Hi, sir:
Something seems to be wrong with the following log message:
\"Error while writing to \\\"perl -p -e \'
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
My procmail.log contains the following message. What should I do? Thanks...
-----------------------------------------------
Sanitizing MIME attachment headers in \\\"php-db Digest 1 Oct 2002 11:39:57
-0000 Issue 1442\\\" from php-db-digest-help(_at_)lists(_dot_)php(_dot_)net to
msgid=<1033472397(_dot_)68309(_dot_)ezmlm(_at_)lists(_dot_)php(_dot_)net>
procmail: Error while writing to \\\" perl -p -e \\\' #\\\\
$pastmsghdr = 1 if /^\\\\s*$/; #\\\\
$XCS = \\\"X-Content-Security: [\\\" . $ENV{\\\"HOST\\\"} . \\\"]\\\"
unless $XCS; #\\\\
if ($pastmsghdr) { #\\\\
if (!$mimebdry && $mimebdrs[0]) { #\\\\
warn \\\" Found no MIME boundary.\\\\n\\\" if $ENV{\\\"DEBUG\\\"};
#\\\\
$mimebdry = pop @mimebdrs; #\\\\
$newbdry = pop @newbdrs; #\\\\
$rawbdry = pop @rawbdrs; #\\\\
$bdrytoolong = pop @bdrstoolong; #\\\\
$gotbdry = pop @gotbdrs; #\\\\
$nullbdry = pop @nullbdrs; #\\\\
} #\\\\
$_ = \\\"\\\" if $strip_attachment && !$gotbdry; #\\\\
} else { #\\\\
if (($type,$format,$junk) =
/^Content-Type\\\\s*:\\\\s.*(application|multipart|message)\\\\/(\\\\S+)(;.*)?$/i)
{ #\\\\
$wanthdr = 1; #\\\\
print \\\"X-Security: MIME headers sanitized on \\\",
$ENV{\\\"HOST\\\"}, \\\"\\\\n\\\"; #\\\\
print \\\"\\\\tSee
http://www.impsec.org/email-tools/sanitizer-intro.html\\\\n\\\"; #\\\\
print \\\"\\\\tfor details. \\\\$Revision: 1.134 $x\\\\$Date:
2002-04-21 16:30:40-07 $x\\\\n\\\"; #\\\\
print \\\"X-Security: The postmaster has not enabled quarantine of
poisoned messages.\\\\n\\\" unless $ENV{\\\"SECURITY_QUARANTINE\\\"};
#\\\\
if ($type =~ /application/i) { #\\\\
$inmimehdr = 1; #\\\\
} elsif ($type =~ /message/i && $format =~ /rfc822/i) { #\\\\
$rcrsmsg = $inmimehdr = 1; #\\\\
} #\\\\
} elsif (/^\\\\S/) { #\\\\
$wanthdr = 0; #\\\\
} #\\\\
if ($wanthdr) { #\\\\
if (($mimebdry) =
/boundary\\\\s*=\\\\s*((\\\"\\\")|(\\\"[^\\\"]+\\\")|([^\\\"]\\\\S+))/i) {
#\\\\
$mimebdry =~ s/(^\\\"|\\\"$)//g; #\\\\
$rawbdry = $mimebdry; #\\\\
$gotbdry = 1; #\\\\
$wanthdr = 0; #\\\\
$bdrytoolong = $nullbdry = 0; #\\\\
if ($bdrytoolong = (length($mimebdry) > 80)) { #\\\\
warn \\\" Truncating long MIME body-part boundary
string.\\\\n\\\"; #\\\\
$newbdry = substr($mimebdry,0,64); #\\\\
$mimebdry = quotemeta($mimebdry); #\\\\
s/${mimebdry}/${newbdry}/; #\\\\
$rawbdry =~ s/${mimebdry}/${newbdry}/; #\\\\
} elsif ($nullbdry = (length($mimebdry) < 1)) { #\\\\
warn \\\" Replacing null MIME body-part boundary
string.\\\\n\\\"; #\\\\
$newbdry = \\\"==NULL_MIME_BOUNDARY_ATTACK_SANITIZED-${$}==\\\";
#\\\\
s/boundary\\\\s*=\\\\s*\\\"\\\"/boundary = \\\"${newbdry}\\\"/i;
#\\\\
} else { #\\\\
$mimebdry = quotemeta($mimebdry); #\\\\
} #\\\\
} #\\\\
} #\\\\
} #\\\\
if ($mimebdry || ($gotbdry && $nullbdry) || $inmimehdr) { #\\\\
if (/^\\\\s*$/) { #\\\\
$inmimehdr = 0; #\\\\
if ($rcrsmsg) { #\\\\
push @mimebdrs, $mimebdry; #\\\\
