procmail-sanitizer.tar.gz: html-trap.procmail.nomacroscan

"Fossies" - the Fresh Open Source Software Archive

Member "html-trap.procmail.nomacroscan" (20 Jan 2006, 64750 Bytes) of package /linux/privat/old/procmail-sanitizer.tar.gz:

As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

A hint: This file contains one or more very long lines, so maybe it is better readable using the pure text view mode that shows the contents as wrapped lines within the browser window.

1 ### Copyright (C) 1997-2004 John D. Hardin 2 ### This program is free software; you can redistribute it and/or modify 3 ### it under the terms of the GNU General Public License as published by 4 ### the Free Software Foundation; either version 2 of the License, or 5 ### (at your option) any later version. 6 ### 7 ### This program is distributed in the hope that it will be useful, 8 ### but WITHOUT ANY WARRANTY; without even the implied warranty of 9 ### MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 10 ### GNU General Public License for more details. 11 ### 12 ### Contact the copyright holder for commercial licensing terms 13 ### if you wish to incorporate this code or portions of it into 14 ### non-GPL software. 15 ### 16 # 17 # <jhardin@impsec.org> 18 # $Id: html-trap.procmail,v 1.151 2006-01-20 07:29:24-08 jhardin Exp jhardin $ 19 # 20 # Baroquely complex Procmail and Perl recipe to defang active-content HTML tags 21 # to protect those people foolish enough to read their mail from a web browser 22 # or HTML-enabled mail client. Also mangles the attachment name on executable 23 # attachments to prevent attacks, at the cost of not being able to run 24 # programs from within your mail client - which you shouldn't do anyway. 25 # Also protects against excessively long filenames in attachments, which 26 # can cause nasty things to happen in some clients, and excessively long 27 # MIME headers, which may crash or allow exploits of some clients. 28 # 29 # All of the configuration options discussed below must be set in the 30 # procmail script that calls this filter, before this filter is called. 31 # Please see http://www.impsec.org/email-tools/sanitizer-configuration.html 32 # for complete documentation of all configuration options. 33 # 34 # If you wish to override the default list of executable extensions, 35 # set MANGLE_EXTENSIONS to a regexp (see where it is defined below for 36 # the proper syntax). DO NOT start or end it with a vertical bar or have 37 # two adjacent vertical bars! 38 # 39 # If you wish to block specific executable or document filenames from 40 # attachments, define $POISONED_EXECUTABLES to point at a filename 41 # containing one filename per line, with no leading spaces. Trailing spaces 42 # and comments (beginning with "#") are permitted. 43 # Case is ignored. Wildcards are allowed, using a mishmash of filename 44 # globbing and regular expression syntax. 45 # 46 # Site policy for trapped messages can be specified within limited bounds. 47 # To redirect poisoned messages to a file or directory, set 48 # $SECURITY_QUARANTINE to the name of the file or directory. To notify 49 # administrator(s), set $SECURITY_NOTIFY and/or $SECURITY_NOTIFY_VERBOSE to a 50 # comma-delimited address list. The _VERBOSE recipients will get the whole 51 # message. 52 # 53 # If the trapped message cannot be saved in $SECURITY_QUARANTINE for any 54 # reason, the message will be bounced unless $SECURITY_QUARANTINE_OPTIONAL is 55 # set to any value. 56 # 57 # This performs limited scanning of attachments for M$ macros which contain 58 # possibly dangerous code (as opposed to specific strings from specific 59 # variants of specific exploits). To disable this scanning, set 60 # $DISABLE_MACRO_CHECK to anything. To adjust the score an attachment is 61 # considered "poisoned" at, set $POISONED_SCORE. The default is 25, which 62 # should be okay unless you see valid attachments with complex macros. Set 63 # $SCORE_HISTORY to a filename to track the scores on scanned documents. 64 # If you wish to do profiling before implementing poisoning, set 65 # $SCORE_ONLY to anything to scan and possibly record scores but not 66 # poison. This could also be accomplished by setting $POISONED_SCORE to a 67 # very high value (200?), which would trap attacks while still allowing 68 # profiling. 69 # 70 # This performs scanning of .ZIP archive attachments for filenames. .ZIP 71 # attachments will be handled by the POISON and STRIP lists, and 72 # $ZIPPED_EXECUTABLES lists filespecs that will cause the message to be 73 # quarantined if found in the .ZIP attachment 74 # 75 # If you wish to send a message to the author of a trapped message, set 76 # $SECURITY_NOTIFY_SENDER to any value. To replace the canned message that 77 # is sent to the author of a trapped message, set $SECURITY_NOTIFY_SENDER 78 # to point at a text file for the message body. No variable expansion is 79 # performed on the body of this message. If you want to notify the 80 # sender's postmaster as well, set $SECURITY_NOTIFY_SENDER_POSTMASTER 81 # to any value. If you are not running this on a mail relay, you can use 82 # $SECURITY_NOTIFY_RECIPIENT in the same manner as $SECURITY_NOTIFY_SENDER. 83 # 84 # This could also be extended fairly easily to allow virus-checking of 85 # attachments, assuming you have a virus-checker that will run under *nix. 86 # 87 # NOTES 88 # Requires perl. 89 # Attachment scanning requires the "mktemp" and "mimencode" programs OR 90 # the installation of the CPAN Perl modules MIME::Base64 and File::MkTemp. 91 # Set $USE_CPAN if you want to use CPAN modules. If you can't put those 92 # modules in their system directories (e.g. you're running this on your 93 # ISP's computer), put them somewhere accessible and set $PVT_CPAN to that 94 # directory. 95 # Scanning of ZIP attachments requires the "unzip" program. 96 # 97 # This is a non-delivering filter recipe unless $SECURITY_QUARANTINE is 98 # set. 99 # 100 # INVOCATION 101 # Insert 102 # CONFIG_VARIABLE=some_value 103 # {repeat as needed} 104 # INCLUDERC=html-trap.procmail 105 # into your .procmailrc at the beginning or end. 106 # 107 # For further details, particularly how to set up site-wide and mail hub 108 # or relay filtering, visit: 109 # http://www.impsec.org/email-tools/procmail-security.html 110 # 111 112 # possible bug workaround? 113 LINEBUF=8192 114 115 # Size LINEBUF dynamically to deal with excessively large headers 116 :0 H 117 * 32000^0 118 * 1^1 . 119 { 120 LINEBUF="$=" 121 } 122 123 # override csh and cousins 124 :0 125 * SHELL ?? csh$ 126 { 127 SHELL="/bin/sh" 128 } 129 130 # Make sure $LOGFILE exists so the shells don't barf 131 LOGFILE=${LOGFILE:-"/dev/null"} 132 133 #--------------------------------------------------------------------------- 134 # Grab some info for logging 135 # 136 NL=" 137 " 138 SUBJ="" 139 FROM="unknown" 140 FROMDOM="" 141 REPLY_SUPPRESSED="" 142 143 :0 144 * ^Subject[ ]*:[ ]+\/[^ ].+ 145 { 146 SUBJ=" in \"$MATCH\"" 147 } 148 149 OVERRIDEFORMAIL="Xx:" 150 151 # AOL mail servers look up who is dialled in and 152 # add that user's ID as the X-Apparently-From: header 153 # This is pretty spoof-proof 154 155 :0 156 * ^Received: from .*\.aol\.com .* by .*\.aol\.com 157 * ^X-Apparently-From:.*\/[^ ]+@aol\.com 158 { 159 FROM="$MATCH" 160 OVERRIDEFORMAIL="To: $FROM" 161 162 SUBJ="$SUBJ from $FROM" 163 FROMDOM="aol.com" 164 } 165 166 # otherwise, try Return-Path: (the envelope sender) 167 # which is still subject to spoofing but may be 168 # overlooked 169 170 :0 E 171 * ^Return-Path:.*\/<[^>]+@[^>]+> 172 { 173 FROM="$MATCH" 174 175 # Did a mailing list rewrite the Return-Path header? 176 :0 177 * -1^0 178 * 1^0 ^Precedence: (bulk|junk|list) 179 * 1^0 ^(List-Id|X-Mailing-List): 180 * 9876543210^0 FROM ?? \<owner- 181 * 9876543210^0 FROM ?? \<[^@ >]+-l-admin@ 182 { 183 :0 184 * ^From:.*\/<[^>]+> 185 { 186 FROM="$MATCH" 187 } 188 } 189 190 SUBJ="$SUBJ from $FROM" 191 :0 192 * ^Return-Path:.*<[^@]+@\/[^>]+ 193 { 194 FROMDOM="$MATCH" 195 } 196 } 197 198 # The following runs if Return-Path: header not found 199 # MAKE SURE your MTA puts in a Return-Path: header! 200 :0 E 201 * ^From:.