf|zip|g?z|tgz|bz2|tar|[ch](pp|\+\+)?|s|inc|asm|patch|java|php\d?|jsp|bas)
            Match (names="ODYSSEYADD_Travis.jpg, filetype.jpeg", rule="2"):
              Enforced policy: accept

          Writer (pos="158"):
            Set MIME info to: _boundpre="--", _disposition="attachment",
    _encoding="base64", _type="image/jpeg", boundary="",
    charset="iso-8859-1", filename="ODYSSEYADD_Travis.jpg",
    name="ODYSSEYADD_Travis.jpg"

          ParserCat
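
In the trace, the only parts that get defanged are the first members of each multipart/appledouble container: they are declared application/applefile but carry the .jpg file name, while the image/jpeg parts with the same name are accepted. The following is an added illustration, not Anomy's code and not part of the original post: it walks a message and compares each named part's leading bytes with what its extension implies. The sample message, the `sniff` and `audit` helpers and the extension table are constructed for the example.

```python
import base64
from email import message_from_string

# Leading-byte signatures: AppleDouble / AppleSingle headers (RFC 1740)
# and the JPEG start-of-image marker.
MAGIC = [
    (b"\x00\x05\x16\x07", "appledouble"),
    (b"\x00\x05\x16\x00", "applesingle"),
    (b"\xff\xd8\xff", "jpeg"),
]
# What content a file extension promises (assumption: only JPEG is modelled).
EXT_EXPECTS = {"jpg": "jpeg", "jpeg": "jpeg"}

def sniff(data):
    """Return the detected content kind for a byte string."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def audit(msg):
    """List (declared type, file name, detected kind, name matches content)."""
    rows = []
    for part in msg.walk():
        name = part.get_filename()
        if part.is_multipart() or not name:
            continue
        kind = sniff(part.get_payload(decode=True) or b"")
        expected = EXT_EXPECTS.get(name.rsplit(".", 1)[-1].lower())
        ok = expected is None or kind == expected
        rows.append((part.get_content_type(), name, kind, ok))
    return rows

def _part(ctype, body):
    """Build one base64 attachment named photo.jpg (constructed sample data)."""
    return ('--b1\nContent-Type: %s; name="photo.jpg"\n'
            'Content-Transfer-Encoding: base64\n'
            'Content-Disposition: attachment; filename="photo.jpg"\n\n%s\n'
            % (ctype, base64.b64encode(body).decode()))

# Constructed message shaped like the one in the trace: a resource-fork
# header part and the real image, both carrying the same .jpg name.
SAMPLE = message_from_string(
    'MIME-Version: 1.0\nContent-Type: multipart/appledouble; boundary="b1"\n\n'
    + _part("application/applefile", b"\x00\x05\x16\x07\x00\x02\x00\x00" + b"\x00" * 16)
    + _part("image/jpeg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
    + "--b1--\n")

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The application/applefile part is flagged because its bytes are an AppleDouble header, not JPEG data, which is the same kind of name/content disagreement the trace reports.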


