[Esd-l] Stripping Attachments?

John D. Hardin jhardin at impsec.org
Sat Jan 12 20:10:01 PST 2002

On Sat, 12 Jan 2002, Paul Thomas wrote:

> I'm trying to implement the STRIPPED_EXECUTABLE feature. In my
> /etc/procmailrc, I put all the MANGLE_EXTENSIONS list in:
> STRIPPED_EXECUTABLES="/etc/procmail/stripped".

That's a bit extreme, unless you simply don't want to receive ANY
executable attachments whatsoever.

> Then in /etc/procmailrc, I put the following:
>      :0
>      * ^(To|Cc):.*some at address.com
>      {
> MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx||doc|

That's very bad... You're matching a NULL string there, so I think
*all* file attachments would be considered executable.

> bmp|dot|xl[wt]|p[po]t|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|html|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wm[szd]|vcf|nws|\{[-0-9a-f]+\}' 

Mangling bitmap images? They're safe, unless somebody's found an
exploit that I haven't heard about. :)

>      }
> and omit the file extentions I want to not be stripped. In
> particular, I don't want to strip .rtf files for some at address.com,
> so it is omitted from the MANGLE_EXTENSIONS list. However when a
> .rtf file is sent to some at address.com, it is getting stripped
> unless I remove that extention from the
> STRIPPED_EXECUTABLES="/etc/procmail/stripped" list.

1) if a filename's extension is in the MANGLE_EXTENSIONS list, it will
be mangled, and it is also eligible for stripping or poisoning. For
the exception to this that's biting you, see below.

2) if an eligible filename matches a filespec in the STRIP list, it
will be stripped from the message and discarded.

3) if an eligible filename is in teh POISON list, the message will be
marked as poisoned, the attachment format will be mangled, and the
message will be quarantined if a quarantine is defined.
> I thought for a file to be stripped, the extention must appear in

That is true.

HOWEVER: Microsoft document extensions (such as RTF) have special
treatment. They will always be eligible for stripping and poisoning,
even if they don't appear in the MANGLE list. This is so they can be
scanned for macros even though their filenames aren't being mangled.

Take *.RTF (etc.) out of your strip file if you don't want them

> What happens if I list .html files to be stripped?

File attachments whose names end in .HTML will be stripped. Note that
this does NOT apply to text/html body parts; all of this
mangling/poisoning/stripping stuff only applies to file attachments.

> And, what does 'html?' do?

The ? makes the preceding character optional. It it equivalent to
"match 'htm' OR 'html'".

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                       pgpk -a jhardin at wolfenet.com
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  Monty Python's Star Trek Voyager:
  A successful trans-warp experiment turns Paris and Janeway into
  newts, but they get better.
  ...wait a minute... It's already been done...
   7 days until Babylon 5: the Legend of the Rangers

More information about the esd-l mailing list