*\/<[^>]+> 202 { 203 FROM="$MATCH" 204 SUBJ="$SUBJ from $FROM" 205 LOG=" WARN: No usable Return-Path: header found in message.${NL}" 206 207 :0 208 * SECURITY_NOTIFY_SENDER ?? [^ ] 209 * ! SECURITY_DISABLE_SMART_REPLY ?? [^ ] 210 { 211 REPLY_SUPPRESSED="NOTICE: No Return-Path: header. Suppressing sender notification.${NL}" 212 LOG=" $REPLY_SUPPRESSED" 213 SECURITY_NOTIFY_SENDER= 214 } 215 } 216 217 TO=<$LOGNAME> 218 219 :0 220 * LOGNAME ?? ^root$ 221 { 222 # If $LOGNAME is root, we're probably running as a gateway filter: 223 # get the "real" to name(s) out of the message headers. 224 :0 225 * ^To: +\/.* 226 { 227 TO="$MATCH" 228 } 229 } 230 231 # try to get the full recipient address from a Received: header 232 # this overrides LOGNAME and the To: header 233 :0 234 * ^Received: .*for \/<?[^> ]+@[^> ]+\.[^> ;]+>? 235 { 236 TO="$MATCH" 237 } 238 239 :0 240 * ^Received: .*for \/<[^> ]+@[^> ]+\.[a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?> 241 { 242 TO="$MATCH" 243 } 244 245 SUBJ="$SUBJ to $TO" 246 247 :0 248 * ^Message-ID:.*\/<[^>]+> 249 { 250 MSGID="$MATCH" 251 SUBJ="$SUBJ msgid=$MSGID" 252 } 253 254 SUBJ="$SUBJ 255 " 256 257 #--------------------------------------------------------------------------- 258 # Override these in /etc/procmailrc as needed 259 # 260 261 STRIPPED_WARNING=${STRIPPED_WARNING:-" 262 SECURITY NOTICE: 263 264 The mail system has removed a file attachment from this message. 265 The attachment has been discarded. 266 267 Please contact your system administrator for details. 268 269 "} 270 271 POISONED_WARNING=${POISONED_WARNING:-" 272 SECURITY WARNING! 273 274 The mail system has detected that the following 275 attachment may contain hazardous program code, is 276 a suspicious file type, or has a suspicious file name. 277 Do not trust it. Contact your system administrator immediately. 278 279 "} 280 281 MACRO_WARNING=${MACRO_WARNING:-" 282 SECURITY WARNING! 283 284 The mail delivery system has detected that the preceding 285 document attachment appears to contain hazardous macro code. 286 Macro Scanner score: "} 287 288 MACRO_DETAILS=${MACRO_DETAILS:-"Macro Scanner score details: 289 " 290 291 ZIP_MAGIC_WARNING=${ZIP_MAGIC_WARNING:-" 292 SECURITY WARNING! 293 294 The mail system has detected that the preceding attachment 295 claims to be a ZIP archive, but it does not have a valid ZIP 296 archive signature. 297 Do not trust it. Contact your system administrator immediately. 298 299 "} 300 301 ZIPPED_WARNING=${ZIPPED_WARNING:-" 302 SECURITY WARNING! 303 304 The mail system has detected that the preceding ZIP archive 305 attachment contains suspicious files. 306 Do not trust it. Contact your system administrator immediately. 307 308 The suspicious files in the archive are: 309 310 "} 311 312 :0 313 * ! DISABLE_RAR_SCAN ?? [^ ] 314 * ! ? type unrar >/dev/null 2>&1 315 { 316 # unrar not on $PATH 317 LOG=" unrar not found, disabling RAR scan - either install unrar or define DISABLE_RAR_SCAN${NL}" 318 DISABLE_RAR_SCAN=Y 319 } 320 321 322 RAR_MAGIC_WARNING=${RAR_MAGIC_WARNING:-" 323 SECURITY WARNING! 324 325 The mail system has detected that the preceding attachment 326 claims to be a RAR archive, but it does not have a valid RAR 327 archive signature. 328 Do not trust it. Contact your system administrator immediately. 329 330 "} 331 332 RARRED_WARNING=${RARRED_WARNING:-" 333 SECURITY WARNING! 334 335 The mail system has detected that the preceding RAR archive 336 attachment contains suspicious files. 337 Do not trust it. Contact your system administrator immediately. 338 339 The suspicious files in the archive are: 340 341 "} 342 343 BAD_BASE64_WARNING=${BAD_BASE64_WARNING:-" 344 SECURITY WARNING! 345 346 The mail system has detected that the preceding attachment 347 was encoded in a manner intended to bypass security filtering. 348 Do not trust it. Contact your system administrator immediately. 349 350 "} 351 352 BAD_JPEG_WARNING=${BAD_JPEG_WARNING:-" 353 SECURITY WARNING! 354 355 The mail system has detected that the preceding attachment 356 appears to be a JPEG image containing a Microsoft buffer overflow attack. 357 Do not trust it. Contact your system administrator immediately. 358 359 "} 360 361 WMF_WARNING=${WMF_WARNING:-" 362 SECURITY WARNING! 363 364 The mail system has detected that the preceding attachment 365 appears to be a WMF image. It has been blocked for security reasons. 366 Contact your system administrator immediately. 367 368 "} 369 370 TNEF_WARNING=${TNEF_WARNING:-" 371 SECURITY NOTICE: 372 373 The mail system has removed a Microsoft attachment for security reasons. 374 The sender should disable sending Rich Text format in Outlook and 375 disable sending TNEF to the Internet from their Microsoft Exchange gateway. 376 377 See http://support.microsoft.com/support/kb/articles/Q241/5/38.ASP 378 and http://www.microsoft.com/TechNet/exchange/2505ch10.asp 379 for more information. 380 381 "} 382 383 384 # FROM address for notifications 385 SECURITY_LOCAL_POSTMASTER=${SECURITY_LOCAL_POSTMASTER:-"postmaster"} 386 387 # MTA command line options when generating messages 388 # get recipient(s) from command line 389 MTA_FLAGS_CMDLN=${MTA_FLAGS_CMDLN:-"-U"} 390 # get recipient(s) from message headers 391 MTA_FLAGS_HDRS=${MTA_FLAGS_HDRS:-"-oi -t -f$SECURITY_LOCAL_POSTMASTER"} 392 393 # How paranoid to be about stuff embedded in documents 394 # default: very 395 SC_MBD=${SECURITY_OFFICE_EMBED_SCORE:-99} 396 397 398 #--------------------------------------------------------------------------- 399 # trap some excessively long RFC-822 headers 400 # 401 402 :0 403 * ^\/Subject: ..................................................................................................................................................................................................................................................* 404 { 405 LOG=" Trapped excessively long header$SUBJ" 406 STATUS="STATUS: Header truncated." 407 HDR="$MATCH" 408 409 # truncate the header 410 :0 fw h 411 * ^\/Subject: ................................................................................................................................................................................................................................................. 412 | formail -i "$MATCH" 413 414 SECURITY_NOTIFY=${SECURITY_NOTIFY:-"postmaster"} 415 416 :0 417 * ! SECURITY_NONOTIFY_LONGSUBJECT ?? [^ ] 418 * SECURITY_NOTIFY ?? [^ ] 419 * !$ ^X-Loop: EMAIL SECURITY WARNING $HOST $SECRET 420 { 421 LOG="${NL} NOTIFY $SECURITY_NOTIFY${NL}" 422 423 :0 h ci 424 | ( \ 425 echo "To: $SECURITY_NOTIFY";\ 426 echo 'From: "Procmail Security daemon"' "<${SECURITY_LOCAL_POSTMASTER}>";\ 427 echo 'Subject: SECURITY WARNING - possible email attack';\ 428 echo "X-Loop: EMAIL SECURITY WARNING $HOST $SECRET"; \ 429 echo ;\ 430 echo 'Trapped excessively long header:' ;\ 431 echo "$HDR";\ 432 echo ;\ 433 echo "$STATUS";\ 434 echo ;\ 435 echo 'Headers from message:';\ 436 echo ;\ 437 sed -e 's/^/> /' ;\ 438 ) | $SENDMAIL $MTA_FLAGS_CMDLN $SECURITY_NOTIFY 439 } 440 } 441 442 443 :0 444 * \/^((resent-)?(sender|from|(reply-)?to|cc|bcc)|(errors|disposition-notification|apparently)-to|Return-Path): .*<>.*<>.*<>.*<>.*<>.*<>.* 445 { 446 HDR=$MATCH 447 LOG=" Trapped multiple null addresses (possible sendmail attack)" 448 STATUS="STATUS: Header cleaned." 449 450 # truncate the header 451 :0 fw h 452 | sed -e 's/<>.*<>.*<>.*<>.*<>.*<>/<>/g' 453 454 SECURITY_NOTIFY=${SECURITY_NOTIFY:-"postmaster"} 455 456 :0 457 * SECURITY_NOTIFY ?? [^ ] 458 * !$ ^X-Loop: EMAIL SECURITY WARNING $HOST $SECRET 459 { 460 LOG="${NL} NOTIFY $SECURITY_NOTIFY${NL}" 461 462 :0 h ci 463 | ( \ 464 echo "To: $SECURITY_NOTIFY";\ 465 echo 'From: "Procmail Security daemon"' "<${SECURITY_LOCAL_POSTMASTER}>";\ 466 echo 'Subject: SECURITY WARNING - possible email attack';\ 467 echo "X-Loop: EMAIL SECURITY WARNING $HOST $SECRET"; \ 468 echo ;\ 469 echo 'Trapped multiple null addresses (possible sendmail exploit):' ;\ 470 echo "$HDR";\ 471 echo ;\ 472 echo "$STATUS";\ 473 echo ;\ 474 echo 'Headers from message:';\ 475 echo ;\ 476 sed -e 's/^/> /' ;\ 477 ) | $SENDMAIL $MTA_FLAGS_CMDLN $SECURITY_NOTIFY 478 } 479 } 480 481 482 :0 483 * ^\/(Mime-Version|(Resent-)?