[Esd-l] Mysterious failures

John D. Hardin jhardin at impsec.org
Fri Jan 30 21:18:35 PST 2004


On Fri, 30 Jan 2004, Albert McCann wrote:

> Here is a header from one: (text continues below)
> 
> -------------
> Message-Id: <200401301733.i0UHXGAk030255 at diskless11.axs2000.net>
> Received: (qmail 29026 invoked for bounce); 30 Jan 2004 17:33:17 -0000
> Date: 30 Jan 2004 17:33:17 -0000
> From: MAILER-DAEMON at atl.globix.net
> To: steve at septa.org
> Subject: failure notice
> X-Virus-Pattern-Match: MyDoom/Novarg worm

You might want to make a local rule for that particular header...

> Hi. This is the qmail-send program at atl.globix.net.
> I'm afraid I wasn't able to deliver your message to the following addresses.
> This is a permanent error; I've given up. Sorry it didn't work out.
> 
> <michael at attentionllc.com>:
> 209.195.35.225 does not like recipient.
> Remote host said: 553 <michael at attentionllc.com>... No such user here
> Giving up on 209.195.35.225.
> 
> --- Below this line is a copy of the message.
> 
> Return-Path: <steve at septa.org>
> Received: (qmail 29021 invoked from network); 30 Jan 2004 17:33:15 -0000
> Received: from unknown (HELO septa.org) (208.168.88.94)
>   by mx01.atl.globix.net with SMTP; 30 Jan 2004 17:33:15 -0000

Note that qmail is pasting the original message into the body of the
bounce, NOT attaching it as a MIME attachment. There is no way for the
sanitizer to know that there is another message buried within the
bounce.

> Note the split Content-Type: and Content-Disposition: lines above.

That's because they haven't been sanitized. Wrapped headers are
perfectly legitimate. The sanitizer un-wraps them so they're easier to
deal with internally, and downstream (e.g. if you had procmail rules
after the sanitizer) ... but only if it thinks they're MIME headers
rather than body text.

> That attachment isn't seen by the Sanitizer or local-rules, and
> McAfee is beating me to death with complaints about infected
> messages. ;-)

Yep. Sorry. There's not much I can do if the message is pasted into
the message body rather than being a proper MIME RFC-822 message
attachment.

> On a slightly different topic: I'd like to publicly thank John
> Hardin for the Sanitizer, you have saved me and my employer much
> grief.

You're very welcome.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   64 days until the Slovakian Presidential Election
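The point John makes above (qmail pastes the undeliverable message into the bounce body, so a MIME-aware tool sees one text/plain part and nothing else) can be shown with a short Python script. This is an added example, not code from the Sanitizer or from anyone in this thread. The sample bounce, its addresses, IP addresses, MIME boundary and attachment filename are constructed placeholders modelled on the bounce quoted in the post; the marker line `--- Below this line is a copy of the message.` is the one qmail-send writes and is quoted above, and the `X-Virus-Pattern-Match` header is the one Albert's scanner added. The script shows what the standard `email` parser sees, what a qmail-specific scan for the marker recovers once wrapped (folded) headers are joined back together, and a simple header check of the kind John suggests for a local rule.

```python
"""Added example: what a MIME parser sees in a qmail bounce versus what is buried inside it."""
import email
import re
from email import policy

# qmail-send separates its error text from the pasted copy with this exact line.
QMAIL_COPY_MARKER = "--- Below this line is a copy of the message."

# An RFC 2822 header field name: printable ASCII other than ':' followed by ':'.
HEADER_RE = re.compile(r"^[!-9;-~]+:")

# Constructed sample modelled on the bounce quoted in the thread. Everything
# below is a placeholder (example.net/.org/.com, RFC 5737 addresses, boundary,
# filename) except the qmail marker and the X-Virus-Pattern-Match header.
SAMPLE_BOUNCE = """\
Message-Id: <200401301733.PLACEHOLDER@bounce.example.net>
Received: (qmail 29026 invoked for bounce); 30 Jan 2004 17:33:17 -0000
Date: 30 Jan 2004 17:33:17 -0000
From: MAILER-DAEMON@mx.example.net
To: steve@example.org
Subject: failure notice
X-Virus-Pattern-Match: MyDoom/Novarg worm
Content-Type: text/plain

Hi. This is the qmail-send program at mx.example.net.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

<michael@example.com>:
192.0.2.10 does not like recipient.
Remote host said: 553 <michael@example.com>... No such user here
Giving up on 192.0.2.10.

--- Below this line is a copy of the message.

Return-Path: <steve@example.org>
Received: from unknown (HELO example.org) (192.0.2.20)
  by mx.example.net with SMTP; 30 Jan 2004 17:33:15 -0000
From: steve@example.org
To: michael@example.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed;
  boundary="----=_NextPart_000_0000_PLACEHOLDER"

This is a multi-part message in MIME format.

------=_NextPart_000_0000_PLACEHOLDER
Content-Type: application/octet-stream;
  name="document.scr"
Content-Disposition: attachment;
  filename="document.scr"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAABQTEFDRUhPTERFUg==
------=_NextPart_000_0000_PLACEHOLDER--
"""


def mime_parts(raw):
    """Content types a MIME-aware parser reports: the bounce is a single text/plain part."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [part.get_content_type() for part in msg.walk()]


def flagged_outer_headers(raw, watch=("X-Virus-Pattern-Match",)):
    """The 'local rule' idea: report watched headers present in the bounce's own header block."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {name: str(msg[name]) for name in watch if name in msg}


def unfold_header_block(lines):
    """Join folded header lines: a line starting with whitespace continues the previous field."""
    headers = []
    for line in lines:
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif HEADER_RE.match(line):
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def inline_copy_header_blocks(raw):
    """Every header-looking block after the qmail marker (message headers and each MIME part)."""
    if QMAIL_COPY_MARKER not in raw:
        return []
    pasted_copy = raw.split(QMAIL_COPY_MARKER, 1)[1]
    blocks = []
    for chunk in pasted_copy.split("\n\n"):
        lines = chunk.splitlines()
        # A part's header block is preceded by its boundary line; skip those.
        while lines and lines[0].startswith("--"):
            lines.pop(0)
        if lines and HEADER_RE.match(lines[0]):
            blocks.append(unfold_header_block(lines))
    return blocks


def inline_attachment_filenames(raw):
    """Attachment filenames declared inside the pasted copy, visible only after unfolding."""
    names = []
    for block in inline_copy_header_blocks(raw):
        for name, value in block:
            if name.lower() == "content-disposition":
                match = re.search(r'filename="?([^";]+)"?', value)
                if match:
                    names.append(match.group(1))
    return names


if __name__ == "__main__":
    print("MIME parser sees:", mime_parts(SAMPLE_BOUNCE))
    print("watched headers:", flagged_outer_headers(SAMPLE_BOUNCE))
    print("buried attachments:", inline_attachment_filenames(SAMPLE_BOUNCE))
```

The `email` parser reports only `text/plain`, which is why a sanitizer working on MIME structure never gets to the `Content-Disposition` inside the copy. The marker scan is deliberately qmail-specific: other MTAs either attach the original as `message/rfc822` (where normal MIME handling works) or use their own delimiters, so a heuristic like this has to be written per bounce format and treated as a detection aid, not a substitute for structural parsing.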