[Esa-l] Possible suggestions...

Murray Crane mecha.ike at hydramedia.com
Fri Nov 24 07:31:52 PST 2000


Jon,

At 06:30 24/11/00 -0800, you wrote:
>What I plan to achieve (Real Soon Now!) is to have attachment filename
>poisoning separate[sic] from mangling, and have mangling be
>user-selectable to be MANGLE_LIST or SAFE_LIST (e.g. "mangle all
>except").

>I've been thinking of something similar to that, given the number of
>questions I receive about why the sanitizer is mangling .DOC files and
>how to stop it.

Ah, the open sourcer's friend, RSN :-)  Separate mangling and poisoning 
would kill the one little bird of 'issue' that I have with the sanitizer as 
it currently stands (V1.123).

The idea of the external addition to the mangle list is to allow site 
admins to add in extra file types to the default mangle list without 
banging the perl (and the opportunities for error that introduces).

I operate the sanitizer here in a rather over-the-top way (a 
poisoned-executables file full of "*.whatevers") but I can see that there 
would be others who would want less stuff mangled/poisoned.  You're faced 
with striking a happy medium out of the box.  It's a case of "Not 
explicitly denied" and erring on the side of caution in the mangle list 
(although your SAFE_LIST idea is more like "Not explicitly allowed"). Hmm...

>Of course! This is open source after all. However: the latest version
>has a SECURITY_NOTIFY_RECIPIENT option - what version are you running?

Wrong end of the stick (partly my fault).

I don't particularly want users here knowing that an e-mail didn't get 
delivered to them, whatever the reason (ignorance being bliss...), but I 
(as postmaster) want to know that Alice sent Bob an email which was blocked 
because of attachment/macros, and I want Alice to know that we don't like 
what he/she tried to send to Bob.

I'm talking about $STATUS and $STATUS_PUBLIC for SECURITY_QUARANTINE.  I've 
tweaked V1.123 so that SECURITY_QUARANTINE messages include $TO (like 
SECURITY_NOTIFY), but more often than not that's a dist. list of email 
addresses, and I still get the 'msgid()'.  Really, all I want to see is the 
address that delivery at my site is being attempted to (does that make 
sense?) Is $MAIL_TO what I'm after, or does that only exist outside of the 
sanitizer? (I'll try that, so save yourself answering that query.)

That reminds me, how can I stop getting a copy of SECURITY_NOTIFY_SENDER 
sent to me as well?  The SECURITY_NOTIFY(_VERBOSE)? is amply sufficient, 
thank you. :-)

Kind regards

Murray Crane