(Date|Sender|From|Reply-To)|(errors|disposition-notification|apparently)-to|Message-ID|Return-Path|Status|X-Status|X-Keywords|Content-(Class|Type|Disposition|Transfer-Encoding)): ......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................* 484 { 485 LOG=" Trapped excessively long header$SUBJ" 486 STATUS="STATUS: Message bounced." 487 HDR="$MATCH" 488 489 :0 490 * SECURITY_QUARANTINE ?? [^ ] 491 { 492 STATUS="STATUS: Message quarantined in $SECURITY_QUARANTINE, not delivered to recipient." 493 } 494 495 SECURITY_NOTIFY=${SECURITY_NOTIFY:-"postmaster"} 496 497 :0 498 * SECURITY_NOTIFY ?? [^ ] 499 * !$ ^X-Loop: EMAIL SECURITY WARNING $HOST $SECRET 500 { 501 LOG="${NL} NOTIFY $SECURITY_NOTIFY${NL}" 502 503 :0 h ci 504 | ( \ 505 echo "To: $SECURITY_NOTIFY";\ 506 echo 'From: "Procmail Security daemon"' "<${SECURITY_LOCAL_POSTMASTER}>";\ 507 echo 'Subject: SECURITY WARNING - possible email attack';\ 508 echo "X-Loop: EMAIL SECURITY WARNING $HOST $SECRET"; \ 509 echo ;\ 510 echo 'Trapped excessively long header:' ;\ 511 echo "$HDR";\ 512 echo ;\ 513 echo "$STATUS";\ 514 echo ;\ 515 echo 'Headers from message:';\ 516 echo ;\ 517 sed -e 's/^/> /' ;\ 518 ) | $SENDMAIL $MTA_FLAGS_CMDLN $SECURITY_NOTIFY 519 } 520 521 :0 522 * SECURITY_QUARANTINE ?? [^ ] 523 { 524 :0 :${SECURITY_QUARANTINE_LOCKFILE} 525 $SECURITY_QUARANTINE 526 527 :0 e 528 { 529 # Argh! Quarantine failed! 530 # notify administrator 531 LOG="${NL} ERR: QUARANTINE FAILED!${NL}" 532 533 # bounce it. 534 EXITCODE=65 535 536 :0 h 537 * SECURITY_NOTIFY ?? [^ ] 538 * !$ ^X-Loop: EMAIL SECURITY WARNING $HOST $SECRET 539 | ( \ 540 echo "To: $SECURITY_NOTIFY";\ 541 echo 'From: "Procmail Security daemon"' "<${SECURITY_LOCAL_POSTMASTER}>";\ 542 echo 'Subject: SECURITY WARNING - quarantine failed!';\ 543 echo "X-Loop: EMAIL SECURITY WARNING $HOST $SECRET"; \ 544 echo ;\ 545 echo 'Attempt to quarantine the following message in $SECURITY_QUARANTINE failed.';\ 546 echo 'Message has been bounced.';\ 547 echo 'Verify file access permissions:';\ 548 ls -l $SECURITY_QUARANTINE 2>&1 ;\ 549 echo ;\ 550 echo 'Headers from message:';\ 551 echo ;\ 552 sed -e 's/^/> /' ;\ 553 ) | $SENDMAIL $MTA_FLAGS_CMDLN $SECURITY_NOTIFY 554 555 } 556 } 557 558 # bounce it. 559 EXITCODE=65 560 561 # zap it. 562 :0 563 /dev/null 564 565 } 566 567 #--------------------------------------------------------------------------- 568 # Not all MIME can be sanitized... 569 # 570 :0 571 * ^Content-Type[ ]*:.*multipart/((signed)|(encrypted)); 572 * ! SECURITY_DEFANG_SIGNED ?? [^ ] 573 { 574 LOG=" WARN: Cannot sanitize message due to signing or encryption$SUBJ" 575 } 576 577 #--------------------------------------------------------------------------- 578 # Defang HTML active-content tags 579 # 580 # NB: In case you think the regexes should be /<[ ]*TAG/, I suggest 581 # you *try* such tags in your browser first... 582 # 583 # Unfortunately the "on*" (e.g. "onload=") syntax is such that we can't 584 # reliably look for /onload="/ - there may be whitespace around the =. 585 # This isn't intended to be a full HTML parser, so we'll err on the side of 586 # safety by defanging everything, even though it may be outside of an HTML 587 # context. 588 # 589 # This keeps getting uglier as more and more holes are discovered. 590 # 591 # This will be folded into a better sanitizer Real Soon Now... 592 # 593 594 :0 595 * 9876543210^1 ! ^Content-Type[ ]*:.*multipart/((signed)|(encrypted)); 596 * 9876543210^1 SECURITY_DEFANG_SIGNED ?? [^ ] 597 { 598 #----------- ALL OF THIS IS SKIPPED FOR SIGNED/ENCRYPTED MESSAGES 599 600 # "perl -e" has problems when run as root... 601 DROPPRIVS=YES 602 603 :0 604 * DEBUG_VERBOSE ?? [^ ] 605 { 606 VERBOSE=YES 607 } 608 609 :0 H 610 * [\015][^\012] 611 { 612 # this apparently happens a lot, so stop logging it 613 #LOG="Defanging bare CR in headers$SUBJ" 614 615 :0 fw h 616 | perl -p -e 's/\015/\012/g' 617 } 618 619 :0 B 620 * ! SECURITY_TRUST_HTML ?? [^ ] 621 * 9876543210^1 \<(html|title|body|meta|app|script|object|embed|i?frame|style|img|bgsound|i?layer|link|form|input|table|th|td|xml) 622 * 9876543210^1 =(3d)?[ ]*["'](&{|([a-z]+script|mocha):) 623 { 624 625 LOG="Defanging active HTML content$SUBJ" 626 627 HAVE_UUE= 628 629 :0 B 630 * ^begin[ ]+([0-9]+)?[ ]+[^ ]+ 631 { 632 HAVE_UUE=YES 633 LOG=" UUE content, HTML defang suppression enabled.$NL" 634 } 635 636 :0 fw b 637 | perl -p -e ' #\ 638 unless ($ENV{"HAVE_UUE"} && /^M.{60}$/ ) { #\ 639 if (/ / && /["\047][^"\047\s]*&#x?[1-9][0-9a-f]/i) { #\ 640 while (/["\047][^"\047\s]*&#((4[6-9]|5[0-8]|6[4-9]|[78][0-9]|9[07-9]|1[0-1][0-9]|12[0-2])(?![0-9]))/) { #\ 641 $char = chr($1); #\ 642 s/&#$1;?/$char/g; #\ 643 } #\ 644 while (/["\047][^"\047\s]*&#(x(2[ef]|3[0-9a]|4[0-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]))/i) { #\ 645 $char = chr(hex("0$1")); #\ 646 s/&#$1;?/$char/gi; #\ 647 } #\ 648 } #\ 649 if (/ / && /["\047][^"\047\s]*%[2-7][0-9a-f]/i) { #\ 650 while (/["\047][^"\047\s]*%((2[ef]|3[0-9a]|4[0-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]))/i) { #\ 651 $char = chr(hex("0x$1")); #\ 652 s/%$1/$char/gi; #\ 653 } #\ 654 } #\ 655 if (/<|%3c/) { #\ 656 s/(<|%3c)(META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|LAYER|ILAYER|LINK|FORM|INPUT|XML)/$1DEFANGED_$2/gi; #\ 657 unless ($ENV{"SECURITY_TRUST_STYLE_TAGS"}) { #\ 658 s/<STYLE/  <\/DEFANGED_STYLE/gi; #\ 660 s/\sSTYLE\s*=/ DEFANGED_STYLE=/gi; #\ 661 } #\ 662 if ($ENV{"DEFANG_WEBBUGS"}) { #\ 663 s/<IMG/<DEFANGED_IMG/gi; #\ 664 s/<BGSOUND/<DEFANGED_BGSOUND/gi; #\ 665 if (/<(BODY|TABLE|TH|TD)\s/i) { #\ 666 s/\sBACKGROUND\s*=\s*/ DEFANGED_BACKGROUND=/gi; #\ 667 } #\ 668 } #\ 669 s/\sOn(Abort|Blur|Change|Click|DblClick|DragDrop|Error|Focus|KeyDown|KeyPress|KeyUp|Load|MouseDown|MouseMove|MouseOut|MouseOver|MouseUp|Move|Reset|Resize|Select|Submit|Unload|ContextMenu|DragStart)/ DEFANGED_On$1/gi; #\ 670 } #\ 671 s/^\s*On(Abort|Blur|Change|Click|DblClick|DragDrop|Error|Focus|KeyDown|KeyPress|KeyUp|Load|MouseDown|MouseMove|MouseOut|MouseOver|MouseUp|Move|Reset|Resize|Select|Submit|Unload|ContextMenu|DragStart)/DEFANGED_On$1/gi; #\ 672 s/(["\047\075]|url\()([a-z]+script|mocha):/${1}DEFANGED_$2:/gi; #\ 673 s/(["\047\075])&{/${1}DEFANGED_&_{/g; #\ 674 } #\ 675 ' 676 } 677 678 #--------------------------------------------------------------------------- 679 # Mangle HTML and executable attachment filenames enough that they won't 680 # automatically execute, and limit the length of extremely long attachment 681 # filenames and MIME headers to prevent buffer overflows and client 682 # crashes (sigh). Adding ${$} to the mangling inserts a bit of randomness 683 # so that an active-HTML or BO exploit can't just look for an attachment 684 # named EXPLOIT.DEFANGED-EXE to get around the defanging. 685 # 686 # NOTE: the [ ] has a tab embedded in it - DO NOT remove it... 687 # 688 689 :0 690 * ! MANGLE_EXTENSIONS ?? [^ ] 691 { 692 MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|as[dfx]|c[ip]l|pps|wm[avszdf]|vcf|nws|wsz|\{[-0-9a-f]+\}' 693 } 694 695 696 # UUE attachments 697 :0 B 698 * ^begin[ ]+([0-9]+)?[ ]+[^ ]+ 699 { 700 :0 B 701 * ^begin[ ]+([0-9]+)?[ ]+\/[^ ]....................................................................................................+$ 702 { 703 LOG="Truncating extremely long attachment filename $MATCH$SUBJ" 704 705 :0 fw b 706 | perl -p -e 'if (/^begin\s+[0-9]*\s/i) { #\ 707 ($mode, $filen) = /^begin\s+([0-9]*)\s+(.{64}).*$/i; #\ 708 $mode = "644" unless $mode; #\ 709 s/^.*$/begin $mode $filen.../ if $filen; #\ 710 }' 711 } 712 713 :0 B 714 * $ ^begin[ ]+([0-9]+)?[ ]+.+\.(${MANGLE_EXTENSIONS})[ ]*$ 715 { 716 LOG="Sanitizing executable UUE attachments$SUBJ" 717 718 :0 fw b 719 | perl -p -e ' #\ 720 if ($stripped) { #\ 721 chomp; #\ 722 if (/^end$/i || /^\s*$/) { #\ 723 $stripped = 0; #\ 724 } #\ 725 $_ = ""; next; #\ 726 } #\ 727 if (($junk,$filen) = /^begin\s+([0-9]+\s+)?((\\.|[^"])+\.($ENV{"MANGLE_EXTENSIONS"}|\{[-0-9a-f]+\}))[\.\s]*$/io) { #\ 728 if ($specf = $ENV{"STRIPPED_EXECUTABLES"}) { #\ 729 if (open(STRIPPED,$specf)) { #\ 730 warn " Checking UUE \"$filen\" for stripping.