[Esd-l] Email Sanitizer identify zip as Office attachments

mikechiarappa at libero.it mikechiarappa at libero.it
Wed Apr 21 10:35:57 PDT 2004


Hello,  
  
I installed E-mail Sanitizer three days ago on my Linux server (SuSE 9.0 Pro, MTA postfix) and it works well, but it doesn't 
scan .zip attachments.  
  
I use this [/etc/procmailrc] file:  
  
# /etc/procmail/procmailrc  
  
PATH="/usr/bin:$PATH:/usr/local/bin"  
SHELL=/bin/sh  
  
POISONED_EXECUTABLES=/etc/procmail/poisoned-files  
ZIPPED_EXECUTABLES=/etc/procmail/poisoned-files-zip  
# STRIPPED_EXECUTABLES=/etc/procmail/stripped-files  
SECURITY_NOTIFY="postmaster"  
SECURITY_NOTIFY_VERBOSE=""  
SECURITY_NOTIFY_SENDER=""  
SECRET="ujytmhb24yfi2i42309tgh"  
SECURITY_POISON_WINEXE=YES  
  
# This file must already exist, with proper permissions (rw--w--w-):  
SECURITY_QUARANTINE=/var/spool/mail/quarantine  
  
POISONED_SCORE=25  
# This file must already exist, with proper permissions (rw--w--w-):  
SCORE_HISTORY=/var/log/macro-scanner-scores  
  
# This file must already exist, with proper permissions (rw--w--w-):  
LOGFILE=/var/log/procmail.log  
  
# DEBUG=YES  
# DEBUG_VERBOSE=YES  
  
# Use Perl CPAN Modules MIME::Base64 and File::mktemp  
USE_CPAN=YES  
  
# Finished setting up, now run the sanitizer...  
INCLUDERC=/etc/procmail/html-trap.procmail  
  
# Reset some things to avoid leaking info to  
# the users...  
POISONED_EXECUTABLES=  
ZIPPED_EXECUTABLES=  
STRIPPED_EXECUTABLES=  
SECURITY_NOTIFY=  
SECURITY_NOTIFY_VERBOSE=  
SECURITY_NOTIFY_SENDER=  
SECURITY_QUARANTINE=  
SECRET=  
  
# --- End of /etc/procmail/procmailrc  
  
As a test I sent an email with the attached file [fakevirus.zip] and noticed this line in [procmail.log]:  
  
Checking Office document "=?iso-8859-1?Q?fakevirus.zip?=" for poisoning.  
  
It seems that the Sanitizer doesn't recognize the attachment as a zip file but as an Office file.  
I have tried disabling the Perl packages MIME::Base64 and File::MkTemp, using the external commands [mimencode] and [mktemp]  
instead and setting USE_CPAN=OFF, but the result is the same.  
  
Do you have any suggestions or hints about this problem?  
For now I have added *.zip files to the POISON_EXECUTABLES list.... :-))  
  
Thank you.  
  
Mike Chiarappa  
mikechiarappa at libero.it  
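
Added example, not part of the original message and not the Sanitizer's own code: the filename in the logged line is an RFC 2047 encoded-word, so its raw text ends in `?=` rather than `.zip`. The Python below compares an extension check on the raw name with one on the decoded name; the extension sets and function names are assumptions, and the post does not establish how the Sanitizer itself classifies the file.

```python
from email.errors import HeaderParseError
from email.header import decode_header

# Extension sets are constructed for this example, not the Sanitizer's lists.
ARCHIVE_EXT = {"zip"}
OFFICE_EXT = {"doc", "dot", "xls", "xlt", "ppt", "pps", "rtf"}


def decode_filename(raw: str) -> str:
    """Return the MIME filename with RFC 2047 encoded-words decoded."""
    raw = raw.strip().strip('"')
    try:
        chunks = decode_header(raw)
    except HeaderParseError:  # malformed base64 payload: keep the raw text
        return raw
    out = []
    for chunk, charset in chunks:
        if isinstance(chunk, bytes):
            try:
                chunk = chunk.decode(charset or "ascii", errors="replace")
            except LookupError:  # unknown charset label
                chunk = chunk.decode("latin-1")
        out.append(chunk)
    return "".join(out)


def extension(name: str) -> str:
    """Lower-cased last extension, ignoring trailing dots and spaces."""
    name = name.strip().strip('"').rstrip(". ")
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify(name: str) -> str:
    """Map a filename to a scan class by its extension."""
    ext = extension(name)
    if ext in ARCHIVE_EXT:
        return "archive"
    if ext in OFFICE_EXT:
        return "office"
    return "other"


if __name__ == "__main__":
    logged = "=?iso-8859-1?Q?fakevirus.zip?="  # filename from the log line
    print("raw:    ", extension(logged), "->", classify(logged))
    decoded = decode_filename(logged)
    print("decoded:", extension(decoded), "->", classify(decoded))
```
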