push @newbdrs, $newbdry; #\\\\
push @rawbdrs, $rawbdry; #\\\\
push @bdrstoolong, $bdrytoolong; #\\\\
push @gotbdrs, $gotbdry; #\\\\
push @nullbdrs, $nullbdry; #\\\\
$mimebdry = $newbdry = \\\"\\\"; #\\\\
$rcrsmsg = $pastmsghdr = $bdrytoolong = $gotbdry = 0; #\\\\
} #\\\\
} elsif (/^--${mimebdry}(--)?$/) { #\\\\
$mend = $1; #\\\\
s/${mimebdry}/${newbdry}/ if $bdrytoolong; #\\\\
s/^--/--${newbdry}${mend}/ if $nullbdry; #\\\\
if ($mend) { #\\\\
if ($mimebdrs[0]) { #\\\\
$mimebdry = pop @mimebdrs; #\\\\
$newbdry = pop @newbdrs; #\\\\
$rawbdry = pop @rawbdrs; #\\\\
$bdrytoolong = pop @bdrstoolong; #\\\\
$gotbdry = pop @gotbdrs; #\\\\
$nullbdry = pop @nullbdrs; #\\\\
} #\\\\
} else { #\\\\
$inmimehdr = 1; #\\\\
$rcrsmsg = $strip_attachment = $check_attachment = 0; #\\\\
} #\\\\
} elsif (!$inmimehdr && $strip_attachment) { #\\\\
$_ = \\\"\\\"; #\\\\
} elsif (!$inmimehdr && $check_attachment) { #\\\\
$check_attachment = 0; #\\\\
if ($destf = `mktemp /tmp/mailchk.XXXXXX`) { #\\\\
chomp($destf); #\\\\
if (open(DECODE,\\\"|mimencode -u -o $destf\\\")) { #\\\\
do { #\\\\
print $_; #\\\\
print DECODE $_; #\\\\
$_ = <>; #\\\\
$lastline = $_; #\\\\
} until (/^\\\\s*$/ || /^--/); #\\\\
close(DECODE); #\\\\
$msapp = $score = 0; #\\\\
@scores = (); #\\\\
$why = \\\"\\\"; #\\\\
# Run virus-checker here. #\\\\
open(ATTCH,\\\"< $destf\\\"); #\\\\
while (<ATTCH>) { #\\\\
if (/(\\\\000|\\\\001|\\\\004)(VirusProtection)/i) {
#\\\\
$why .= \\\" 99 for $1\\\\n\\\"; #\\\\
$score+= 99; #\\\\
} #\\\\
if
(/\\\\000(select\\\\s[^\\\\000]*shell\\\\s*\\\\(\\\\s*[\\\"\\\\047])/i) {
#\\\\
$why .= \\\" 99 for $1\\\\n\\\"; #\\\\
$score+= 99; #\\\\
} #\\\\
if (/\\\\000(regedit)/i) { #\\\\
$why .= \\\" 9 for $1\\\\n\\\"; #\\\\
$score+= 9; #\\\\
} #\\\\
if (/\\\\000(Shell\\\\s*\\\\()/i) { #\\\\
$why .= \\\" 9 for $1\\\\n\\\"; #\\\\
$score+= 9; #\\\\
} #\\\\
if (/\\\\000(Save(Normal|Properties)Prompt)/i) { #\\\\
$why .= \\\" 9 for $1\\\\n\\\"; #\\\\
$score+= 9; #\\\\
} #\\\\
if (/\\\\000(Outlook\\\\.Application)\\\\000/i) { #\\\\
$why .= \\\" 9 for $1\\\\n\\\"; #\\\\
$score+= 9; #\\\\
} #\\\\
if (/\\\\000(CountOfLines)/i) { #\\\\
$why .= \\\" 9 for $1\\\\n\\\"; #\\\\
$score+= 9; #\\\\
} #\\\\
if (/\\\\000(AddFromString)/i) { #\\\\
$why .= \\\" 9 for $1\\\\n\\\"; #\\\\
$score+= 9; #\\\\
} #\\\\
if (/\\\\000(StartupPath)/i) { #\\\\
$why .= \\\" 9 for $1\\\\n\\\"; #\\\\
$score+= 9; #\\\\
} #\\\\
if (/\\\\000(CreateObject)/i) { #\\\\
$why .= \\\" 4 for $1\\\\n\\\"; #\\\\
$score+= 4; #\\\\
} #\\\\
if
(/(\\\\000|\\\\004)([a-z0-9_]\\\\.)*(Autoexec|Workbook_(Open|BeforeClose|Window(De)?activate)|Document_(Open|New|Close))/i)
{ #\\\\
$why .= \\\" 4 for $&\\\\n\\\"; #\\\\
$score+= 4; #\\\\
} #\\\\
if
(/(\\\\000|\\\\004)(Logon|AddressLists|AddressEntries|Recipients|Attachments|Logoff)/i)
{ #\\\\
$why .= \\\" 4 for $&\\\\n\\\"; #\\\\
$score+= 4; #\\\\
} #\\\\
if (/(\\\\000|\\\\004)(Subject|Body)/i) { #\\\\
$why .= \\\" 4 for $&\\\\n\\\" unless $scores[0];
#\\\\
$scores[0] = 4; #\\\\