\n"; #\ 731 while (chomp($stp_spec = <STRIPPED>)) { #\ 732 $stp_spec =~ s/^\s+//g; #\ 733 $stp_spec =~ s/\s.*$//g; #\ 734 next unless $stp_spec; #\ 735 $stp_spec =~ s/([^\\])\./$1\\./g; #\ 736 $stp_spec =~ s/\*/.*/g; #\ 737 $stp_spec =~ s/\?\?/?./g; #\ 738 $stp_spec =~ s/([^\(]|^)\?/$1./g; #\ 739 $stp_spec .= "\$" unless $stp_spec =~ /\$/; #\ 740 warn " Checking against \"$stp_spec\"\n" if $ENV{"DEBUG"}; #\ 741 if ($filen =~ /^${stp_spec}/i) { #\ 742 warn " Stripped UUE attachment \"$filen\".\n"; #\ 743 $stripped = 1; #\ 744 print "\n"; #\ 745 print "X-Content-Security: [" . $ENV{"HOST"} . "] REPORT: UUE attachment \"$filen\" stripped\n"; #\ 746 print "\n"; #\ 747 print $ENV{"STRIPPED_WARNING"}; #\ 748 print "Filename: $filen\n\n"; #\ 749 last; #\ 750 } #\ 751 } #\ 752 close(STRIPPED); #\ 753 if ($stripped) { #\ 754 $_ = <>; #\ 755 $_ = ""; next; #\ 756 } #\ 757 } else { #\ 758 warn " ERR: Unable to open stripped-executables file \"$specf\".\n"; #\ 759 } #\ 760 } #\ 761 if ($specf = $ENV{"POISONED_EXECUTABLES"}) { #\ 762 if (open(POISONED,$specf)) { #\ 763 warn " Checking UUE \"$filen\" for poisoning.\n"; #\ 764 while (chomp($psn_spec = <POISONED>)) { #\ 765 $psn_spec =~ s/^\s+//g; #\ 766 $psn_spec =~ s/\s.*$//g; #\ 767 next unless $psn_spec; #\ 768 $psn_spec =~ s/([^\\])\./$1\\./g; #\ 769 $psn_spec =~ s/\*/.*/g; #\ 770 $psn_spec =~ s/\?\?/?./g; #\ 771 $psn_spec =~ s/([^\(]|^)\?/$1./g; #\ 772 $psn_spec .= "\$" unless $psn_spec =~ /\$/; #\ 773 warn " Checking against \"$psn_spec\"\n" if $ENV{"DEBUG"}; #\ 774 if ($filen =~ /^${psn_spec}/i) { #\ 775 warn " Trapped poisoned attachment \"$filen\".\n"; #\ 776 print "X-Content-Security: [", $ENV{"HOST"}, "] NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 777 print "X-Content-Security: [", $ENV{"HOST"}, "] REPORT: Trapped poisoned attachment \"$filen\"\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 778 print "X-Content-Security: [", $ENV{"HOST"}, "] QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"}; #\ 779 print "\n"; #\ 780 print $ENV{"POISONED_WARNING"}; #\ 781 print "SUSPICIOUS ATTACHMENT: "; #\ 782 last; #\ 783 } #\ 784 } #\ 785 close(POISONED); #\ 786 } else { #\ 787 warn " ERR: Unable to open poisoned-executables file \"$specf\".\n"; #\ 788 } #\ 789 } #\ 790 warn " Mangling executable UUE filename \"$filen\".\n"; #\ 791 $filen =~ s/\.([-a-z0-9{}]+)$/.${$}DEFANGED-$1/i; #\ 792 print "begin 666 $filen\n"; #\ 793 $_ = ""; #\ 794 } #\ 795 ' 2>> $LOGFILE 796 } 797 } 798 799 # MIME attachments and general header sanitizing 800 :0 801 * !$ ^X-Content-Security: \[${HOST}\] (QUARANTINE|DISCARD) 802 * 9876543210^0 ^Content-Type[ ]*:.*(application|multipart)/[^ ]*[ ]*; 803 * 9876543210^0 ^Content-Type[ ]*:.*message/rfc822 804 * 9876543210^0 ^Content-Disposition[ ]*:.*attachment 805 { 806 LOG="Sanitizing MIME & attachments$SUBJ" 807 808 # Due to procmail not unwrapping MIME attachment headers, 809 # (they're in the message body) this perl script has to run against 810 # *every* message with MIME attachments to ensure security. Sorry. 811 812 # If you get "Out of memory" errors in your procmail log, try changing to 813 # the following: 814 # :0 fw 815 # | ulimit -d 15000; perl -p -e ' #\ 816 817 POISONED_SCORE=${POISONED_SCORE:-25} 818 ZIPPED_EXECUTABLES=${ZIPPED_EXECUTABLES:-"$POISONED_EXECUTABLES"} 819 820 :0 fw 821 | perl -p -e ' #\ 822 $pastmsghdr = 1 if /^\s*$/; #\ 823 $XCS = "X-Content-Security: [" . $ENV{"HOST"} . "]" unless $XCS; #\ 824 if ($pastmsghdr) { #\ 825 if (!$mimebdry && $mimebdrs[0]) { #\ 826 warn " Found no MIME boundary in msg attachment.\n" if $ENV{"DEBUG"}; #\ 827 $mimebdry = pop @mimebdrs; #\ 828 $newbdry = pop @newbdrs; #\ 829 $rawbdry = pop @rawbdrs; #\ 830 $bdrytoolong = pop @bdrstoolong; #\ 831 $gotbdry = pop @gotbdrs; #\ 832 $nullbdry = pop @nullbdrs; #\ 833 } #\ 834 $_ = "" if $strip_att && !$gotbdry; #\ 835 } else { #\ 836 if (($type,$format,$junk) = /^Content-Type\s*:\s.*(application|multipart|message)\/(\S+)\s*(;.*)?$/i) { #\ 837 $wanthdr = 1; #\ 838 print "X-Security: message sanitized on ", $ENV{"HOST"}, "\n"; #\ 839 print "\tSee http://www.impsec.org/email-tools/sanitizer-intro.html\n"; #\ 840 print "\tfor details. \$Revision: 1.151 $x\$Date: 2006-01-20 07:29:24-08 $x\n"; #\ 841 print "X-Security: The postmaster has not enabled quarantine of poisoned messages.\n" unless $ENV{"SECURITY_QUARANTINE"}; #\ 842 if ($type =~ /application/i) { #\ 843 $inmimehdr = 1; #\ 844 } elsif ($type =~ /message/i && $format =~ /rfc822/i) { #\ 845 $rcrsmsg = $inmimehdr = 1; #\ 846 } #\ 847 } elsif (/^\S/) { #\ 848 $wanthdr = 0; #\ 849 } #\ 850 if ($wanthdr) { #\ 851 if (($mimebdry) = /boundary\s*=\s*(("")|("[^"]+")|([^"]\S+)|$)/i) { #\ 852 $mimebdry =~ s/(^"|"$)//g; #\ 853 $rawbdry = $mimebdry; #\ 854 $gotbdry = 1; #\ 855 $wanthdr = 0; #\ 856 $bdrytoolong = $nullbdry = 0; #\ 857 if ($bdrytoolong = (length($mimebdry) > 80)) { #\ 858 warn " Truncating long MIME boundary string.\n"; #\ 859 $newbdry = substr($mimebdry,0,64); #\ 860 $mimebdry = quotemeta($mimebdry); #\ 861 s/${mimebdry}/${newbdry}/; #\ 862 $rawbdry =~ s/${mimebdry}/${newbdry}/; #\ 863 } elsif ($nullbdry = (length($mimebdry) < 1)) { #\ 864 warn " Replacing null MIME boundary string.\n"; #\ 865 $newbdry = "==NULL_MIME_BOUNDARY_ATTACK_SANITIZED-${$}=="; #\ 866 s/boundary\s*=\s*(""|$)/boundary="${newbdry}"/i; #\ 867 } else { #\ 868 $newbdry = $mimebdry; #\ 869 $mimebdry = quotemeta($mimebdry); #\ 870 } #\ 871 } #\ 872 } #\ 873 } #\ 874 if ($mimebdry || ($gotbdry && $nullbdry) || $inmimehdr) { #\ 875 if (/^\s*$/) { #\ 876 $inmimehdr = 0; #\ 877 if ($rcrsmsg) { #\ 878 push @mimebdrs, $mimebdry; #\ 879 push @newbdrs, $newbdry; #\ 880 push @rawbdrs, $rawbdry; #\ 881 push @bdrstoolong, $bdrytoolong; #\ 882 push @gotbdrs, $gotbdry; #\ 883 push @nullbdrs, $nullbdry; #\ 884 $mimebdry = $newbdry = ""; #\ 885 $rcrsmsg = $pastmsghdr = $bdrytoolong = $gotbdry = 0; #\ 886 } #\ 887 } elsif (/^--${mimebdry}(--)?$/) { #\ 888 $mend = $1; #\ 889 s/${mimebdry}/${newbdry}/ if $bdrytoolong; #\ 890 s/^--/--${newbdry}${mend}/ if $nullbdry; #\ 891 if ($mend) { #\ 892 if ($mimebdrs[0]) { #\ 893 $mimebdry = pop @mimebdrs; #\ 894 $newbdry = pop @newbdrs; #\ 895 $rawbdry = pop @rawbdrs; #\ 896 $bdrytoolong = pop @bdrstoolong; #\ 897 $gotbdry = pop @gotbdrs; #\ 898 $nullbdry = pop @nullbdrs; #\ 899 } #\ 900 } else { #\ 901 $inmimehdr = 1; #\ 902 $rcrsmsg = $strip_att = $check_att = 0; #\ 903 } #\ 904 } elsif (!$inmimehdr && $strip_att) { #\ 905 $_ = ""; #\ 906 } elsif (!$inmimehdr && $check_att && !$base64) { #\ 907 warn " Not base64, not scanning\n"; #\ 908 $base64 = $check_att = 0; #\ 909 } elsif (!$inmimehdr && $check_att) { #\ 910 $ATTCH = $destf = $rarh = $ziph = ""; #\ 911 $SIG{PIPE} = 'IGNORE'; #\ 912 if ($ENV{"USE_CPAN"}) { #\ 913 push @INC, $ENV{"PVT_CPAN"} if $ENV{"PVT_CPAN"}; #\ 914 eval "use MIME::Base64; use File::MkTemp;"; die $@ if $@; #\ 915 if (($ATTCH,$destf) = mkstempt("mailchk.XXXXXX","/tmp")) { #\ 916 $destf = "/tmp/$destf"; #\ 917 } else { #\ 918 warn " ERR: mkstempt failed\n"; #\ 919 $ATTCH = $destf = ""; #\ 920 } #\ 921 } else { #\ 922 if (!chomp($destf = `mktemp /tmp/mailchk.XXXXXX`)) { #\ 923 warn " ERR: mktemp failed\n"; #\ 924 $ATTCH = $destf = ""; #\ 925 } else { #\ 926 if (open(ATTCH,"|mimencode -u -o $destf")) { #\ 927 $ATTCH = ATTCH; #\ 928 } else { #\ 929 warn " ERR: mimencode failed: $@\n"; #\ 930 unlink($destf); #\ 931 $ATTCH = $destf = ""; #\ 932 } #\ 933 } #\ 934 } #\ 935 if ($ATTCH && $destf) { #\ 936 warn " Decoding to \"$destf\"\n"; #\ 937 do { #\ 938 print $_; #\ 939 if (length($_) > 3) { #\ 940 if ($ENV{"USE_CPAN"}) { #\ 941 $de = decode_base64($_); #\ 942 print $ATTCH $de || die $@; #\ 943 $rarh = $ziph = $de unless $ziph; #\ 944 } else { #\ 945 print $ATTCH $_ || die $@; #\ 946 } #\ 947 } else { #\ 948 $rarh = $ziph = "XXX" if length($_) > 1; #\ 949 } #\ 950 $_ = <>; #\ 951 $lastline = $_; #\ 952 } until (/^--${mimebdry}(--)?$/ || ($mimebdrs[0] && /^--${mimebdrs[0]}(--)?$/) || !$_ ); #\ 953 if (close($ATTCH)) { #\ 954 # Run virus-checker against $destf here. #\ 955 } else { #\ 956 warn " ERR: decode failed! mimencode?