[Esd-l] Worms "caught" in mailboxes

John D. Hardin jhardin at impsec.org
Mon Apr 12 17:37:05 PDT 2004

On Mon, 12 Apr 2004, Brett Glass wrote:

> A client of mine is using John's sanitizer and is running into a frequent 
> problem. Every now and then, he can't retrieve his mail from the server; 
> the POP server software says that it can't parse the mail file. When he 
> opens the mail file in a text editor, he discovers that a worm has 
> arrived in his box. The sanitizer has chopped off the usual RFC822 
> headers, but has left the MIME attachments behind. Because the file 
> doesn't begin with a line that starts with "From", the POP server is 
> declaring the mailbox to be invalid and not allowing retrieval of the 
> message. Cutting out everything up to the first line beginning with 
> "From" solves the problem.
> Is this a bug in the sanitizer?

Possibly; I never claim to be perfect... :)

I've not heard of it chopping off ALL of the RFC822 headers. Does the
message show any other signs of having been sanitized? Are the MIME
attachment headers mangled?

It might be formail failing and wiping out the headers when a local
rule fires. Is local-rules in use? Does commenting out the include of
local-rules help?

> In Procmail?

Possibly, but that's a lot worse than the "missing F" bug.

Locking perhaps? What (if anything) does the procmail log say when
this happens?

You could put a detection rule like this right after the local-rules
and sanitizer includes:

   * ! ^Date:

> The system is running 
> FreeBSD 4.9 and a recent version of Procmail; the sanitizer is version 1.138.

Would it be possible for him to update to the current release before
we try to troubleshoot further?

Someone else on FreeBSD just reported the exact same thing happening.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  Bush? Kerry? I'm so sick of our elections always being "choose the
  lesser of two evils."
   204 days until the Presidential Election

More information about the esd-l mailing list