} #\\\\
if (/\\\\000(Options[^\\\\w\\\\s])/i) { #\\\\
$why .= \\\" 2 for $1\\\\n\\\"; #\\\\
$score+= 2; #\\\\
} #\\\\
if (/\\\\000(CodeModule)/i) { #\\\\
$why .= \\\" 2 for $1\\\\n\\\"; #\\\\
$score+= 2; #\\\\
} #\\\\
if (/\\\\000(([a-z]+\\\\.)?Application)\\\\000/i) { #\\\\
$why .= \\\" 2 for $1\\\\n\\\"; #\\\\
$score+= 2; #\\\\
} #\\\\
if (/(\\\\000|\\\\004)stdole/i) { #\\\\
$why .= \\\" 2 for $&\\\\n\\\"; #\\\\
$score+= 2; #\\\\
} #\\\\
if (/(\\\\000|\\\\004)NormalTemplate/i) { #\\\\
$why .= \\\" 2 for $&\\\\n\\\"; #\\\\
$score+= 2; #\\\\
} #\\\\
if (/\\\\000(ID=\\\"{[-0-9A-F]+(}\\\")?)/i) { #\\\\
$why .= \\\" 4 for $1\\\\n\\\"; #\\\\
$score+= 4; #\\\\
} #\\\\
if (/\\\\000(ThisWorkbook)\\\\000/i) { #\\\\
$why .= \\\" 1 for $1\\\\n\\\"; #\\\\
$score+= 1; #\\\\
} #\\\\
if (/\\\\000(PrivateProfileString)/i) { #\\\\
$why .= \\\" 1 for $1\\\\n\\\"; #\\\\
$score+= 1; #\\\\
} #\\\\
if
(/(\\\\000|\\\\004)(ActiveDocument|ThisDocument|ThisWorkbook)/i) { #\\\\
$why .= \\\" 1 for $&\\\\n\\\"; #\\\\
$score+= 1; #\\\\
} #\\\\
if
(/\\\\000(\\\\[?HKEY_(CLASSES_ROOT|CURRENT_USER|LOCAL_MACHINE))/) { #\\\\
$why .= \\\" 1 for $1\\\\n\\\"; #\\\\
$score+= 1; #\\\\
} #\\\\
$msapp+= 1 if /\\\\000(Microsoft (Word Document|Excel
Worksheet|Excel|PowerPoint)|MSWordDoc|Word\\\\.Document\\\\.[0-9]+|Excel\\\\.Sheet\\\\.[0-9]+)\\\\000/;
#\\\\
} #\\\\
close(ATTCH); #\\\\
unlink($destf); #\\\\
if ($msapp) { #\\\\
for (@scores) { #\\\\
$score += $_; #\\\\
} #\\\\
if ($histfile = $ENV{\\\"SCORE_HISTORY\\\"}) { #\\\\
if (open(HIST,\\\">>$histfile\\\")) { #\\\\
print HIST \\\"score=$score to=\\\".$ENV{\\\"TO\\\"}.\\\"
from=\\\".$ENV{\\\"FROM\\\"}.\\\"\\\\n\\\"; #\\\\
close HIST; #\\\\
} #\\\\
} #\\\\
$poison_score = $ENV{\\\"POISONED_SCORE\\\"}; #\\\\
$poison_score = 5 if $poison_score < 5; #\\\\
if ($score > $poison_score && !$ENV{\\\"SCORE_ONLY\\\"}) {
#\\\\
warn \\\" POSSIBLE MACRO EXPLOIT: Score=$score\\\\n\\\";
#\\\\
print \\\"\\\\n\\\\n--$rawbdry\\\\n\\\"; #\\\\
print \\\"Content-Type: TEXT/PLAIN;\\\\n\\\"; #\\\\
print \\\"$XCS NOTIFY\\\\n\\\" if
$ENV{\\\"SECURITY_NOTIFY\\\"} || $ENV{\\\"SECURITY_NOTIFY_VERBOSE\\\"};
#\\\\
print \\\"$XCS REPORT: Trapped poisoned Microsoft
attachment\\\\n\\\" if $ENV{\\\"SECURITY_NOTIFY\\\"} ||
$ENV{\\\"SECURITY_NOTIFY_VERBOSE\\\"}; #\\\\
print \\\"$XCS QUARANTINE\\\\n\\\" if
$ENV{\\\"SECURITY_QUARANTINE\\\"}; #\\\\
print \\\"Content-Description: SECURITY
WARNING\\\\n\\\\n\\\"; #\\\\
print \\\"SECURITY WARNING!\\\\n\\\"; #\\\\
print \\\"The mail delivery system has detected that the
preceding\\\\n\\\"; #\\\\
print \\\"document attachment appears to contain hazardous
macro code.\\\\n\\\"; #\\\\
print \\\"Macro Scanner score: $score\\\\n\\\"; #\\\\
if ($ENV{\\\"SCORE_DETAILS\\\"}) { #\\\\
print \\\"Macro Scanner score details:\\\\n\\\";
#\\\\
$why =~ s/[\\\\000-\\\\011\\\\013-\\\\037]//g;
#\\\\
print $why; #\\\\
} #\\\\
print \\\"Contact your system administrator
immediately!\\\\n\\\\n\\\"; #\\\\
} #\\\\
} else { #\\\\