\n"; #\ 957 $check_att = 0; #\ 958 } #\ 959 if ($check_att == 3) { #\ 960 warn " Scanning image\n"; #\ 961 $wmf = $jpegbo = 0; #\ 962 if ($ENV{"SECURITY_POISON_WMF"} && (`/usr/bin/od -N 4 -t x $destf` =~ /9ac6cdd7/i)) { #\ 963 $wmf = 1; #\ 964 warn " Poisoned WMF\n"; #\ 965 } elsif (open(JPEGI,"rdjpgcom $destf 2>&1 |")) { #\ 966 while (<JPEGI>) { #\ 967 warn "djpeg: $_" if $ENV{"DEBUG_VERBOSE"}; #\ 968 if (/Erroneous JPEG marker length/i) { #\ 969 $jpegbo = $_; last; #\ 970 } #\ 971 } #\ 972 close(JPEGI); #\ 973 } #\ 974 if ($jpegbo || $wmf) { #\ 975 print "\n\n--$newbdry\n"; #\ 976 print "Content-Type: TEXT/PLAIN;\n"; #\ 977 print "Content-Description: SECURITY WARNING\n"; #\ 978 print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 979 print "$XCS QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"}; #\ 980 } #\ 981 if ($jpegbo) { #\ 982 warn " JPEG BO?\n"; #\ 983 print "$XCS REPORT: Trapped possible JPEG attack: $jpegbo" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 984 print "\n"; #\ 985 print $ENV{"BAD_JPEG_WARNING"}; #\ 986 } #\ 987 if ($wmf) { #\ 988 print "$XCS REPORT: Trapped possible WMF attack." if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 989 print "\n"; #\ 990 print $ENV{"WMF_WARNING"}; #\ 991 } #\ 992 } elsif (($check_att == 2 || $check_att == 4) && ($specf = $ENV{"ZIPPED_EXECUTABLES"})) { #\ 993 if ($check_att == 2) { #\ 994 $rarh = "Rar"; #\ 995 warn " Scanning ZIP\n" if $ENV{"DEBUG"}; #\ 996 unless ($ENV{"USE_CPAN"} || $ziph) { #\ 997 if (open(ATTCH,"<$destf")) { #\ 998 $ziph = <ATTCH>; #\ 999 close(ATTCH); #\ 1000 } else { #\ 1001 warn " ERR: decode failed\n"; #\ 1002 $ziph = "PK\003\004"; #\ 1003 } #\ 1004 } #\ 1005 } elsif ($check_att == 4) { #\ 1006 $ziph = "PK\003\004"; #\ 1007 warn " Scanning RAR\n" if $ENV{"DEBUG"}; #\ 1008 unless ($rarh) { #\ 1009 if (open(ATTCH,"<$destf")) { #\ 1010 $rarh = <ATTCH>; #\ 1011 close(ATTCH); #\ 1012 } else { #\ 1013 warn " ERR: decode failed\n"; #\ 1014 $rarh = "Rar"; #\ 1015 } #\ 1016 } #\ 1017 } #\ 1018 if ($ziph !~ /^(?:PK00)?PK\003\004/ || $rarh !~ /^Rar/) { #\ 1019 if ($ziph eq "XXX") { #\ 1020 warn " Hostile BASE64\n"; #\ 1021 } else { #\ 1022 warn " ZIP/RAR magic not found\n"; #\ 1023 } #\ 1024 print "\n\n--$newbdry\n"; #\ 1025 print "Content-Type: TEXT/PLAIN;\n"; #\ 1026 print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1027 if ($ziph eq "XXX") { #\ 1028 print "$XCS REPORT: Trapped ZIP/RAR file \"$zfilen\" with hostile base64 encoding\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1029 } else { #\ 1030 print "$XCS REPORT: Trapped bogus ZIP/RAR file \"$zfilen\"\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1031 } #\ 1032 print "$XCS QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"}; #\ 1033 print "Content-Description: SECURITY WARNING\n\n"; #\ 1034 if ($ziph eq "XXX") { #\ 1035 print $ENV{"BAD_BASE64_WARNING"}; #\ 1036 } else { #\ 1037 if ($check_att == 2) { #\ 1038 print $ENV{"ZIP_MAGIC_WARNING"}; #\ 1039 } elsif ($check_att == 4) { #\ 1040 print $ENV{"RAR_MAGIC_WARNING"}; #\ 1041 } #\ 1042 } #\ 1043 } elsif (open(ZIPPOL,$specf)) { #\ 1044 %zipf = (); #\ 1045 if ($check_att == 2) { #\ 1046 if (open(ZIPL,"unzip -l $destf |")) { #\ 1047 while (<ZIPL>) { #\ 1048 if (($filen) = /^\s+\d+\s+\S+\s+\S+\s+(.+)$/) { #\ 1049 warn "$filen\n" if $ENV{"DEBUG"}; #\ 1050 $zipf{$filen} = 1; #\ 1051 } #\ 1052 } #\ 1053 warn " ERR: scan failed! unzip?\n" unless close(ZIPL); #\ 1054 if (open(ZIPL,"unzip -t -P _virus_$$ $destf 2>&1 |")) { #\ 1055 while (<ZIPL>) { #\ 1056 if (($junk,$filen) = /(skipp|test)ing:\s+(\S.+\.\w+)\W*\s+($|incorrect)/i) { #\ 1057 $zipf{$filen} = 1; #\ 1058 } #\ 1059 } #\ 1060 close(ZIPL); #\ 1061 } #\ 1062 } #\ 1063 } elsif ($check_att == 4) { #\ 1064 if (open(RARL,"unrar v $destf |")) { #\ 1065 while (<RARL>) { #\ 1066 if (($filen) = /^[\s*](?:[^\/]+\/)*(\S.*\..+)$/) { #\ 1067 warn "$filen\n" if $ENV{"DEBUG"}; #\ 1068 $zipf{$filen} = 1; #\ 1069 } #\ 1070 } #\ 1071 warn " ERR: scan failed! unrar?\n" unless close(RARL); #\ 1072 } #\ 1073 } #\ 1074 $filel = ""; #\ 1075 foreach $filen (keys %zipf) { #\ 1076 $fn = $filen; $fn =~ s/\s{10,}/ (many spaces) /; #\ 1077 warn " Checking archived \"$fn\"\n"; #\ 1078 seek(ZIPPOL,0,0); #\ 1079 while (chomp($pol_spec = <ZIPPOL>)) { #\ 1080 $pol_spec =~ s/^\s+//g; #\ 1081 $pol_spec =~ s/\s.*$//g; #\ 1082 next unless $pol_spec; #\ 1083 $pol_spec =~ s/([^\\])\./$1\\./g; #\ 1084 $pol_spec =~ s/\*/.*/g; #\ 1085 $pol_spec =~ s/\?\?/?./g; #\ 1086 $pol_spec =~ s/([^\(]|^)\?/$1./g; #\ 1087 warn " Checking against \"$pol_spec\"\n" if $ENV{"DEBUG"}; #\ 1088 if ($filen =~ /^${pol_spec}$/i) { #\ 1089 warn " Trapped archived \"$fn\".\n"; #\ 1090 if (!$poisoned) { #\ 1091 print "\n\n--$newbdry\n"; #\ 1092 print "Content-Type: TEXT/PLAIN;\n"; #\ 1093 print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1094 print "$XCS REPORT: Scanned attachment \"$zfilen\"\n$XCS REPORT: Trapped suspicious archived files:\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1095 $poisoned = 1; #\ 1096 } #\ 1097 print "$XCS REPORT: $fn\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1098 $filel .= " $fn\n"; #\ 1099 last; #\ 1100 } #\ 1101 } #\ 1102 } #\ 1103 if ($poisoned) { #\ 1104 print "$XCS QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"}; #\ 1105 print "Content-Description: SECURITY WARNING\n\n"; #\ 1106 if ($check_att == 2) { #\ 1107 print $ENV{"ZIPPED_WARNING"}; #\ 1108 } elsif ($check_att == 4) { #\ 1109 print $ENV{"RARRED_WARNING"}; #\ 1110 } #\ 1111 print "$filel\n"; #\ 1112 } #\ 1113 } else { #\ 1114 warn " ERR: Unable to open ZIP/RAR list \"$specf\".\n"; #\ 1115 } #\ 1116 } #\ 1117 unlink($destf); #\ 1118 if ($lastline =~ /^--${mimebdry}(--)?$/) { #\ 1119 $mend = $1; #\ 1120 $lastline =~ s/${mimebdry}/${newbdry}/ if $bdrytoolong; #\ 1121 s/^--/--${newbdry}${mend}/ if $nullbdry; #\ 1122 if ($mend) { #\ 1123 if ($mimebdrs[0]) { #\ 1124 $mimebdry = pop @mimebdrs; #\ 1125 $newbdry = pop @newbdrs; #\ 1126 $rawbdry = pop @rawbdrs; #\ 1127 $bdrytoolong = pop @bdrstoolong; #\ 1128 $gotbdry = pop @gotbdrs; #\ 1129 $nullbdry = pop @nullbdrs; #\ 1130 } #\ 1131 } else { #\ 1132 $inmimehdr = 1; #\ 1133 } #\ 1134 } #\ 1135 print $lastline; $_ = ""; #\ 1136 } #\ 1137 $check_att = 0; #\ 1138 } #\ 1139 if ($inmimehdr || $hdrcnt) { #\ 1140 if (/^(\s+\S|(file)?name)/) { #\ 1141 s/^\s*/ /; #\ 1142 s/^\s*// if $hdrtxt =~ /"[^"]*[^;]$/; #\ 1143 s/\s*\n$//; #\ 1144 $hdrtxt .= $_; #\ 1145 $_ = ""; #\ 1146 } else { #\ 1147 if ($hdrtxt) { #\ 1148 $hdrtxt =~ s/([^\\])\\"/\1\\ÿ/g; #\ 1149 if ($hdrtxt =~ /`\s*`/) { #\ 1150 warn " Fixing double backquotes.\n"; #\ 1151 $hdrtxt =~ s/`\s*`/\\"/g; #\ 1152 } #\ 1153 if ($hdrtxt =~ /^[-\w]+\s*:.*name\s*=\s*"[^"]+$/i) { #\ 1154 warn " Fixing missing close quote on filename.\n"; #\ 1155 $hdrtxt .= "\""; #\ 1156 } #\ 1157 while (($hdr, $val) = $hdrtxt =~ /^([-\w]+)\s*:.*\s(\S+)\s*=\s*""/i) { #\ 1158 warn " Null $val in $hdr header.\n"; #\ 1159 $sval = quotemeta($val); #\ 1160 $hdrtxt =~ s/\s$sval\s*=\s*""/ X-$val="{null value sanitized}"/; #\ 1161 } #\ 1162 unless ($ENV{"SECURITY_DISABLE_OUTLOOK_HACKS"}) { #\ 1163 while (($hdr,$filen) = $hdrtxt =~ /^(Content-Description)\s*:\s*text\s+from\s+file\s+\047([^\047]+)\047/i) { #\ 1164 warn " Fixing file name \"$filen\" in ${hdr}:\n"; #\ 1165 $newfilen = $filen; $filen = quotemeta($filen); #\ 1166 $hdrtxt =~ s/\s+\047${filen}\047/, filename="${newfilen}"/ig; #\ 1167 } #\ 1168 } #\ 1169 while (($junk,$filen,$junk) = $hdrtxt =~ /^Content-[-\w]+\s*:[^"]*("[^"]*"[^"]+)*name\s*=\s*([^"\s]([^;]|;(?!\s))+)/i) { #\ 1170 warn " Fixing unquoted filename \"$filen\".\n"; #\ 1171 $newfilen = $filen; $filen = quotemeta($filen); #\ 1172 if ($newfilen =~ /\.[a-z0-9]+"[a-z0-9"]+[\.\s]*$/i) { #\ 1173 warn " Defanging quotes-in-extension attack.\n"; #\ 1174 while ($newfilen =~ /\.[a-z0-9]+"[a-z0-9"]+[\.\s]*$/i) { #\ 1175 $newfilen =~ s/\.([a-z0-9]+)"([a-z0-9"]+)[\.\s]*$/.$1$2/i; #\ 1176 } #\ 1177 } #\ 1178 $newfilen =~ s/\"/\\"/g; #\ 1179 if ($newfilen =~ /$[^)]*$/) { #\ 1180 warn " Removing embedded RFC822 comments.\n"; #\ 1181 $newfilen =~ s/$[^)]*$//g; #\ 1182 } #\ 1183 $hdrtxt =~ s/name\s*=\s*${filen}/name="$newfilen"/ig; #\ 1184 } #\ 1185 while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"(=\?