procmail

Re: Filtering attachment

2002-01-17 08:42:05
On 14 Jan 2002, Mohsenruddin Moonshi wrote:

:0:
* ^Content-Type: MULTIPART/MIXED
{
   :0B
   *^Content-Disposition: (attachment|inline);
   *filename=\/".*\.(bat|bif|exe|pif|com|vbs|cpl|scr|swf)"
   *filename=.*mmsn_offline.htm$
   virus
}

There are problems with trying to use procmail to interpret MIME
attachment headers...

1. What if the filename isn't quoted? The above example won't work. I
grant quotes are standard, but I have seen many unquoted filenames in
my testing of the sanitizer.

2. What if the MIME header spans multiple lines? The following would
be a valid MIME header that's simple for a worm to generate, and would
bypass most if not all of the pure-procmail attachment filters I've
seen:

     Content-Disposition:
             attachment;
             filename
             =
             "worm.vbs";

3. What about encoded filenames? There are ways to encode the period
and the other characters in the filename such that the mailer will
interpret them properly, but in the raw message they appear obscured.
For example: filename="=?iso-8859-1?Q?worm=2E=76=62=73?="
Encoding like this is a documented standard, and also easy for a worm
to do.

4. What about the above signature lines appearing within the body text
(vs. a MIME header)? Procmail has no way to distinguish the location
of the text fragments, and the more careful you are to avoid false
hits on body text, the easier it is for a worm to bypass the filter.

For all of these reasons, a reliable attachment filter that blocks
malicious content cannot be written in pure procmail. That's why I
wrote the MIME processing parts of the sanitizer in perl, as painful
as that is - it's the only way to do it *reliably*. The above filters
will catch someone accidentally sending out an attachment you don't
want, but cannot be relied upon to block knowingly malicious content
that generates valid but very unusual MIME headers.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin(_at_)impsec(_dot_)org                       pgpk -a 
jhardin(_at_)wolfenet(_dot_)com
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  Monty Python's Star Trek Voyager:
  A successful trans-warp experiment turns Paris and Janeway into
  newts, but they get better.
  ...wait a minute... It's already been done...
-----------------------------------------------------------------------
   2 days until Babylon 5: the Legend of the Rangers

_______________________________________________
procmail mailing list
procmail(_at_)lists(_dot_)RWTH-Aachen(_dot_)DE
http://MailMan.RWTH-Aachen.DE/mailman/listinfo/procmail
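An added example, not code from this post or from the sanitizer (and in Python rather than perl), that puts points 1 to 3 side by side: the quoted recipe's filename regex run over the raw message text, the way procmail sees it, beside a MIME-aware parse that unfolds the header, accepts unquoted names and decodes RFC 2047 encoded-words. The messages and filenames are constructed samples.

```python
import email
import re
from email.header import decode_header, make_header

# Extensions the quoted recipe tries to block.
BLOCKED_EXT = ("bat", "bif", "exe", "pif", "com", "vbs", "cpl", "scr", "swf")

# The recipe's filename condition, applied to raw text the way procmail does.
NAIVE_RE = re.compile(r'filename="[^"]*\.(%s)"' % "|".join(BLOCKED_EXT), re.I)

def naive_match(raw_message):
    """True if the regex-on-raw-text check would fire on this message."""
    return NAIVE_RE.search(raw_message) is not None

def decoded_filenames(raw_message):
    """Filenames as a MIME parser sees them: header unfolded, quotes optional,
    RFC 2047 encoded-words decoded to what the mailer will actually display."""
    msg = email.message_from_string(raw_message)
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name is not None:
            names.append(str(make_header(decode_header(name))))
    return names

def blocked_filenames(raw_message):
    """Decoded attachment names whose extension is on the block list."""
    return [n for n in decoded_filenames(raw_message)
            if n.lower().rsplit(".", 1)[-1] in BLOCKED_EXT]

def build_message(disposition):
    """Constructed two-part message; `disposition` is the raw
    Content-Disposition header of the attachment part, folding included."""
    return ("From: someone@example.invalid\nTo: you@example.invalid\n"
            "Subject: constructed sample\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="bnd"\n\n'
            "--bnd\nContent-Type: text/plain\n\nbody text\n"
            "--bnd\nContent-Type: application/octet-stream\n"
            + disposition + "\nAAAA\n--bnd--\n")

# Constructed header variants: the quoted form the recipe expects, the three
# evasions described in the post, and a benign attachment.
SAMPLES = {
    "quoted":   'Content-Disposition: attachment; filename="worm.scr"\n',
    "unquoted": "Content-Disposition: attachment; filename=worm.exe\n",
    "folded":   ("Content-Disposition:\n        attachment;\n"
                 '        filename\n        =\n        "worm.vbs";\n'),
    "encoded":  ('Content-Disposition: attachment; '
                 'filename="=?iso-8859-1?Q?worm=2E=76=62=73?="\n'),
    "benign":   'Content-Disposition: attachment; filename="report.pdf"\n',
}
```

Only the "quoted" sample trips the raw-text regex; the parser flags "quoted", "unquoted", "folded" and "encoded" alike and leaves "benign" alone.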