$score = 0; #\\\\
} #\\\\
if ($lastline =~ /^--${mimebdry}(--)?$/) { #\\\\
$inmimehdr = 1; #\\\\
$check_attachment = 0; #\\\\
$lastline =~ s/${mimebdry}/${newbdry}/ if $bdrytoolong;
#\\\\
} #\\\\
print $lastline; #\\\\
} else { #\\\\
warn \\\"*** Decoding: $! - mimencode?\\\\n\\\"; #\\\\
} #\\\\
} else { #\\\\
warn \\\"*** Cannot extract - mktemp?\\\\n\\\"; #\\\\
} #\\\\
} #\\\\
if ($inmimehdr || $hdrcnt) { #\\\\
if (/^(\\\\s+\\\\S|(file)?name)/) { #\\\\
s/^\\\\s*/ /; #\\\\
s/^\\\\s*// if $hdrtxt =~ /\\\"[^\\\"]*[^;]$/; #\\\\
s/\\\\s*\\\\n$//; #\\\\
$hdrtxt .= $_; #\\\\
$_ = \\\"\\\"; #\\\\
} else { #\\\\
if ($hdrtxt) { #\\\\
$hdrtxt =~ s/([^\\\\\\\\])\\\\\\\\\\\"/\\\\1\\\\\\\\\xFF/g;
#\\\\
if ($hdrtxt =~ /`\\\\s*`/) { #\\\\
warn \\\" Fixing double backquotes.\\\\n\\\"; #\\\\
$hdrtxt =~ s/`\\\\s*`/\\\\\\\\\\\"/g; #\\\\
} #\\\\
if ($hdrtxt =~
/^[-\\\\w]+\\\\s*:.*name\\\\s*=\\\\s*\\\"[^\\\"]+$/i) { #\\\\
warn \\\" Fixing missing close quote on filename.\\\\n\\\";
#\\\\
$hdrtxt .= \\\"\\\\\\\"\\\"; #\\\\
} #\\\\
while (($hdr, $val) = $hdrtxt =~
/^([-\\\\w]+)\\\\s*:.*\\\\s(\\\\S+)\\\\s*=\\\\s*\\\"\\\"/i) { #\\\\
warn \\\" Null $val in $hdr header.\\\\n\\\"; #\\\\
$sval = quotemeta($val); #\\\\
$hdrtxt =~ s/\\\\s$sval\\\\s*=\\\\s*\\\"\\\"/ X-$val=\\\"{null
value sanitized}\\\"/; #\\\\
} #\\\\
unless ($ENV{\\\"SECURITY_DISABLE_OUTLOOK_HACKS\\\"}) {
#\\\\
while (($hdr,$filen) = $hdrtxt =~
/^(Content-Description)\\\\s*:\\\\s*text\\\\s+from\\\\s+file\\\\s+\\\\047([^\\\\047]+)\\\\047/i)
{ #\\\\
warn \\\" Fixing file name \\\\\\\"$filen\\\\\\\" in
${hdr}:\\\\n\\\"; #\\\\
$newfilen = $filen; $filen = quotemeta($filen); #\\\\
$hdrtxt =~ s/\\\\s+\\\\047${filen}\\\\047/,
filename=\\\"${newfilen}\\\"/ig; #\\\\
} #\\\\
} #\\\\
while (($junk,$filen) = $hdrtxt =~
/^Content-[-\\\\w]+\\\\s*:[^\\\"]*(\\\"[^\\\"]*\\\"[^\\\"]+)*name\\\\s*=\\\\s*([^\\\"\\\\s][^;]+)/i)
{ #\\\\
warn \\\" Fixing unquoted filename
\\\\\\\"$filen\\\\\\\".\\\\n\\\"; #\\\\
$newfilen = $filen; $filen = quotemeta($filen); #\\\\
if ($newfilen =~ /\\\\.[a-z0-9]+\\\"[a-z0-9\\\"]+$/i) {
#\\\\
warn \\\" Defanging quotes-in-extension attack.\\\\n\\\";
#\\\\
while ($newfilen =~ /\\\\.[a-z0-9]+\\\"[a-z0-9\\\"]+$/i) {
#\\\\
$newfilen =~
s/\\\\.([a-z0-9]+)\\\"([a-z0-9\\\"]+)$/.$1$2/i; #\\\\
} #\\\\
} #\\\\
$newfilen =~ s/\\\\\\\"/\\\\\\\\\\\"/g; #\\\\
if ($newfilen =~ /\\\\([^)]*\\\\)/) { #\\\\
warn \\\" Removing embedded RFC822 comments.\\\\n\\\";
#\\\\
$newfilen =~ s/\\\\([^)]*\\\\)//g; #\\\\
} #\\\\
$hdrtxt =~
s/name\\\\s*=\\\\s*${filen}/name=\\\"$newfilen\\\"/ig; #\\\\
} #\\\\
while (($filen) = $hdrtxt =~
/^Content-[-\\\\w]+\\\\s*:.*name\\\\s*=\\\\s*\\\"(=\\\\?[^\\\"]+\\\\?Q\\\\?[^\\\"]+=(2e|3[0-9]|[46][1-9a-f]|[57][0-9a])[^\\\"]+\\\\?=)\\\"/i)
{ #\\\\
warn \\\" Fixing encoded plain characters in
\\\\\\\"$filen\\\\\\\".\\\\n\\\"; #\\\\
$newfilen = $filen; $filen = quotemeta($filen); #\\\\
while ($newfilen =~ /=(2e|3[0-9]|[46][1-9a-f]|[57][0-9a])/i) {
#\\\\
$char = chr(hex(\\\"0x$1\\\")); #\\\\
