[Esa-l] Email Sanitizer hanging

Bjarni Runar Einarsson bre at netverjar.is
Thu Oct 26 03:05:29 PDT 2000


On 2000-10-25, 20:26:36 (-0700) John D. Hardin wrote:
> > and I don't see how my changes might have caused any problem:
> > 
> >   MANGLE_EXTENSIONS=''
> >   #MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil'
> >
> > is my only change from the stock script.
> 
> Ouch. That pretty much completely defangs the sanitizer.
> 
> If your users are complaining about mangled .DOC and .HTML attachment
> filenames, then cut just those out of MANGLE_EXTENSIONS. Nulling the

People resorting to tricks like these really should check out my Anomy
sanitizer (http://mailtools.anomy.net/), as an alternative to John's work.
It allows you to specify exactly which extensions you *need* to receive
unmangled, which you want to virus scan before delivery, and will enforce
a "safe" policy (such as file-name/MIME-type mangling) for any unknowns.

Basically, this means that a properly configured Anomy sanitizer doesn't
have you worrying about new dangerous file types all the time.  Since I
installed it here at work in August I haven't had to make a single change to
the rules I'm using (excluding bug fixes), in spite of all the new exploits
that have appeared since then.

Also, the Anomy sanitizer is designed to be more scalable than John's
sanitizer - it all runs within a single perl process.  It *might* be a bit
more CPU intensive for some messages, but uses no temporary disk space
(unless it invokes a third party virus scanner), involves much fewer forks
and has bounded memory usage.  In short, it's a CPU hog like all perl
programs, but it doesn't abuse any of your other system resources.  CPU is
rarely the bottleneck in modern systems...


The Anomy code is based on John's sanitizer, and includes a port of both his
HTML defanger and the macro scanner.  Additional features include a more
flexible rule-based configuration and support for external virus scanners.
John has expressed interest in merging the two projects, but neither of us
has found time. :-)

-- 
Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
 bre at netverjar.is              -><-             http://bre.klaki.net/
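As an added illustration of the block-list versus default-deny point made in the message above (example code written for this page, not Anomy's or John's sanitizer; the extension sets, the action names and the `.DEFANGED.txt` suffix are constructed assumptions, while the block-list pattern is the one quoted from the thread):

```python
import re

# Constructed policy sets, modelled on the approach described in the message:
# a short list of extensions you need unmangled, a list you want scanned first,
# and a "safe" default (mangling) for everything else.
ALLOW_UNMANGLED = {"txt", "pdf", "jpg", "png"}     # deliver as-is
SCAN_BEFORE_DELIVERY = {"doc", "xls", "zip"}        # hand to a virus scanner first

# The stock block-list pattern quoted in the thread (joined back onto one line).
MANGLE_EXTENSIONS = (
    r"html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|"
    r"vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|"
    r"reg|asd|cil"
)


def blocklist_action(filename, pattern=MANGLE_EXTENSIONS):
    """Block-list policy: mangle only when a listed extension matches.
    Setting the pattern to '' matches nothing, so every attachment passes,
    which is exactly the 'defanged sanitizer' the thread warns about."""
    if pattern and re.search(r"\.(" + pattern + r")$", filename, re.IGNORECASE):
        return "mangle"
    return "pass"


def allowlist_action(filename):
    """Default-deny policy: known-safe extensions pass, known-risky ones are
    scanned, and anything unknown (no extension, a new type, or a double
    extension such as 'photo.jpg.vbs') is mangled."""
    m = re.search(r"\.([A-Za-z0-9]+)$", filename)
    ext = m.group(1).lower() if m else ""   # only the final extension counts
    if ext in ALLOW_UNMANGLED:
        return "pass"
    if ext in SCAN_BEFORE_DELIVERY:
        return "scan"
    return "mangle"


def mangle_filename(filename):
    """Neutralise an attachment name so a mail client will not treat it as
    executable: turn every '.' into '_' and append a constructed safe suffix."""
    return filename.replace(".", "_") + ".DEFANGED.txt"
```

Note that with the block list emptied every name passes, whereas the default-deny policy never needs updating when a new dangerous extension appears.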
