[Esd-l] ZIP scanning, take two (repost)

John D. Hardin jhardin at impsec.org
Tue Feb 24 06:00:34 PST 2004

On Sun, 22 Feb 2004, Simon Matthews wrote:

> > Okay, the list seems to be working again...
> Did it ever stop, or was it just your own email that was not
> working?

It appeared to be down for a bit after the 17th. I had some questions
from others, checked the archives and did not see my post or the
others' test posts. I notified Michael and saw a test post from him
but no announcement.

> While this will work, it has some limitations.

Oh, no doubt. It was just a tiny example to illustrate policy
definition methods.

> Most likely people will want to accept more filetypes from their
> own domain name, yet forging the "From" is common and we have one
> virus that uses "james@<recipient's domain name>"

If you want an open policy on messages from your local users, you
*must* check IP addresses in a trusted Received: header to reliably
detect internal origin. Nothing else works well, unless you have
control over the mailers and can have them insert a header that you
won't see on non-local messages.

> Could it be possible to change the banned filenames if the email
> is received from a trusted IP address? For example, from within
> the LAN or WAN? You could probably lift the code from SpamAssassin
> that deals with "trusted networks".

I don't want to build a lot of policy framework into the sanitizer
itself. You can easily do very flexible policy configuration through
standard procmail checking of the message and pointing at different
policy files through environment variables before calling the
sanitizer. This is how it was initially designed.
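The origin check described above, trusting only the Received: header that your own MTA stamped and ignoring From: entirely, as an added example in Python (not code from the sanitizer or from the original post); the MTA hostname, the trusted networks and the sample messages are constructed assumptions.

```python
"""Classify a message as internal or external from the Received: header stamped
by our own MTA; the From: header is never consulted since it is trivially forged."""
import email
import ipaddress
import re

# Assumed values for this example: our border MTA and the networks we treat as local.
OUR_MTA = "mail.example.com"
TRUSTED_NETWORKS = [ipaddress.ip_network("192.168.0.0/16"),
                    ipaddress.ip_network("10.0.0.0/8")]
# The connecting client's address appears in brackets: "from host (helo [1.2.3.4])".
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def trusted_received_ip(raw_message):
    """Client IP from the topmost Received: header, or None unless OUR_MTA wrote it."""
    received = email.message_from_string(raw_message).get_all("Received") or []
    if not received:
        return None
    # MTAs prepend Received: lines, so index 0 is the one our own server added;
    # anything below it may have been written by the sender and is not trusted.
    top = " ".join(str(received[0]).split())
    if f"by {OUR_MTA}" not in top:
        return None
    match = _IP_RE.search(top)
    return ipaddress.ip_address(match.group(1)) if match else None


def is_internal_origin(raw_message):
    """True only when the trusted client address falls inside TRUSTED_NETWORKS."""
    ip = trusted_received_ip(raw_message)
    return ip is not None and any(ip in net for net in TRUSTED_NETWORKS)


# Constructed sample: forged local From: plus a sender-supplied inner Received:
# line claiming a LAN address; our MTA's own line shows the real external client.
FORGED = (
    "Received: from outside.example.net (outside.example.net [203.0.113.7])\n"
    "\tby mail.example.com with ESMTP; Tue, 24 Feb 2004 06:00:34 -0800\n"
    "Received: from localpc (localpc [192.168.1.5])\n"
    "\tby outside.example.net with ESMTP; Tue, 24 Feb 2004 05:59:00 -0800\n"
    "From: james@example.com\nSubject: test\n\nbody\n"
)
# Constructed sample: a genuine LAN client delivering straight to our MTA.
INTERNAL = (
    "Received: from localpc (localpc [192.168.1.5])\n"
    "\tby mail.example.com with ESMTP; Tue, 24 Feb 2004 06:01:00 -0800\n"
    "From: alice@example.com\nSubject: report\n\nbody\n"
)
```

The result of `is_internal_origin` is what a procmail recipe would branch on before exporting the policy-file variable and calling the sanitizer.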