$newfilen =~ s/=$1/$char/gi; #\\\\
} #\\\\
$hdrtxt =~
s/name\\\\s*=\\\\s*\\\"${filen}\\\"/name=\\\"$newfilen\\\"/ig; #\\\\
} #\\\\
while (($filen) = $hdrtxt =~
/^Content-[-\\\\w]+\\\\s*:.*name\\\\s*=\\\\s*\\\"([^\\\"]+)[\\\\.\\\\s]+\\\"/i)
{ #\\\\
warn \\\" Fixing trailing spaces/periods in filename.\\\\n\\\";
#\\\\
$newfilen = $filen; $filen = quotemeta($filen); #\\\\
$hdrtxt =~
s/name\\\\s*=\\\\s*\\\"${filen}[\\\\.\\\\s]+\\\"/name=\\\"$newfilen\\\"/ig;
#\\\\
} #\\\\
while (($filen) = $hdrtxt =~
/^Content-[-\\\\w]+\\\\s*:.*name\\\\s*=\\\\s*\\\"([^\\\"]{120})[^\\\"]{16,}\\\"/i)
{ #\\\\
warn \\\" Truncating long filename
\\\\\\\"$filen...\\\\\\\".\\\\n\\\"; #\\\\
$filen =~ s/\\\\s+$//; #\\\\
$filen .= \\\"...\\\"; #\\\\
$filen .= \\\"?=\\\" if $filen =~ /^=\\\\?/; #\\\\
$hdrtxt =~
s/name\\\\s*=\\\\s*\\\"[^\\\"]{128,}\\\"/name=\\\"$filen\\\"/i; #\\\\
$mangle_mime_type = 1; #\\\\
} #\\\\
if (($mtype) = $hdrtxt =~
/^Content-Type:\\\\s+([a-z0-9-_]+\\\\/[a-z0-9-_]+)/i) { #\\\\
unless ($mtype =~ /^(multipart|text|message)\\\\//i) {
#\\\\
unless ($hdrtxt =~ /name\\\\s*=\\\\s*\\\"/i) { #\\\\
$dfrhdr .= \\\"$hdrtxt\\\\n\\\"; $hdrtxt = \\\"\\\";
#\\\\
} #\\\\
} #\\\\
} #\\\\
if ($hdrtxt =~ /^Content-Transfer-Encoding\\\\s*:/i) {
#\\\\
$dfrhdr .= \\\"$hdrtxt\\\\n\\\"; $hdrtxt = \\\"\\\";
#\\\\
} #\\\\
if (($filen) = $hdrtxt =~
/^Content-[-\\\\w]+\\\\s*:.*name\\\\s*=\\\\s*\\\"([^\\\"]+\\\\.(do[ct]|xl[swt]|p[po]t|rtf|pps)(\\\\?=)?)\\\"/i)
{ #\\\\
$stripped = 0; #\\\\
if (!$poisoned && ($specf =
$ENV{\\\"STRIPPED_EXECUTABLES\\\"})) { #\\\\
if (open(STRIPPED,$specf)) { #\\\\
warn \\\"Checking document \\\\\\\"$filen\\\\\\\" for
stripping.\\\\n\\\"; #\\\\
while (chomp($stp_spec = <STRIPPED>)) { #\\\\
$stp_spec =~ s/^\\\\s+//g; #\\\\
$stp_spec =~ s/\\\\s.*$//g; #\\\\
next unless $stp_spec; #\\\\
$stp_spec =~ s/([^\\\\\\\\])\\\\./$1\\\\\\\\./g;
#\\\\
$stp_spec =~ s/\\\\*/.*/g; #\\\\
$stp_spec =~ s/([^\\\\(])\\\\?/$1./g; #\\\\
$stp_spec .= \\\"(\\\\\\\\?=)?\\\\$\\\" unless $stp_spec
=~ /\\\\$/; #\\\\
warn \\\"Checking against
\\\\\\\"$stp_spec\\\\\\\"\\\\n\\\" if $ENV{\\\"DEBUG\\\"}; #\\\\
if ($filen =~ /^${stp_spec}/i) { #\\\\
warn \\\" Stripped document
\\\\\\\"$filen\\\\\\\".\\\\n\\\"; #\\\\
$stripped = 1; #\\\\
print \\\"Content-Type: TEXT/PLAIN;\\\\n\\\";
#\\\\
print \\\"$XCS REPORT: Microsoft attachment
\\\\\\\"$filen\\\\\\\" stripped\\\\n\\\"; #\\\\
print \\\"Content-Description: SECURITY
NOTICE\\\\n\\\\n\\\"; #\\\\
print $ENV{\\\"STRIPPED_WARNING\\\"}; #\\\\
print \\\"Filename: $filen\\\\n\\\\n\\\"; #\\\\
print \\\"More headers follow:\\\\n\\\\n\\\" unless
$pastmsghdr; #\\\\
$_ = $dfrhdr = $hdrtxt = \\\"\\\"; #\\\\
$strip_attachment = 1; #\\\\
$inmimehdr = 0; #\\\\
last; #\\\\
} #\\\\
} #\\\\
close(STRIPPED); #\\\\
} else { #\\\\
warn \\\" Unable to open stripped-executables file
\\\\\\\"$specf\\\\\\\".\\\\n\\\"; #\\\\
} #\\\\
} #\\\\
if (!$poisoned && !$stripped && ($specf =
$ENV{\\\"POISONED_EXECUTABLES\\\"})) { #\\\\
if (open(POISONED,$specf)) { #\\\\