[^"]+\?Q\?[^"]+=(2e|3[0-9]|[46][1-9a-f]|[57][0-9a])[^"]+\?=)"/i) { #\ 1186 warn " Fixing encoded plain characters in \"$filen\".\n"; #\ 1187 $newfilen = $filen; $filen = quotemeta($filen); #\ 1188 while ($newfilen =~ /=(2e|3[0-9]|[46][1-9a-f]|[57][0-9a])/i) { #\ 1189 $char = chr(hex("0x$1")); #\ 1190 $newfilen =~ s/=$1/$char/gi; #\ 1191 } #\ 1192 $hdrtxt =~ s/name\s*=\s*"${filen}"/name="$newfilen"/ig; #\ 1193 } #\ 1194 while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]+)[\.\s]+"/i) { #\ 1195 warn " Fixing trailing spaces/periods in filename.\n"; #\ 1196 $newfilen = $filen; $filen = quotemeta($filen); #\ 1197 $hdrtxt =~ s/name\s*=\s*"${filen}[\.\s]+"/name="$newfilen"/ig; #\ 1198 } #\ 1199 while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]{128,})"/i) { #\ 1200 warn " Shortening long filename \"$filen\".\n"; #\ 1201 $filen =~ s/\s+/ /g; #\ 1202 substr ($filen,64,32) = "..." while (length($filen) > 120); #\ 1203 $hdrtxt =~ s/name\s*=\s*"[^"]{120,}"/name="$filen"/i; #\ 1204 $mangle_mime_type = 1; #\ 1205 warn " Filename now \"$filen\".\n"; #\ 1206 } #\ 1207 if (($mtype) = $hdrtxt =~ /^Content-Type:\s+([a-z0-9-_]+\/[a-z0-9-_]+)/i) { #\ 1208 warn " MIME body part type \"$mtype\".\n" if $ENV{"DEBUG"}; #\ 1209 unless ($mtype =~ /^(multipart|text|message)\//i) { #\ 1210 unless ($hdrtxt =~ /name\s*=\s*"/i) { #\ 1211 $dfrhdr .= "$hdrtxt\n"; $hdrtxt = ""; #\ 1212 } #\ 1213 } #\ 1214 if ($mtype =~ /^application\/x-ms-?download/i && ! ($ENV{"SECURITY_TRUST_MS_DOWNLOAD"} || $poisoned)) { #\ 1215 warn " Trapped poisoned $mtype\n"; #\ 1216 $poisoned = 1; $check_att = 0; #\ 1217 print "Content-Type: TEXT/PLAIN;\n"; #\ 1218 print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1219 print "$XCS REPORT: Trapped poisoned $mtype attachment\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1220 print "$XCS QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"}; #\ 1221 print "Content-Description: SECURITY WARNING\n\n"; #\ 1222 print $ENV{"POISONED_WARNING"}; #\ 1223 print "Scanner score: 0 (poisoned by MIME type, scan skipped)\n\n"; #\ 1224 } #\ 1225 if ($mtype =~ /^application\/x(-zip)?-compress(ed)?/i) { #\ 1226 $check_att = 2 unless $ENV{"DISABLE_ZIP_SCAN"} || $poisoned; #\ 1227 } #\ 1228 if ($mtype =~ /^image\//i) { #\ 1229 $check_att = 3 unless $ENV{"DISABLE_JPEG_SCAN"} || $poisoned; #\ 1230 } #\ 1231 } #\ 1232 if ($hdrtxt =~ /^Content-Transfer-Encoding\s*:/i) { #\ 1233 $base64 = ($hdrtxt =~ /:\s+base64/i); #\ 1234 $dfrhdr .= "$hdrtxt\n"; $hdrtxt = ""; #\ 1235 } #\ 1236 if ($hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]*\.(p?jp[eg]+|bmp|gif|png|wmf)(\?=)?)"/i) { #\ 1237 $check_att = 3 unless $ENV{"DISABLE_JPEG_SCAN"} || $poisoned; #\ 1238 } #\ 1239 if (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]*\.(do[ct]|xl[swt]|p[po]t|rtf|pps|zip|rar)(\?=)?)"/i) { #\ 1240 $fn = $filen; $fn =~ s/\s{10,}/ (many spaces) /; #\ 1241 $stripped = 0; #\ 1242 if ($filen =~ /\.rar(\?=)?$/i) { #\ 1243 $typ = "RAR archive"; #\ 1244 $check_att = 4 unless $ENV{"DISABLE_RAR_SCAN"} || $poisoned; #\ 1245 $zfilen = $filen; #\ 1246 } elsif ($filen =~ /\.zip(\?=)?$/i) { #\ 1247 $typ = "ZIP archive"; #\ 1248 $check_att = 2 unless $ENV{"DISABLE_ZIP_SCAN"} || $poisoned; #\ 1249 $zfilen = $filen; #\ 1250 } else { #\ 1251 $typ = "Office document"; #\ 1252 $check_att = 1 unless $ENV{"DISABLE_MACRO_CHECK"} || $poisoned; #\ 1253 } #\ 1254 if (!$poisoned && ($specf = $ENV{"STRIPPED_EXECUTABLES"})) { #\ 1255 if (open(STRIPPED,$specf)) { #\ 1256 warn " Checking $typ \"$fn\" for stripping.\n"; #\ 1257 while (chomp($stp_spec = <STRIPPED>)) { #\ 1258 $stp_spec =~ s/^\s+//g; #\ 1259 $stp_spec =~ s/\s.*$//g; #\ 1260 next unless $stp_spec; #\ 1261 $stp_spec =~ s/([^\\])\./$1\\./g; #\ 1262 $stp_spec =~ s/\*/.*/g; #\ 1263 $stp_spec =~ s/\?\?/?./g; #\ 1264 $stp_spec =~ s/([^\(]|^)\?/$1./g; #\ 1265 $stp_spec .= "(\\?=)?\$" unless $stp_spec =~ /\$/; #\ 1266 warn " Checking against \"$stp_spec\"\n" if $ENV{"DEBUG"}; #\ 1267 if ($filen =~ /^${stp_spec}/i) { #\ 1268 warn " Stripped $typ \"$fn\".\n"; #\ 1269 print "Content-Type: TEXT/PLAIN;\n"; #\ 1270 print "$XCS REPORT: $typ attachment \"$fn\" stripped\n"; #\ 1271 print "Content-Description: SECURITY NOTICE\n\n"; #\ 1272 print $ENV{"STRIPPED_WARNING"}; #\ 1273 print "Filename: $fn\n\n"; #\ 1274 print "More headers follow:\n\n" unless $pastmsghdr; #\ 1275 $_ = $dfrhdr = $hdrtxt = ""; #\ 1276 $stripped = $strip_att = 1; #\ 1277 $check_att = $inmimehdr = 0; #\ 1278 last; #\ 1279 } #\ 1280 } #\ 1281 close(STRIPPED); #\ 1282 } else { #\ 1283 warn " ERR: Unable to open strip list \"$specf\".\n"; #\ 1284 } #\ 1285 } #\ 1286 if (!$poisoned && !$stripped && ($specf = $ENV{"POISONED_EXECUTABLES"})) { #\ 1287 if (open(POISONED,$specf)) { #\ 1288 warn " Checking $typ \"$fn\" for poisoning.\n"; #\ 1289 while (chomp($psn_spec = <POISONED>)) { #\ 1290 $psn_spec =~ s/^\s+//g; #\ 1291 $psn_spec =~ s/\s.*$//g; #\ 1292 next unless $psn_spec; #\ 1293 $psn_spec =~ s/([^\\])\./$1\\./g; #\ 1294 $psn_spec =~ s/\*/.*/g; #\ 1295 $psn_spec =~ s/\?\?/?./g; #\ 1296 $psn_spec =~ s/([^\(]|^)\?/$1./g; #\ 1297 $psn_spec .= "(\\?=)?\$" unless $psn_spec =~ /\$/; #\ 1298 warn " Checking against \"$psn_spec\"\n" if $ENV{"DEBUG"}; #\ 1299 if ($filen =~ /^${psn_spec}/i) { #\ 1300 warn " Trapped poisoned $typ \"$fn\".\n"; #\ 1301 $poisoned = 1; $check_att = 0; #\ 1302 print "Content-Type: TEXT/PLAIN;\n"; #\ 1303 print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1304 print "$XCS REPORT: Trapped poisoned $typ attachment \"$fn\"\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1305 print "$XCS QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"}; #\ 1306 print "Content-Description: SECURITY WARNING\n\n"; #\ 1307 print $ENV{"POISONED_WARNING"}; #\ 1308 print "Scanner score: 0 (poisoned by name, scan skipped)\n\n"; #\ 1309 last; #\ 1310 } #\ 1311 } #\ 1312 close(POISONED); #\ 1313 } else { #\ 1314 warn " ERR: Unable to open poison list \"$specf\".\n"; #\ 1315 } #\ 1316 } #\ 1317 } #\ 1318 if (($bndry) = $hdrtxt =~ /^Content-Type:\s+multipart\/.*\s+boundary\s*=\s*"?([^"]+)"?/i) { #\ 1319 push @mimebdrs, $mimebdry; #\ 1320 push @newbdrs, $newbdry; #\ 1321 push @rawbdrs, $rawbdry; #\ 1322 push @bdrstoolong, $bdrytoolong; #\ 1323 push @gotbdrs, $gotbdry; #\ 1324 push @nullbdrs, $nullbdry; #\ 1325 $mimebdry = $newbdry = $bndry; #\ 1326 $mimebdry = quotemeta($mimebdry); #\ 1327 $rcrsmsg = $bdrytoolong = $gotbdry = 0; #\ 1328 } #\ 1329 if ($hdrtxt =~ /^Content-Type:\s+message\/rfc822/i) { #\ 1330 if (!$inmimehdr) { #\ 1331 push @mimebdrs, $mimebdry; #\ 1332 push @newbdrs, $newbdry; #\ 1333 push @rawbdrs, $rawbdry; #\ 1334 push @bdrstoolong, $bdrytoolong; #\ 1335 push @gotbdrs, $gotbdry; #\ 1336 push @nullbdrs, $nullbdry; #\ 1337 $mimebdry = $newbdry = ""; #\ 1338 $rcrsmsg = $pastmsghdr = $bdrytoolong = $gotbdry = 0; #\ 1339 } else { #\ 1340 $rcrsmsg = 1; #\ 1341 } #\ 1342 } #\ 1343 if ($ENV{"SECURITY_STRIP_MSTNEF"} && $hdrtxt =~ /^Content-Type:\s+application\/MS-TNEF/i) { #\ 1344 print "Content-Type: TEXT/PLAIN;\n"; #\ 1345 print "$XCS REPORT: Stripped MS-TNEF attachment\n"; #\ 1346 print "Content-Description: SECURITY NOTICE\n\n"; #\ 1347 print $ENV{"TNEF_WARNING"}; #\ 1348 $_ = $dfrhdr = $hdrtxt = ""; #\ 1349 $strip_att = 1; #\ 1350 $inmimehdr = 0; #\ 1351 } #\ 1352 while (($filen) = $hdrtxt =~ /^Content-[-\w]+\s*:.*name\s*=\s*"([^"]*\.($ENV{"MANGLE_EXTENSIONS"})(\?=)?)"/io) { #\ 1353 $fn = $filen; $fn =~ s/\s{10,}/ (many spaces) /; #\ 1354 $stripped = 0; #\ 1355 if (!$poisoned && ($specf = $ENV{"STRIPPED_EXECUTABLES"})) { #\ 1356 if (open(STRIPPED,$specf)) { #\ 1357 warn " Checking \"$fn\" for stripping.\n"; #\ 1358 while (chomp($stp_spec = <STRIPPED>)) { #\ 1359 $stp_spec =~ s/^\s+//g; #\ 1360 $stp_spec =~ s/\s.*$//g; #\ 1361 next unless $stp_spec; #\ 1362 $stp_spec =~ s/([^\\])\./$1\\./g; #\ 1363 $stp_spec =~ s/\*/.*/g; #\ 1364 $stp_spec =~ s/\?\?/?./g; #\ 1365 $stp_spec =~ s/([^\(]|^)\?/$1./g; #\ 1366 $stp_spec .= "(\\?=)?\$" unless $stp_spec =~ /\$/; #\ 1367 warn " Checking against \"$stp_spec\"\n" if $ENV{"DEBUG"}; #\ 1368 if ($filen =~ /^${stp_spec}/i) { #\ 1369 warn " Stripped executable \"$fn\".