[Esd-l] Weird behavior on some attachments

Mark Wendt wendt at kingcrab.nrl.navy.mil
Thu Dec 20 07:27:01 PST 2001


Eric,

         I should have included the log traces in the last email, so here 
goes.  The first one is being sent from Outlook 2000:

Sanitizing executable UUE attachments from "Doug" <xxx at xxx.xxx.xxx.xxx>
to xxx  msgid=<003d01c188c5$b2ee96c0$1c20fa84 at xxx.xxx.xxx.xxx>
  Mangling executable filename "pass32.exe".
 From xxx at xxx.xxx.xxx.xxx  Wed Dec 19 14:43:59 2001
  Subject:
   Folder: /var/mail/xxx

         This gave me an attachment named pass32.887739DEFANGED-exe

         This one is sent from Outlook 2000:

Sanitizing MIME attachment headers in "test" from "Test" 
<xxxx at xxx.xxx.xxx.xxx>
to wendt   msgid=<MJEDKDCLLPLNLIPHAMPKKEADCAAA.xxx at xxx.xxx.xxx.xxx>
Checking "cfwindem.exe" for stripping.
  Stripped executable "cfwindem.exe".
 From xxx at xxx.xxx.xxx.xxx  Wed Dec 19 15:03:08 2001
  Subject: test
   Folder: /var/mail/xxx

         This resulted in what looked like a stripped executable, but the 
MIME encoded attachment ended up being the body of the email, along with 
the two line message originally sent as the body of the email.

         The last is the same executable sent from Eudora:

Sanitizing MIME attachment headers from xxx <xxx at xxx.xxx.xxx.xxx> to 
xxx   msgid=<5.1.0.14.2.20011220102212.00ad6888 at xxx.xxx.xxx.xxx>
Checking "cfwindem.exe" for stripping.
  Stripped executable "cfwindem.exe".
 From xxx at xxx.xxx.xxx.xxx  Thu Dec 20 10:22:42 2001
  Subject:
   Folder: /var/mail/xxx

         This time the executable was stripped clean, and the body of the 
email was intact, with a message included saying the message was stripped.

Mark


At 09:47 AM 12/20/2001 -0500, you wrote:
>Hello,
>
> > >I just want to strip the attachment completely off, leaving the body of the
> > >email intact.
> >
> > I am ready to be flamed for this, but if memory serves me, John has
> > implemented stripping only as a by-product of his local.procmail handling
> > code, and only in the most recent version of the sanitizer (which I'm not
> > using yet, naughty me...)
>
>Right.. the latest version does support stripping attachments.  It actually
>works exactly like the system for poisoning an attachment.  As long as the
>extension is listed in the MANGLE_EXTENSIONS list, you can add that extension
>to the file you defined with STRIPPED_EXECUTABLES and it will strip the file
>out of the email.
>
>For example, we strip 'exe' extensions at our location.  So, I verified that
>'exe' was one of the extensions being defanged (meaning it was in the
>MANGLE_EXTENSIONS).  I then edited my /etc/procmailrc, and added the line:
>
>STRIPPED_EXECUTABLES=/etc/procmail/stripped
>
>and then I just added *.exe to /etc/procmail/stripped.
>
>That will strip all exe extensions.  Since you wish to strip all attachments,
>just go right down the MANGLE_EXTENSIONS list and add em all to the stripped file:
>
>*.exe
>*.com
>*.cmd
>*.bar
>*.pif
>*.sc[rt]
>
>etc etc.
>
>Good luck!
>   -Eric
>
>--
>Eric Andreychek
>Residential Warranty Corporation
>(717) 561-4480 x2245
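As an added example (not code from the thread or from the sanitizer itself), here is a small Python parser for traces in the format quoted above. It joins each message's trace into one record and reports which attachments were mangled, which matched the STRIPPED_EXECUTABLES file ("Checking ... for stripping") and which were actually reported stripped, so a mismatch between the last two stands out in review. The sample log is constructed; the addresses, folders and the second msgid are made up.

```python
import re

# Constructed sample log in the shape of the sanitizer traces quoted above
# (addresses, folders and the second msgid are made up).
SAMPLE_LOG = """\
Sanitizing executable UUE attachments from "Doug" <doug at example.invalid>
to bob  msgid=<003d01c188c5$b2ee96c0$1c20fa84 at example.invalid>
  Mangling executable filename "pass32.exe".
 From doug at example.invalid  Wed Dec 19 14:43:59 2001
  Subject:
   Folder: /var/mail/bob
Sanitizing MIME attachment headers in "test" from "Test" <test at example.invalid>
to wendt   msgid=<MJEDKDCLLPLNLIPHAMPKKEADCAAA.test at example.invalid>
Checking "cfwindem.exe" for stripping.
  Stripped executable "cfwindem.exe".
 From test at example.invalid  Wed Dec 19 15:03:08 2001
  Subject: test
   Folder: /var/mail/wendt
"""

# One regex per sanitizer message we care about; the trace for a single mail
# is joined into one line first, so wrapped "from ... to ... msgid" lines are fine.
PATTERNS = {
    "msgid": re.compile(r"msgid=<([^>]+)>"),
    "folder": re.compile(r"Folder: (\S+)"),
    "subject": re.compile(r"Subject:(.*?)\s*Folder:"),
    "mangled": re.compile(r'Mangling executable filename "([^"]+)"'),   # renamed, kept
    "checked": re.compile(r'Checking "([^"]+)" for stripping'),         # in stripped file
    "stripped": re.compile(r'Stripped executable "([^"]+)"'),           # removed
}

def parse_trace(joined):
    """Turn one joined trace into a dict of scalar fields and filename lists."""
    ev = {k: p.findall(joined) for k, p in PATTERNS.items()}
    for k in ("msgid", "folder", "subject"):
        ev[k] = ev[k][0].strip() if ev[k] else ""
    # A file the sanitizer examined but never reported stripping is worth a look.
    ev["checked_not_stripped"] = [f for f in ev["checked"] if f not in ev["stripped"]]
    return ev

def parse_sanitizer_log(text):
    """Split the log at each 'Folder:' line (the last line of a trace) and parse."""
    events, block = [], []
    for line in text.splitlines():
        block.append(line.strip())
        if line.lstrip().startswith("Folder:"):
            events.append(parse_trace(" ".join(block)))
            block = []
    return events
```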