warn \\\"Checking document \\\\\\\"$filen\\\\\\\" for
poisoning.\\\\n\\\"; #\\\\
while (chomp($psn_spec = <POISONED>)) { #\\\\
$psn_spec =~ s/^\\\\s+//g; #\\\\
$psn_spec =~ s/\\\\s.*$//g; #\\\\
next unless $psn_spec; #\\\\
$psn_spec =~ s/([^\\\\\\\\])\\\\./$1\\\\\\\\./g;
#\\\\
$psn_spec =~ s/\\\\*/.*/g; #\\\\
$psn_spec =~ s/([^\\\\(])\\\\?/$1./g; #\\\\
$psn_spec .= \\\"(\\\\\\\\?=)?\\\\$\\\" unless $psn_spec
=~ /\\\\$/; #\\\\
warn \\\"Checking against
\\\\\\\"$psn_spec\\\\\\\"\\\\n\\\" if $ENV{\\\"DEBUG\\\"}; #\\\\
if ($filen =~ /^${psn_spec}/i) { #\\\\
warn \\\" Trapped poisoned document
\\\\\\\"$filen\\\\\\\".\\\\n\\\"; #\\\\
$poisoned = 1; #\\\\
print \\\"Content-Type: TEXT/PLAIN;\\\\n\\\";
#\\\\
print \\\"$XCS NOTIFY\\\\n\\\" if
$ENV{\\\"SECURITY_NOTIFY\\\"} || $ENV{\\\"SECURITY_NOTIFY_VERBOSE\\\"};
#\\\\
print \\\"$XCS REPORT: Trapped poisoned Microsoft
attachment \\\\\\\"$filen\\\\\\\"\\\\n\\\" if $ENV{\\\"SECURITY_NOTIFY\\\"} ||
$ENV{\\\"SECURITY_NOTIFY_VERBOSE\\\"}; #\\\\
print \\\"$XCS QUARANTINE\\\\n\\\" if
$ENV{\\\"SECURITY_QUARANTINE\\\"}; #\\\\
print \\\"Content-Description: SECURITY
WARNING\\\\n\\\\n\\\"; #\\\\
print $ENV{\\\"POISONED_WARNING\\\"}; #\\\\
print \\\"Macro Scanner score: 0 (poisoned by name,
scan skipped)\\\\n\\\\n\\\"; #\\\\
last; #\\\\
} #\\\\
} #\\\\
close(POISONED); #\\\\
} else { #\\\\
warn \\\" Unable to open poisoned-executables file
\\\\\\\"$specf\\\\\\\".\\\\n\\\"; #\\\\
} #\\\\
} #\\\\
$check_attachment = 1 unless $ENV{\\\"DISABLE_MACRO_CHECK\\\"};
#\\\\
} #\\\\
if (($bndry) = $hdrtxt =~
/^Content-Type:\\\\s+multipart\\\\/.*\\\\s+boundary\\\\s*=\\\\s*\\\"?([^\\\"]+)\\\"?/i)
{ #\\\\
push @mimebdrs, $mimebdry; #\\\\
push @newbdrs, $newbdry; #\\\\
push @rawbdrs, $rawbdry; #\\\\
push @bdrstoolong, $bdrytoolong; #\\\\
push @gotbdrs, $gotbdry; #\\\\
push @nullbdrs, $nullbdry; #\\\\
$mimebdry = $newbdry = $bndry; #\\\\
$mimebdry = quotemeta($mimebdry); #\\\\
$rcrsmsg = $bdrytoolong = $gotbdry = 0; #\\\\
} #\\\\
if ($hdrtxt =~ /^Content-Type:\\\\s+message\\\\/rfc822/i) {
#\\\\
if (!$inmimehdr) { #\\\\
push @mimebdrs, $mimebdry; #\\\\
push @newbdrs, $newbdry; #\\\\
push @rawbdrs, $rawbdry; #\\\\
push @bdrstoolong, $bdrytoolong; #\\\\
push @gotbdrs, $gotbdry; #\\\\
push @nullbdrs, $nullbdry; #\\\\
$mimebdry = $newbdry = \\\"\\\"; #\\\\
$rcrsmsg = $pastmsghdr = $bdrytoolong = $gotbdry = 0;
#\\\\
} else { #\\\\
$rcrsmsg = 1; #\\\\
} #\\\\
} #\\\\
if ($ENV{\\\"SECURITY_STRIP_MSTNEF\\\"} && $hdrtxt =~
/^Content-Type:\\\\s+application\\\\/MS-TNEF/i) { #\\\\
print \\\"Content-Type: TEXT/PLAIN;\\\\n\\\"; #\\\\
print \\\"$XCS REPORT: Stripped MS-TNEF attachment\\\\n\\\";
#\\\\
print \\\"Content-Description: SECURITY NOTICE\\\\n\\\\n\\\";
#\\\\
print $ENV{\\\"TNEF_WARNING\\\"}; #\\\\
$_ = $dfrhdr = $hdrtxt = \\\"\\\"; #\\\\
$strip_attachment = 1; #\\\\
$inmimehdr = 0; #\\\\
} #\\\\
while (($filen) = $hdrtxt =~
/^Content-[-\\\\w]+\\\\s*:.*name\\\\s*=\\\\s*\\\"([^\\\"]+\\\\.($ENV{\\\"MANGLE_EXTENSIONS\\\"})(\\\\?=)?)\\\"/io)
