[Esd-l] 1.133 "procmail: Failed to execute" and "procmail: Program failure (69) of" errors

Huba Leidenfrost huba at uidaho.edu
Sat Jan 19 23:18:00 PST 2002


Once again since some people probably had that message blocked due to me
leaving the MIME headers in the body of the last message:

I am testing our 1.133 planned upgrade prior to deploying it and need help
from another pair of eyes.  I'm seeing a couple of errors when sending a
simple test with a vbs attachment named me.vbs (simply a text file named
me.vbs).  This is a stock install with the only mods being to the config
file in order to quarantine to a directory and log to a central spot.  At
bottom is the procmailrc if it is useful.  Like

The two error messages I'm getting are:

[1] procmail: Failed to execute "From huba at uidaho.edu  Sat Jan 19 22:35:28 2002
[2] procmail: Program failure (69) of " perl -p -e '        #\

This is right out of $LOGFILE:

procmail: [13821] Sat Jan 19 22:35:28 2002
procmail: Match on ! "[^ ]"
procmail: Score:       0       0
"\<(html|title|body|meta|app|script|object|embed|i?frame|style|img|bgsound|layer|link)"
procmail: Score:       0       0
?[       ]*["'](&{|([a-z]+script|mocha):)"
procmail: No match on ! "[^ ]"
procmail: No match on "^begin[  ]+([0-9]+)?[    ]+[^    ]+"
procmail: Match on ! "^X-Content-Security: \[hawk\] (QUARANTINE|DISCARD)"
procmail: Score: 2147483647 2147483647
^Content-Type[  ]*:.*(application|multipart)/[^ ]*;"
procmail: Assigning "LOG=Sanitizing MIME attachment headers in "me.vbs" from "Huba Leidenfrost" <huba at uidaho.edu> to unxtest9   msgid=<DBEJJCJBGAJIEKMBEDJGMEPNCAAA.huba at uidaho.edu>
"
Sanitizing MIME attachment headers in "me.vbs" from "Huba Leidenfrost" <huba at uidaho.edu> to unxtest9   msgid=<DBEJJCJBGAJIEKMBEDJGMEPNCAAA.huba at uidaho.edu>
procmail: Assigning "LOGFILE=/var/adm/syslog/sanitizer.log"
procmail: Opening "/var/adm/syslog/sanitizer.log"
procmail: Assigning "POISONED_SCORE=150"
procmail: Executing " perl -p -e '      #\
[....]
    ' 2>> $LOGFILE"
procmail: Failed to execute "From huba at uidaho.edu  Sat Jan 19 22:35:28 2002
Return-Path: <huba at uidaho.edu>
Received: from bouake (securityby.obscurity.uidaho.edu [129.101.7.7])
        by hawk.csrv.uidaho.edu (GOVANDALS! (GO!GO!GO!)/) with SMTP id
WAA13819
        for <unxtest9 at uidaho.edu>; Sat, 19 Jan 2002 22:35:26 -0800 (PST)
From: "Huba Leidenfrost" <huba at uidaho.edu>
To: <unxtest9 at uidaho.edu>
Subject: me.vbs
Date: Sat, 19 Jan 2002 22:35:33 -0800
Message-ID: <DBEJJCJBGAJIEKMBEDJGMEPNCAAA.huba at uidaho.edu>
MIME-Version: 1.0

[....MIME foo taken out so this doesn't get blocked by your sanitizer]

procmail: Program failure (69) of " perl -p -e '        #\
      $pastmsghdr = 1 if /^\s*$/;       #\
      $XCS = "X-Content-Security: [" . $ENV{"HOST"} . "]" unless $XCS;  #\
      if ($pastmsghdr) {        #\
        if (!$mimebdry && $mimebdrs[0]) {       #\
          warn " Found no MIME boundary.\n" if $ENV{"DEBUG"};   #\
          $mimebdry = pop @mimebdrs;    #\
          $newbdry = pop @newbdrs;      #\
          $rawbdry = pop @rawbdrs;      #\
          $bdrytoolong = pop @bdrstoolong;      #\
          $gotbdry = pop @gotbdrs;      #\
          $nullbdry = pop @nullbdrs;    #\
        }       #\
        $_ = "" if $strip_attachment && !$gotbdry;      #\
      } else {  #\
        if (($type,$format,$junk) = /^Content-Type\s*:\s.*(application|multipart|message)\/(\S+)(;.*)?$/i) {    #\
          $wanthdr = 1; #\
          print "X-Security: MIME headers sanitized on ", $ENV{"HOST"}, "\n";   #\
          print "\tSee http://www.impsec.org/email-tools/sanitizer-intro.html\n";       #\
          print "\tfor details. \$Revision: 1.4 $x\$Date: 2002/01/10 17:18:51 $x\n";    #\
          print "X-Security: The postmaster has not enabled quarantine of poisoned messages.\n" unless $ENV{"SECURITY_QUARANTINE"};  #\
          if ($type =~ /application/i) {        #\
            $inmimehdr = 1;     #\
          } elsif ($type =~ /message/i && $format =~ /rfc822/i) {       #\
            $rcrsmsg = $inmimehdr = 1;  #\
          }     #\
        } elsif (/^\S/) {       #\
          $wanthdr = 0; #\

[....so this isn't too long to read]

      } #\
    ' 2>> $LOGFILE"
procmail: Rescue of unfiltered data succeeded
procmail: No match on "^X-Content-Security: \[hawk\] (NOTIFY|QUARANTINE|DISCARD)"
procmail: Assigning "POISONED_EXECUTABLES="
procmail: Assigning "POISONED_SCORE="
procmail: Assigning "SCORE_HISTORY="
procmail: Assigning "SECURITY_QUARANTINE="
procmail: Assigning "SECURITY_NOTIFY="
procmail: Assigning "SECURITY_NOTIFY_SENDER_POSTMASTER="
procmail: Assigning "SECRET="
procmail: Assigning "LOGFILE="
procmail: Assigning "LASTFOLDER=/dev/null"
procmail: Opening "/dev/null"

#Here's my procmailrc:

# $Id: procmailrc,v 1.5 2002/01/11 01:48:24 huba Exp $
PATH="/usr/bin:$PATH:/usr/local/bin"
SHELL=/bin/sh
##########################################################################################################
# Homepage for this sanitizer program:
#
#       http://www.impsec.org/email-tools/procmail-security.html
#
# NOTE: any value at all will enable the function that the variable controls.
# In particular, this means that setting the variable to "NO" will not disable
# the function. If you wish to disable the function, set the variable explicitly
# to nothing like so:
#
# DEBUG_VERBOSE=""
#
#     or
#
# DEBUG_VERBOSE=
##########################################################################################################
# list of extensions to mangle
#       This is the default listed here just so you don't have to grep it from the filter file.
#       Typically you would not modify this here.  Remember any
#
MANGLE_EXTENSIONS='html?|exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wm[szd]|vcf|nws|\{[-0-9a-f]+\}'
##########################################################################################################
# prevent html, doc, xls, vcf attachment mangling for UI-->UI e-mail
#       Let's give this a whirl this version and see how it works out; should cut down on complaints
#       the Help Desk will see
:0
* ^From:.*<[a-z0-9]+ at uidaho.edu>
* ^To:.*<[a-z0-9]+ at uidaho.edu>
{

MANGLE_EXTENSIONS='exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|dot|xl[wt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abew]|ms[ip]|reg|asd|cil|pps|asx|wm[szd]|nws|\{[-0-9a-f]+\}'
}
#####################################
# Name of policy file containing filespecs of files to poison
POISONED_EXECUTABLES="/etc/procmail/poisoned-files"
# name of policy file with filespecs to strip
#STRIPPED_EXECUTABLES=
# Disable scanning of Microsoft Office file attachments for dangerous macros
#DISABLE_MACRO_CHECK=
# Macro scanner score at which to consider the attachment poisoned
POISONED_SCORE=150
# Where to log macro scanner scores
SCORE_HISTORY="/var/adm/syslog/macro-scanner-scores.log"
# If you would like to see how the scanner calculated the macro score
#SCORE_DETAILS=
# Only scan for scoring, do not poison based on score; not recommended
#SCORE_ONLY=
# Where to save poisoned messages
#               (was /dev/null in previous version)
#       File or directory must exist
#       Create /var/ick dir and make it 733 owned by root:root for individual files
#       Create /var/ick file and make it 622 owned by root:root for one mailbox to hold quarantines
#       We went with the local dir so that it would be easier to have an anti-virus program later on
#       Until then I will write a program to MRTG how many attachments we are sanitizing an hour for
#       "MasterBlaster" aka. "slap-happy-MRTG-chappy" aka. "Tivo Rulz" aka. "Gnatbox Prognosticator"
SECURITY_QUARANTINE="/var/ick"
# If quarantine of a message fails, don't bounce it.
#SECURITY_QUARANTINE_OPTIONAL=
# Who to notify if an attack is detected
#       Eventually set this to nobody because the quarantine file/dir will be where we will grab stats for MRTG on
#       the number of poisoned files quarantined
SECURITY_NOTIFY=huba
# Who to notify if an attack is detected but with entire attachment included
#       NOTE: that this is a lot of messages and will fill up your inbox FAST
#       CAUTION: Flip side is you can capture wild animals for your own little private virus zoo.
#SECURITY_NOTIFY_VERBOSE=
# Should the sender of the attack message be notified?
# Could set it to contents of a file like for instance /etc/procmail/notify.txt
# Currently it sends a brief message see body of sanitizer for what it is.
SECURITY_NOTIFY_SENDER=YES
# Should the postmaster of the sender's domain be notified?
#       Previously this was off; we'll try and see if this is worthwhile.
#SECURITY_NOTIFY_SENDER_POSTMASTER=
# Should the intended recipient of the attack message be notified?
#       Not fully tested yet so don't use as of yet
#SECURITY_NOTIFY_RECIPIENT=
# Strip MS-TNEF attachments completely
#SECURITY_STRIP_MSTNEF=
# Text to include when attachments (except MS-TNEF) are stripped
#       See default already coded into the sanitizer.
#STRIPPED_WARNING=
# Text to include when attachments are poisoned
#       See default already coded into the sanitizer.
#POISONED_WARNING=
# Text to include when MS-TNEF attachments are stripped
#       See default already coded into the sanitizer.
#TNEF_WARNING=
# Defang signed messages
#SECURITY_DEFANG_SIGNED=
# Trust HTML code in messages
#SECURITY_TRUST_HTML=
# Disable inline images and sounds
#       This is a new thing.  Let's see how well it works.
#       NOTE: This should strip webbugs from everything but Office documents.
DEFANG_WEBBUGS=YES
#####################################
# allow <IMAGE> and <BGSOUND> tags for UI-->UI email
#       Let's try this since we are more concerned with the ad-trackers who do this from outside our domain
:0
* ^From:.*@uidaho.edu>
* ^To:.*@uidaho.edu>
{
    DEFANG_WEBBUGS=
}
#####################################
# Disable style tag defanging
#SECURITY_TRUST_STYLE_TAGS=
#####################################
# Allow <STYLE> tags for UI-->UI email
:0
* ^From:.*@uidaho.edu>
* ^To:.*@uidaho.edu>
{
    SECURITY_TRUST_STYLE_TAGS=YES
}
#####################################
# Don't notify on Excessively Long subjects
#SECURITY_NONOTIFY_LONGSUBJECT=
# A short (20 characters or so) string chosen at random
#       NOTE: Change occasionally; only used for a check against people trying to fake messages that will
#       get by the sanitizer.  Keep around 20 characters give or take a few.
SECRET="Residential campus of choice"
# Where to save the sanitizer log messages
#       NOTE: was $HOME/procmail.log
#       NOTE: to use this logfile has to exist and be created root:root with 622 perms
#       NOTE: that is rw--w--w- for you non-octal folks
LOGFILE="/var/adm/syslog/sanitizer.log"
# Enable output of some debugging information from the sanitizer
#DEBUG=YES
# Turn on verbose debugging of the sanitizer
DEBUG_VERBOSE=YES
# Change the embedded "poisoned attachment" warning text
#       NOTE: see sanitizer code for default verbiage
#       NOTE: see sanitizer docs for proper syntax if adding a multiline warning here
#POISONED_WARNING=
# Change the embedded warning text for stripped MS-TNEF attachments
#       NOTE: see sanitizer code for default verbiage
#TNEF_WARNING=
# The sanitizer should drop privileges before scanning the message so message is scanned as user
DROPPRIVS=YES
#####################################
# Finished setting up, now run the sanitizer...
INCLUDERC="/etc/procmail/html-trap.procmail"
# Reset some things to avoid leaking info to
# the users...
# Basically everything that had a value above should be reset to NULL
POISONED_EXECUTABLES=
POISONED_SCORE=
SCORE_HISTORY=
SECURITY_QUARANTINE=
SECURITY_NOTIFY=
SECURITY_NOTIFY_SENDER_POSTMASTER=
SECRET=
LOGFILE=
DROPPRIVS=
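An added example, not part of the post above and not the sanitizer's or procmail's own code: a small Python parser for the verbose procmail $LOGFILE format quoted in the post. It pulls out the variable assignments, the program procmail reported a "Program failure" for together with its exit status, what procmail said it "Failed to execute", and whether procmail then "rescued" the unfiltered data. That last combination is the one a postmaster most wants to notice: it means the filter died and the message carried on down the rc file unsanitized. The sample log embedded in the block is constructed by condensing the $LOGFILE excerpt from the post; the sysexits.h names are attached only as a hint, since a program's exit status need not follow that convention.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, condensed from the $LOGFILE excerpt quoted in the post;
# the bodies of the quoted perl program and the message are elided with [....].
SAMPLE_LOG = """\
procmail: [13821] Sat Jan 19 22:35:28 2002
procmail: Match on ! "[^ ]"
procmail: No match on "^begin[  ]+([0-9]+)?[    ]+[^    ]+"
procmail: Match on ! "^X-Content-Security: \\[hawk\\] (QUARANTINE|DISCARD)"
procmail: Assigning "LOGFILE=/var/adm/syslog/sanitizer.log"
procmail: Opening "/var/adm/syslog/sanitizer.log"
procmail: Assigning "POISONED_SCORE=150"
procmail: Executing " perl -p -e '      #\\
[....]
    ' 2>> $LOGFILE"
procmail: Failed to execute "From huba at uidaho.edu  Sat Jan 19 22:35:28 2002
Return-Path: <huba at uidaho.edu>
Subject: me.vbs
procmail: Program failure (69) of " perl -p -e '        #\\
[....]
    ' 2>> $LOGFILE"
procmail: Rescue of unfiltered data succeeded
procmail: No match on "^X-Content-Security: \\[hawk\\] (NOTIFY|QUARANTINE|DISCARD)"
procmail: Assigning "LOGFILE="
"""

PREFIX = "procmail: "

# Each verbose-log line kind we care about; anything else becomes "other".
PATTERNS = [
    ("match",       re.compile(r'^(?P<no>No )?[Mm]atch on (?P<neg>! )?"(?P<cond>.*)"$')),
    ("assign",      re.compile(r'^Assigning "(?P<name>[A-Za-z_]\w*)=(?P<value>.*)$')),
    ("exec",        re.compile(r'^Executing "(?P<cmd>.*)$')),
    ("failed_exec", re.compile(r'^Failed to execute "(?P<what>.*)$')),
    ("failure",     re.compile(r'^Program failure \((?P<status>\d+)\) of "(?P<cmd>.*)$')),
    ("rescue",      re.compile(r'^Rescue of unfiltered data (?P<result>succeeded|failed)$')),
]

# Standard sysexits.h names; only a hint, a program may exit 69 for any reason.
SYSEXITS = {64: "EX_USAGE", 65: "EX_DATAERR", 66: "EX_NOINPUT", 67: "EX_NOUSER",
            68: "EX_NOHOST", 69: "EX_UNAVAILABLE", 70: "EX_SOFTWARE", 71: "EX_OSERR",
            72: "EX_OSFILE", 73: "EX_CANTCREAT", 74: "EX_IOERR", 75: "EX_TEMPFAIL",
            76: "EX_PROTOCOL", 77: "EX_NOPERM", 78: "EX_CONFIG"}


@dataclass
class Event:
    kind: str                                  # one of the PATTERNS names or "other"
    text: str                                  # the line after "procmail: "
    groups: Dict[str, str] = field(default_factory=dict)
    continuation: List[str] = field(default_factory=list)  # quoted program/message text spilling over


def parse_procmail_log(text: str) -> List[Event]:
    """Split a verbose procmail log into events; lines without the prefix
    belong to the multi-line quoted value of the preceding event."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.startswith(PREFIX):
            if events:
                events[-1].continuation.append(line)
            continue
        body = line[len(PREFIX):]
        for kind, pat in PATTERNS:
            m = pat.match(body)
            if m:
                events.append(Event(kind, body, m.groupdict()))
                break
        else:
            events.append(Event("other", body))
    return events


def summarize(events: List[Event]) -> dict:
    """Reduce the event stream to what a postmaster needs when a filter dies."""
    assignments: Dict[str, str] = {}
    failures: List[dict] = []
    failed_exec: Optional[str] = None
    rescued: Optional[bool] = None
    for ev in events:
        if ev.kind == "assign":
            v = ev.groups["value"]
            # the closing quote sits on this line for single-line values only
            assignments[ev.groups["name"]] = v[:-1] if v.endswith('"') else v
        elif ev.kind == "failed_exec":
            failed_exec = ev.groups["what"]
        elif ev.kind == "failure":
            status = int(ev.groups["status"])
            failures.append({"status": status,
                             "sysexit": SYSEXITS.get(status),
                             "command": ev.groups["cmd"].strip()})
        elif ev.kind == "rescue":
            rescued = ev.groups["result"] == "succeeded"
    return {
        "assignments": assignments,
        "failed_exec": failed_exec,
        "failures": failures,
        "rescued": rescued,
        # A filter that died and whose input procmail then restored means the
        # message continued down the rc file unfiltered: a fail-open condition.
        "fail_open": bool(failures) and rescued is True,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_procmail_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it as a script to print the summary for the embedded sample, or feed it a real log with parse_procmail_log(open(path).read()). Treating every line that lacks the "procmail: " prefix as a continuation of the previous event is what keeps the quoted perl program and the quoted message body from being mistaken for log records.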