\n"; #\ 1370 print "Content-Type: TEXT/PLAIN;\n"; #\ 1371 print "$XCS REPORT: Attachment \"$fn\" stripped\n"; #\ 1372 print "Content-Description: SECURITY NOTICE\n\n"; #\ 1373 print $ENV{"STRIPPED_WARNING"}; #\ 1374 print "Filename: $fn\n\n"; #\ 1375 print "More headers follow:\n\n" unless $pastmsghdr; #\ 1376 $_ = $dfrhdr = $hdrtxt = ""; #\ 1377 $strip_att = $stripped = 1; #\ 1378 $inmimehdr = $check_att = 0; #\ 1379 last; #\ 1380 } #\ 1381 } #\ 1382 close(STRIPPED); #\ 1383 } else { #\ 1384 warn " ERR: Unable to open stripped-executables file \"$specf\".\n"; #\ 1385 } #\ 1386 } #\ 1387 if (!$poisoned && !$stripped && ($specf = $ENV{"POISONED_EXECUTABLES"})) { #\ 1388 if (open(POISONED,$specf)) { #\ 1389 warn " Checking \"$fn\" for poisoning.\n"; #\ 1390 while (chomp($psn_spec = <POISONED>)) { #\ 1391 $psn_spec =~ s/^\s+//g; #\ 1392 $psn_spec =~ s/\s.*$//g; #\ 1393 next unless $psn_spec; #\ 1394 $psn_spec =~ s/([^\\])\./$1\\./g; #\ 1395 $psn_spec =~ s/\*/.*/g; #\ 1396 $psn_spec =~ s/\?\?/?./g; #\ 1397 $psn_spec =~ s/([^\(]|^)\?/$1./g; #\ 1398 $psn_spec .= "(\\?=)?\$" unless $psn_spec =~ /\$/; #\ 1399 warn " Checking against \"$psn_spec\"\n" if $ENV{"DEBUG"}; #\ 1400 if ($filen =~ /^${psn_spec}/i) { #\ 1401 warn " Trapped poisoned executable \"$fn\".\n"; #\ 1402 $poisoned = 1; $check_att = 0; #\ 1403 print "Content-Type: TEXT/PLAIN;\n"; #\ 1404 print "$XCS NOTIFY\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1405 print "$XCS REPORT: Trapped poisoned executable \"$fn\"\n" if $ENV{"SECURITY_NOTIFY"} || $ENV{"SECURITY_NOTIFY_VERBOSE"}; #\ 1406 print "$XCS QUARANTINE\n" if $ENV{"SECURITY_QUARANTINE"}; #\ 1407 print "Content-Description: SECURITY WARNING\n\n"; #\ 1408 print $ENV{"POISONED_WARNING"}; #\ 1409 last; #\ 1410 } #\ 1411 } #\ 1412 close(POISONED); #\ 1413 } else { #\ 1414 warn " ERR: Unable to open poisoned-executables file \"$specf\".\n"; #\ 1415 } #\ 1416 } #\ 1417 unless ($stripped) { #\ 1418 warn " Mangling executable filename \"$fn\".\n"; #\ 1419 $newfilen = $filen; $filen = quotemeta($filen); #\ 1420 $newfilen =~ s/\.([-a-z0-9{}]+(\?=)?)$/.${$}DEFANGED-$1/i; #\ 1421 $hdrtxt =~ s/name\s*=\s*"?${filen}"?/name="$newfilen"/ig; #\ 1422 $mangle_mime_type = 1; #\ 1423 } #\ 1424 } #\ 1425 if ($mangle_mime_type && $hdrtxt =~ /^Content-Type:\s/i) { #\ 1426 ($oct) = $hdrtxt =~ /^Content-Type:.*\s(\S+\/\S+;?)/i; #\ 1427 warn " Mangling MIME type \"$oct\".\n"; #\ 1428 unless ($oct =~ /text\/plain;/i) { #\ 1429 print "$XCS original Content-Type was $oct\n"; #\ 1430 $oct = quotemeta($oct); #\ 1431 $hdrtxt =~ s/${oct}/APPLICATION\/DEFANGED;/i; #\ 1432 } #\ 1433 } #\ 1434 if ($mangle_mime_type && $hdrtxt =~ /\sx-mac-\S+/i) { #\ 1435 $eudora = ""; #\ 1436 while (($eh) = $hdrtxt =~ /(\sx-mac-\S+\s*=\s*\S+;?)/i) { #\ 1437 $eudora .= $eh; #\ 1438 $eh = quotemeta($eh); #\ 1439 $hdrtxt =~ s/${eh}//i; #\ 1440 } #\ 1441 print "$XCS removed$eudora\n"; #\ 1442 } #\ 1443 if (($junk) = $hdrtxt =~ /^Content-Type\s*:\s+(.{128}).{100,}$/i) { #\ 1444 warn " Truncating long Content-Type header.\n"; #\ 1445 $junk =~ s/"/\\"/g; #\ 1446 $hdrtxt = "Content-Type: X-BOGUS\/X-BOGUS; originally=\"$junk...\""; #\ 1447 } elsif (($junk) = $hdrtxt =~ /^Content-Description\s*:\s+(.{128}).{100,}$/i) { #\ 1448 warn " Truncating long Content-Description header.\n"; #\ 1449 $hdrtxt = "Content-Description: $junk..."; #\ 1450 } elsif (($junk) = $hdrtxt =~ /^Content-[-\w]+\s*:\s+(.{128}).{100,}$/i) { #\ 1451 warn " Truncating long MIME header.\n"; #\ 1452 $junk =~ s/"/\\"/g; #\ 1453 $hdrtxt =~ s/^Content-([-\w]+)\s*:.*$/X-Overflow: Content-$1; originally="$junk..."/i; #\ 1454 } #\ 1455 $hdrtxt =~ s/\\ÿ/\\"/g; #\ 1456 print "$hdrtxt\n" if $hdrtxt; #\ 1457 $hdrtxt = ""; #\ 1458 if (!$inmimehdr) { #\ 1459 if ($dfrhdr) { #\ 1460 if ($mangle_mime_type && $dfrhdr =~ /^Content-Type:\s/i) { #\ 1461 ($oct) = $dfrhdr =~ /^Content-Type:[^\n]*\s(\S+\/\S+;?)/i; #\ 1462 warn " Mangling MIME type \"$oct\".\n"; #\ 1463 unless ($oct =~ /text\/plain;/i) { #\ 1464 print "$XCS original Content-Type was $oct\n"; #\ 1465 $oct = quotemeta($oct); #\ 1466 $dfrhdr =~ s/${oct}/APPLICATION\/DEFANGED;/i; #\ 1467 } #\ 1468 } #\ 1469 print $dfrhdr; $dfrhdr = ""; #\ 1470 } #\ 1471 $poisoned = $mangle_mime_type = 0; #\ 1472 } #\ 1473 } #\ 1474 if (/^\S/) { #\ 1475 s/\s*\n$//; #\ 1476 $hdrtxt = $_; #\ 1477 $_ = ""; #\ 1478 $hdrcnt++; #\ 1479 } else { #\ 1480 $hdrcnt = 0; #\ 1481 $hdrtxt = ""; #\ 1482 } #\ 1483 } #\ 1484 } #\ 1485 } #\ 1486 ' 2>> $LOGFILE 1487 } 1488 1489 } # ---- END OF SIGNED/ENCRYPTED SKIP 1490 1491 :0 HB 1492 * SECURITY_POISON_WINEXE ?? [^ ] 1493 * !$ ^X-Content-Security: \[${HOST}\] (QUARANTINE|DISCARD) 1494 * ^Content-Transfer-Encoding[ ]*:.*base64 1495 * 9876543210^0 ^Content-Type[ ]*:.*(application|multipart)/[^ ]*[ ]*; 1496 * 9876543210^0 ^Content-Disposition[ ]*:.*attachment 1497 { 1498 # not already quarantined 1499 # check for Windows executable attachments that were not blocked by name 1500 # rules for postfix from <hobbit@avian.org>, adapted to sanitizer 1501 # http://archives.neohapsis.com/archives/postfix/2002-04/1841.html 1502 # NOT 100% reliable, but will catch the simple case of using 1503 # a benign filename and a bogus MIME type, and letting Windows figure out 1504 # to execute the attachment directly (vs. opening in a viewer) by its magic 1505 1506 :0 B D hf 1507 * 9876543210^0 ^TV[nopqr]....[AB]..A.A....*AAAA...*AAAA 1508 * 9876543210^0 ^[^ ]*LnJkYXRhAA 1509 * 9876543210^0 ^[^ ]*cmRhdGEAA 1510 * 9876543210^0 ^[^ ]*5yZGF0YQAA 1511 * 9876543210^0 ^[^ ]*LnJlbG9JAA 1512 * 9876543210^0 ^[^ ]*cmVsb2MAA 1513 * 9876543210^0 ^[^ ]*5yZWxvYwAA 1514 | formail -A "X-Content-Security: [$HOST] NOTIFY" \ 1515 -A "X-Content-Security: [$HOST] QUARANTINE" \ 1516 -A "X-Content-Security: [$HOST] REPORT: Trapped Windows executable attachment" 1517 } 1518 1519 :0 HB 1520 * $ ^X-Content-Security: \[${HOST}\] (NOTIFY|QUARANTINE|DISCARD) 1521 { 1522 :0 1523 * SECURITY_MSGID_LOG ?? [^ ] 1524 { JUNK=`echo "$MSGID" >> $SECURITY_MSGID_LOG` } 1525 1526 :0 HB 1527 * $ ^X-Content-Security: \[${HOST}\] DISCARD 1528 { 1529 SECURITY_QUARANTINE=/dev/null 1530 } 1531 1532 :0 HB 1533 * $ ^X-Content-Security: \[${HOST}\] SPOOFED_SENDER 1534 { 1535 # don't bother the sender, it's probably forged 1536 SECURITY_NOTIFY_SENDER= 1537 } 1538 1539 :0 1540 * 9876543210^0 SECURITY_NOTIFY ?? [^ ] 1541 * 9876543210^0 SECURITY_NOTIFY_VERBOSE ?? [^ ] 1542 { 1543 # Notify administration and sender of the attack 1544 1545 STATUS="STATUS: Message delivered to $TO" 1546 STATUS_PUBLIC="STATUS: Message delivered." 1547 REPORT="REPORT: No details available." 1548 SCORE="REPORT: Not a document, or already poisoned by filename. Not scanned for macros." 1549 1550 :0 1551 * SECURITY_QUARANTINE ?? [^ ] 1552 { 1553 STATUS="STATUS: Message quarantined in $SECURITY_QUARANTINE, not delivered to recipient." 1554 STATUS_PUBLIC="STATUS: Message quarantined, not delivered to recipient." 1555 } 1556 1557 :0 HB 1558 * $ ^X-Content-Security: \[${HOST}\] DISCARD 1559 { 1560 STATUS="STATUS: Message discarded, not delivered to recipient." 1561 STATUS_PUBLIC="$STATUS" 1562 } 1563 1564 :0 HB 1565 * ^\/Macro Scanner score: [1-9][0-9]+ 1566 { 1567 SCORE="REPORT: $MATCH" 1568 } 1569 1570 :0 HB 1571 * $ ^X-Content-Security: \[${HOST}\] REPORT: 1572 { REPORT=`grep "^X-Content-Security: \[${HOST}\] REPORT: " | sed -e 's/^.* REPORT:/REPORT:/g'` } 1573 1574 1575 #--------------------------------------------------------------------------- 1576 # Smart Sender Notify Suppression 1577 # If the Return-Path: domain is not supported by any of the Received: domains 1578 # then the envelope sender address is probably forged. Don't waste time notifying. 1579 # 1580 1581 :0 1582 * SECURITY_NOTIFY_SENDER ?? [^ ] 1583 * FROMDOM ?? [^ ] 1584 * ! SECURITY_DISABLE_SMART_REPLY ?? [^ ] 1585 { 1586 FROMDOM2="_" 1587 FROMDOM3="_" 1588 1589 :0 1590 * FROMDOM ?? ^.+\.\/[^.]+\.[^.]+$ 1591 { 1592 FROMDOM2="$MATCH" 1593 # ignore some domains (e.g. ac.uk, com.ar, etc.) 1594 :0 1595 * FROMDOM2 ?? ^(co|ac|com|net|org)\.[a-z][a-z]$ 1596 { 1597 FROMDOM2="_" 1598 } 1599 } 1600 1601 :0 1602 * FROMDOM ?? ^.