{ #\\\\
$stripped = 0; #\\\\
if (!$poisoned && ($specf =
$ENV{\\\"STRIPPED_EXECUTABLES\\\"})) { #\\\\
if (open(STRIPPED,$specf)) { #\\\\
warn \\\"Checking \\\\\\\"$filen\\\\\\\" for
stripping.\\\\n\\\"; #\\\\
while (chomp($stp_spec = <STRIPPED>)) { #\\\\
$stp_spec =~ s/^\\\\s+//g; #\\\\
$stp_spec =~ s/\\\\s.*$//g; #\\\\
next unless $stp_spec; #\\\\
$stp_spec =~ s/([^\\\\\\\\])\\\\./$1\\\\\\\\./g;
#\\\\
$stp_spec =~ s/\\\\*/.*/g; #\\\\
$stp_spec =~ s/([^\\\\(])\\\\?/$1./g; #\\\\
$stp_spec .= \\\"(\\\\\\\\?=)?\\\\$\\\" unless $stp_spec
=~ /\\\\$/; #\\\\
warn \\\"Checking against
\\\\\\\"$stp_spec\\\\\\\"\\\\n\\\" if $ENV{\\\"DEBUG\\\"}; #\\\\
if ($filen =~ /^${stp_spec}/i) { #\\\\
warn \\\" Stripped executable
\\\\\\\"$filen\\\\\\\".\\\\n\\\"; #\\\\
$stripped = 1; #\\\\
print \\\"Content-Type: TEXT/PLAIN;\\\\n\\\";
#\\\\
print \\\"$XCS REPORT: Attachment
\\\\\\\"$filen\\\\\\\" stripped\\\\n\\\"; #\\\\
print \\\"Content-Description: SECURITY
NOTICE\\\\n\\\\n\\\"; #\\\\
print $ENV{\\\"STRIPPED_WARNING\\\"}; #\\\\
print \\\"Filename: $filen\\\\n\\\\n\\\"; #\\\\
print \\\"More headers follow:\\\\n\\\\n\\\" unless
$pastmsghdr; #\\\\
$_ = $dfrhdr = $hdrtxt = \\\"\\\"; #\\\\
$strip_attachment = 1; #\\\\
$inmimehdr = 0; #\\\\
last; #\\\\
} #\\\\
} #\\\\
close(STRIPPED); #\\\\
} else { #\\\\
warn \\\" Unable to open stripped-executables file
\\\\\\\"$specf\\\\\\\".\\\\n\\\"; #\\\\
} #\\\\
} #\\\\
if (!$poisoned && !$stripped && ($specf =
$ENV{\\\"POISONED_EXECUTABLES\\\"})) { #\\\\
if (open(POISONED,$specf)) { #\\\\
warn \\\"Checking \\\\\\\"$filen\\\\\\\" for
poisoning.\\\\n\\\"; #\\\\
while (chomp($psn_spec = <POISONED>)) { #\\\\
$psn_spec =~ s/^\\\\s+//g; #\\\\
$psn_spec =~ s/\\\\s.*$//g; #\\\\
next unless $psn_spec; #\\\\
$psn_spec =~ s/([^\\\\\\\\])\\\\./$1\\\\\\\\./g;
#\\\\
$psn_spec =~ s/\\\\*/.*/g; #\\\\
$psn_spec =~ s/([^\\\\(])\\\\?/$1./g; #\\\\
$psn_spec .= \\\"(\\\\\\\\?=)?\\\\$\\\" unless $psn_spec
=~ /\\\\$/; #\\\\
warn \\\"Checking against
\\\\\\\"$psn_spec\\\\\\\"\\\\n\\\" if $ENV{\\\"DEBUG\\\"}; #\\\\
if ($filen =~ /^${psn_spec}/i) { #\\\\
warn \\\" Trapped poisoned executable
\\\\\\\"$filen\\\\\\\".\\\\n\\\"; #\\\\
$poisoned = 1; #\\\\
print \\\"Content-Type: TEXT/PLAIN;\\\\n\\\";
#\\\\
print \\\"$XCS NOTIFY\\\\n\\\" if
$ENV{\\\"SECURITY_NOTIFY\\\"} || $ENV{\\\"SECURITY_NOTIFY_VERBOSE\\\"};
#\\\\
print \\\"$XCS REPORT: Trapped poisoned executable
\\\\\\\"$filen\\\\\\\"\\\\n\\\" if $ENV{\\\"SECURITY_NOTIFY\\\"} ||
$ENV{\\\"SECURITY_NOTIFY_VERBOSE\\\"}; #\\\\
print \\\"$XCS QUARANTINE\\\\n\\\" if
$ENV{\\\"SECURITY_QUARANTINE\\\"}; #\\\\
print \\\"Content-Description: SECURITY
WARNING\\\\n\\\\n\\\"; #\\\\
print $ENV{\\\"POISONED_WARNING\\\"}; #\\\\
last; #\\\\
} #\\\\
} #\\\\
close(POISONED); #\\\\
} else { #\\\\
warn \\\" Unable to open poisoned-executables file
\\\\\\\"$specf\\\\\\\".\\\\n\\\"; #\\\\
} #\\\\
} #\\\\
unless ($stripped) { #\\\\
warn \\\" Mangling executable filename
