[Esd-l] NovArg Email Got To Inbox

John D. Hardin jhardin at impsec.org
Tue Jan 27 05:53:40 PST 2004

On Tue, 27 Jan 2004, Mike McCandless wrote:

> I am using the Sanitizer w/ Postfix.  I have included email
> headers from an email that showed up in our inbox.  I have applied
> the NovArg local rules that John posted very recently.  Do I need
> to do something so that these never hit the inbox?

> Content-Disposition: attachment; filename="body.zip"

The sanitizer does not, by default, treat .ZIP attachments as hostile.

I have posted a local rule that detects some of them, I am working on
refining it. Unfortunately it appears that the .ZIP attachments may be
randomly named part of the time, so checking for filenames may not be
long term successful. I will see if the payloads have common strings
that can be keyed against as signatures.

You are, of course, free to add "zip" extensions to your local mangle
and poison lists if you wish. It may be wise to mangle non-whitelist
zip attachments for the next week or so while this runs its course.

 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
   67 days until the Slovakian Presidential Election

More information about the esd-l mailing list