+\.\/[^.]+\.[^.]+\.[^.]+$ 1603 { 1604 FROMDOM3="$MATCH" 1605 } 1606 1607 # Look for Received: headers that support the sender's claimed domain 1608 # Line 1: sendmail, postfix 1609 # Line 2: qmail 1610 :0 H 1611 * $! ^Received: from [^ ]+ $([^ .]+\.)*($FROMDOM|$FROMDOM3|$FROMDOM2) [^)]+$+[ ]+by (${SECURITY_TRUSTED_MTAS:-${HOST}}) 1612 * $! ^Received: from ([^ .]+\.)*($FROMDOM|$FROMDOM3|$FROMDOM2)[ ]+\(HELO .*[ ]+by (${SECURITY_TRUSTED_MTAS:-${HOST}}) 1613 { 1614 REPLY_SUPPRESSED="NOTICE: Envelope sender domain $FROMDOM not supported by trusted Received: path. Suppressing sender notification.${NL}" 1615 LOG=" $REPLY_SUPPRESSED" 1616 SECURITY_NOTIFY_SENDER= 1617 } 1618 1619 # Did a mailing list rewrite the Return-Path header? 1620 :0E 1621 * -1^0 1622 * 1^0 ^Precedence: (bulk|junk|list) 1623 * 1^0 ^(List-Id|X-Mailing-List): 1624 * 9876543210^0 FROM ?? \<owner- 1625 * 9876543210^0 FROM ?? \<[^@ >]+-l-admin@ 1626 { 1627 REPLY_SUPPRESSED="NOTICE: Message from mailing list. Suppressing sender notification.${NL}" 1628 LOG=" $REPLY_SUPPRESSED" 1629 SECURITY_NOTIFY_SENDER= 1630 } 1631 } 1632 #--------------------------------------------------------------------------- 1633 1634 :0 HB 1635 * !$ ^X-Content-Security: \[${HOST}\] NONOTIFY 1636 { 1637 :0 1638 * SECURITY_NOTIFY ?? [^ ] 1639 * !$ ^X-Loop: EMAIL SECURITY WARNING $HOST $SECRET 1640 { 1641 LOG="${NL} NOTIFY ADMIN ($SECURITY_NOTIFY)${NL}" 1642 1643 :0 h ci 1644 | ( \ 1645 echo "To: $SECURITY_NOTIFY";\ 1646 echo 'From: "Procmail Security daemon"' "<${SECURITY_LOCAL_POSTMASTER}>";\ 1647 echo 'Subject: SECURITY WARNING - possible email attack';\ 1648 echo "X-Loop: EMAIL SECURITY WARNING $HOST $SECRET"; \ 1649 echo ;\ 1650 echo "\$Revision: 1.151 $";\ 1651 echo ;\ 1652 echo "$REPORT";\ 1653 echo "$SCORE";\ 1654 echo "$STATUS";\ 1655 echo "$REPLY_SUPPRESSED";\ 1656 echo ;\ 1657 echo 'Headers from message:';\ 1658 echo ;\ 1659 sed -e 's/^/> /' ;\ 1660 ) | $SENDMAIL $MTA_FLAGS_CMDLN $SECURITY_NOTIFY 1661 } 1662 1663 :0 1664 * SECURITY_NOTIFY_VERBOSE ?? [^ ] 1665 * !$ ^X-Loop: EMAIL SECURITY WARNING $HOST $SECRET 1666 { 1667 LOG="${NL} NOTIFY ADMIN VERBOSE ($SECURITY_NOTIFY_VERBOSE)${NL}" 1668 1669 :0 hb ci 1670 | ( \ 1671 echo "To: $SECURITY_NOTIFY_VERBOSE";\ 1672 echo 'From: "Procmail Security daemon"' "<${SECURITY_LOCAL_POSTMASTER}>";\ 1673 echo 'Subject: SECURITY WARNING - possible email attack';\ 1674 echo "X-Loop: EMAIL SECURITY WARNING $HOST $SECRET"; \ 1675 echo ;\ 1676 echo "$REPORT";\ 1677 echo "$SCORE";\ 1678 echo "$STATUS";\ 1679 echo "$REPLY_SUPPRESSED";\ 1680 echo ;\ 1681 echo 'Message:';\ 1682 echo ;\ 1683 sed -e 's/^/> /' ;\ 1684 ) | $SENDMAIL $MTA_FLAGS_CMDLN $SECURITY_NOTIFY_VERBOSE 1685 } 1686 } 1687 1688 :0 H 1689 * SECURITY_NOTIFY_SENDER ?? [^ ] 1690 * ! ^FROM_DAEMON 1691 * !$ ^X-Loop: EMAIL SECURITY WARNING $HOST $SECRET 1692 { 1693 LOG="${NL} NOTIFY SENDER${NL}" 1694 PM_BCC="X-Placeholder:" 1695 PM_CC="X-Placeholder:" 1696 1697 :0 HB 1698 * !$ ^X-Content-Security: \[${HOST}\] NONOTIFY 1699 { 1700 PM_BCC="Bcc: $SECURITY_NOTIFY" 1701 } 1702 1703 :0 1704 * SECURITY_NOTIFY_SENDER_POSTMASTER ?? [^ ] 1705 * FROMDOM ?? [^ ] 1706 { 1707 PM_CC="postmaster@$FROMDOM" 1708 1709 :0 1710 * SECURITY_NOTIFY_SENDER_ABUSE ?? [^ ] 1711 { 1712 PM_CC="$PM_CC>, <abuse@$FROMDOM" 1713 } 1714 1715 PM_CC="Cc: <$PM_CC>" 1716 } 1717 1718 MSG_HEADERS=`sed -e '/^$/q; s/^/> /'` 1719 1720 :0 h ci 1721 | ( \ 1722 formail -r \ 1723 -I "From: \"Procmail Security daemon\" <${SECURITY_LOCAL_POSTMASTER}>"\ 1724 -I "$PM_BCC" -I "$PM_CC" -I "References: $MSGID" \ 1725 -I "Sender: <${SECURITY_LOCAL_POSTMASTER}>" \ 1726 -I "Errors-To: <${SECURITY_LOCAL_POSTMASTER}>" \ 1727 -I "X-Loop: EMAIL SECURITY WARNING $HOST $SECRET" \ 1728 -I "$OVERRIDEFORMAIL" \ 1729 ;\ 1730 echo ;\ 1731 if [ -f "$SECURITY_NOTIFY_SENDER" -a -s "$SECURITY_NOTIFY_SENDER" -a -r "$SECURITY_NOTIFY_SENDER" ] ;\ 1732 then \ 1733 echo 'Regarding your message to';\ 1734 echo "$TO";\ 1735 echo ;\ 1736 cat $SECURITY_NOTIFY_SENDER; \ 1737 else \ 1738 echo '*** SECURITY WARNING ***';\ 1739 echo 'Our email gateway has detected that your message to';\ 1740 echo "$TO";\ 1741 echo 'MAY contain hazardous embedded scripting or attachments,';\ 1742 echo 'or has been rejected by our site security policy for some other reason.';\ 1743 echo 'If you have a question, please reply to this notification message.';\ 1744 echo ;\ 1745 echo 'It is POSSIBLE that your message was infected by a virus.';\ 1746 echo 'You should make sure your virus signature file';\ 1747 echo 'is up-to-date and then rescan your computer,';\ 1748 echo 'especially if you do not remember sending this message.';\ 1749 echo ;\ 1750 echo 'If the macro scanner score is large yet your virus scanner reports';\ 1751 echo 'that the document is not infected, try saving it using a different';\ 1752 echo 'format (such as Rich Text - "RTF") that will remove all macros.';\ 1753 fi ;\ 1754 echo ;\ 1755 echo "$REPORT";\ 1756 echo "$SCORE";\ 1757 echo "$STATUS_PUBLIC";\ 1758 echo ;\ 1759 echo 'Headers from message:';\ 1760 echo ;\ 1761 echo "$MSG_HEADERS";\ 1762 echo ;\ 1763 echo ;\ 1764 echo '--';\ 1765 echo 'Message sanitized on' $HOST;\ 1766 echo 'See http://www.impsec.org/email-tools/sanitizer-intro.html for details.';\ 1767 echo ;\ 1768 ) | $SENDMAIL $MTA_FLAGS_HDRS 1769 1770 } 1771 } 1772 1773 :0 1774 * SECURITY_QUARANTINE ?? [^ ] 1775 { 1776 :0 1777 * SECURITY_NOTIFY_RECIPIENT ?? [^ ] 1778 { 1779 LOG="${NL} NOTIFY RECIPIENT${NL}" 1780 1781 # We could stuff this directly into $DEFAULT but then 1782 # we'd have to worry about generating Message-ID and Date headers 1783 # and it wouldn't work on a relay... 1784 :0 h ci 1785 | ( \ 1786 echo "To: $TO";\ 1787 echo 'From: "Procmail Security daemon"' "<${SECURITY_LOCAL_POSTMASTER}>";\ 1788 if [ "$SECURITY_QUARANTINE" = "/dev/null" ] ;\ 1789 then \ 1790 echo 'Subject: SECURITY WARNING - email discarded';\ 1791 else \ 1792 echo 'Subject: SECURITY WARNING - email quarantined';\ 1793 fi ;\ 1794 echo ;\ 1795 if [ -f "$SECURITY_NOTIFY_RECIPIENT" -a -s "$SECURITY_NOTIFY_RECIPIENT" -a -r "$SECURITY_NOTIFY_RECIPIENT" ] ;\ 1796 then \ 1797 cat $SECURITY_NOTIFY_RECIPIENT; \ 1798 else \ 1799 echo '*** SECURITY WARNING ***';\ 1800 echo 'Our email gateway has detected that a message sent to you';\ 1801 echo 'MAY contain hazardous embedded scripting or attachments.';\ 1802 echo 'The message has been quarantined or discarded per our site security policy.';\ 1803 echo 'Please contact your system administrator for further details.';\ 1804 echo ;\ 1805 fi ;\ 1806 echo ;\ 1807 echo "$REPORT";\ 1808 echo "$SCORE";\ 1809 echo "$STATUS_PUBLIC";\ 1810 echo ;\ 1811 echo 'Headers from message:';\ 1812 echo ;\ 1813 sed -e 's/^/> /' ;\ 1814 echo ;\ 1815 echo '--';\ 1816 echo 'Message sanitized on' $HOST;\ 1817 echo 'See http://www.impsec.org/email-tools/sanitizer-intro.html for details.';\ 1818 echo ;\ 1819 ) | $SENDMAIL $MTA_FLAGS_HDRS 1820 1821 } 1822 1823 :0 :${SECURITY_QUARANTINE_LOCKFILE} 1824 $SECURITY_QUARANTINE 1825 1826 :0 e 1827 * ! SECURITY_QUARANTINE_OPTIONAL ?? [^ ] 1828 { 1829 # Argh! Quarantine failed, and not explicitly marked as optional! 1830 # Bounce message, and notify administrator 1831 LOG="${NL} ERR: QUARANTINE FAILED!${NL}" 1832 EXITCODE=65 1833 1834 :0 h 1835 * SECURITY_NOTIFY ?? [^ ] 1836 * !$ ^X-Loop: EMAIL SECURITY WARNING $HOST $SECRET 1837 | ( \ 1838 echo "To: $SECURITY_NOTIFY";\ 1839 echo 'From: "Procmail Security daemon"' "<${SECURITY_LOCAL_POSTMASTER}>";\ 1840 echo 'Subject: SECURITY WARNING - quarantine failed!';\ 1841 echo "X-Loop: EMAIL SECURITY WARNING $HOST $SECRET"; \ 1842 echo ;\ 1843 echo 'Attempt to quarantine the following message in $SECURITY_QUARANTINE failed.';\ 1844 echo 'Message has been bounced.';\ 1845 echo 'Verify file access permissions (file must be writable):';\ 1846 ls -l $SECURITY_QUARANTINE ;\ 1847 echo ;\ 1848 echo "$REPORT";\ 1849 echo "$SCORE";\ 1850 echo ;\ 1851 echo 'Headers from message:';\ 1852 echo ;\ 1853 sed -e 's/^/> /' ;\ 1854 ) | $SENDMAIL $MTA_FLAGS_CMDLN $SECURITY_NOTIFY 1855 1856 # zap it, just in case 1857 :0 1858 /dev/null 1859 } 1860 } 1861 } 1862 1863 #eof