\\\\\\\"$filen\\\\\\\".\\\\n\\\"; #\\\\
$newfilen = $filen; $filen = quotemeta($filen); #\\\\
$newfilen =~
s/\\\\.([-a-z0-9{}]+(\\\\?=)?)$/.${$}DEFANGED-$1/i; #\\\\
$hdrtxt =~
s/name\\\\s*=\\\\s*\\\"?${filen}\\\"?/name=\\\"$newfilen\\\"/ig; #\\\\
$mangle_mime_type = 1; #\\\\
} #\\\\
} #\\\\
if ($mangle_mime_type && $hdrtxt =~ /^Content-Type:\\\\s/i) {
#\\\\
($oct) = $hdrtxt =~
/^Content-Type:.*\\\\s(\\\\S+\\\\/\\\\S+;?)/i; #\\\\
warn \\\" Mangling MIME type \\\\\\\"$oct\\\\\\\".\\\\n\\\";
#\\\\
unless ($oct =~ /application\\\\/octet-stream;/i) { #\\\\
print \\\"$XCS original Content-Type was $oct\\\\n\\\";
#\\\\
$oct = quotemeta($oct); #\\\\
$hdrtxt =~ s/${oct}/application\\\\/octet-stream;/i;
#\\\\
} #\\\\
} #\\\\
if ($mangle_mime_type && $hdrtxt =~ /\\\\sx-mac-\\\\S+/i) {
#\\\\
$eudora = \\\"\\\"; #\\\\
while (($eh) = $hdrtxt =~
/(\\\\sx-mac-\\\\S+\\\\s*=\\\\s*\\\\S+;?)/i) { #\\\\
$eudora .= $eh; #\\\\
$eh = quotemeta($eh); #\\\\
$hdrtxt =~ s/${eh}//i; #\\\\
} #\\\\
print \\\"$XCS removed$eudora\\\\n\\\"; #\\\\
} #\\\\
if (($junk) = $hdrtxt =~
/^Content-Type\\\\s*:\\\\s+(.{128}).{100,}$/i) { #\\\\
warn \\\" Truncating long Content-Type header.\\\\n\\\";
#\\\\
$junk =~ s/\\\"/\\\\\\\\\\\"/g; #\\\\
$hdrtxt = \\\"Content-Type: X-BOGUS\\\\/X-BOGUS;
originally=\\\\\\\"$junk...\\\\\\\"\\\"; #\\\\
} elsif (($junk) = $hdrtxt =~
/^Content-Description\\\\s*:\\\\s+(.{128}).{100,}$/i) { #\\\\
warn \\\" Truncating long Content-Description header.\\\\n\\\";
#\\\\
$hdrtxt = \\\"Content-Description: $junk...\\\"; #\\\\
} elsif (($junk) = $hdrtxt =~
/^Content-[-\\\\w]+\\\\s*:\\\\s+(.{128}).{100,}$/i) { #\\\\
warn \\\" Truncating long MIME header.\\\\n\\\"; #\\\\
$junk =~ s/\\\"/\\\\\\\\\\\"/g; #\\\\
$hdrtxt =~ s/^Content-([-\\\\w]+)\\\\s*:.*$/X-Overflow:
Content-$1; originally=\\\"$junk...\\\"/i; #\\\\
} #\\\\
$hdrtxt =~ s/\\\\\\\\\xFF/\\\\\\\\\\\"/g; #\\\\
print \\\"$hdrtxt\\\\n\\\" if $hdrtxt; #\\\\
$hdrtxt = \\\"\\\"; #\\\\
if (!$inmimehdr) { #\\\\
if ($dfrhdr) { #\\\\
if ($mangle_mime_type && $dfrhdr =~ /^Content-Type:\\\\s/i) {
#\\\\
($oct) = $dfrhdr =~
/^Content-Type:[^\\\\n]*\\\\s(\\\\S+\\\\/\\\\S+;?)/i; #\\\\
warn \\\" Mangling MIME type
\\\\\\\"$oct\\\\\\\".\\\\n\\\"; #\\\\
unless ($oct =~ /application\\\\/octet-stream;/i) {
#\\\\
print \\\"$XCS original Content-Type was $oct\\\\n\\\";
#\\\\
$oct = quotemeta($oct); #\\\\
$dfrhdr =~ s/${oct}/application\\\\/octet-stream;/i;
#\\\\
} #\\\\
} #\\\\
print $dfrhdr; $dfrhdr = \\\"\\\"; #\\\\
} #\\\\
$poisoned = $mangle_mime_type = 0; #\\\\
} #\\\\
} #\\\\
if (/^\\\\S/) { #\\\\
s/\\\\s*\\\\n$//; #\\\\
$hdrtxt = $_; #\\\\
$_ = \\\"\\\"; #\\\\
$hdrcnt++; #\\\\
} else { #\\\\
$hdrcnt = 0; #\\\\
$hdrtxt = \\\"\\\"; #\\\\
} #\\\\
} #\\\\
} #\\\\
} #\\\\
\\\' 2>> $LOGFILE\\\"
procmail: Rescue of unfiltered data succeeded
------------------------------------------
〇From: \x{2664}\xABH\xACOパ扤\xA4p\xB9q\xA4l\xB6lン1.0扤扤\xB5o\xA5X...
http://www.tyes.tyc.edu.tw
mis(_at_)mail(_dot_)tyes(_dot_)tyc(_dot_)edu(_dot_)tw