[Esd-l] Yves Agostini's script

John D. Hardin jhardin at impsec.org
Wed Feb 25 19:07:47 PST 2004

On Wed, 25 Feb 2004, Smart,Dan wrote:

> What I meant to say was that setting the "MANGLE_EXTENSIONS"
> variable to 'zip', which is what the example Procmail code in
> testzip.pl does is not enough to actually strip or poison the zip
> attachment as I understand the Sanitizer.  The extension also
> needs to be in "poisoned" or "stripped" for something to actually
> happen.  Right?

Right. Changing $MANGLE_EXTENSIONS would cause the attachment to be
mangled, but unless a matching ".zip" filespec were in the poison or
strip list, the email would still be delivered.

Also, changing $MANGLE_EXTENSIONS to just "zip" means that you prevent
the sanitizer from defending against any other non-zip attack
attachment in the same message...

> Seems like this should do the following:
> 1. See if zip contains dangerous executable
> 	a. If yes, mark message as "discard"
> 	b. If no, send it on unaltered
> I don't understand what the "mangle" state is for?

It is possible for the end user to unmangle the attachment and
retrieve it. More detailed questions Yves will have to answer.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
   38 days until the Slovakian Presidential Election
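The distinction John draws above (mangling renames the attachment but still delivers it; only a matching entry in the poison or strip list changes what happens to the message, and narrowing MANGLE_EXTENSIONS to "zip" means every non-zip attachment is never examined) can be seen in a small model. This is an added illustration, not the sanitizer's own code: the three settings are modelled as plain Python lists, the attachment names are constructed, and wildcard filespecs are approximated with fnmatch, which is an assumption about how the real lists are matched.

```python
"""Toy model of the mangle / poison / strip decision discussed in the thread.

Added example, not the sanitizer's code. Assumptions:
  - mangle_extensions: extensions the sanitizer looks at and renames
  - poison_list: filespecs whose match causes the whole message to be held
  - strip_list: filespecs whose match removes the attachment, rest delivered
Filespecs are treated as fnmatch-style wildcards (an approximation).
"""
from fnmatch import fnmatch
from typing import Dict, List, Optional


def _matches(name: str, filespecs: List[str]) -> bool:
    """Case-insensitive wildcard match of an attachment name against a list."""
    return any(fnmatch(name.lower(), spec.lower()) for spec in filespecs)


def classify_message(attachments: List[str],
                     mangle_extensions: List[str],
                     poison_list: List[str],
                     strip_list: List[str]) -> Dict[str, Optional[object]]:
    """Decide what happens to a message carrying the given attachment names.

    Only attachments whose extension appears in mangle_extensions are
    examined at all. Anything else is passed through untouched, which is
    the loss of coverage the thread warns about when the list is cut down
    to a single extension.
    """
    wanted = {e.lower().lstrip(".") for e in mangle_extensions}
    mangled: List[str] = []
    stripped: List[str] = []
    untouched: List[str] = []

    for name in attachments:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in wanted:
            untouched.append(name)          # never looked at; delivered as-is
            continue
        if _matches(name, poison_list):
            # A poisoned attachment stops delivery of the whole message.
            return {"verdict": "discard", "trigger": name,
                    "mangled": mangled, "stripped": stripped,
                    "untouched": untouched}
        if _matches(name, strip_list):
            stripped.append(name)           # attachment removed, mail continues
            continue
        mangled.append(name)                # renamed only; user can unmangle it

    return {"verdict": "deliver", "trigger": None,
            "mangled": mangled, "stripped": stripped,
            "untouched": untouched}


if __name__ == "__main__":
    # Constructed message: one zip and one executable attachment.
    msg = ["report.zip", "setup.exe"]
    # Narrowed list with no poison/strip entry: the zip is only renamed
    # and the exe is not examined at all.
    print(classify_message(msg, ["zip"], [], []))
    # Same narrowed list plus a matching poison filespec: message held,
    # but the exe still went unexamined in any message without a zip.
    print(classify_message(msg, ["zip"], ["*.zip"], []))
    # Broader mangle list with the exe poisoned: the zip is mangled and
    # the exe triggers the discard.
    print(classify_message(msg, ["zip", "exe"], ["*.exe"], []))
```

Running the block shows the three outcomes side by side; the `untouched` list in the first two runs is the gap John points out, and only the third run catches the executable.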
