[Esd-l] Html-trap and received mail from yahoo.com

Frank Hahn buckeye+htmltrap at machlink.com
Fri May 17 05:03:01 PDT 2002


Hello:

I have the following:

html-trap.procmail version 1.128
procmail version 3.15
Sparc 20 running Solaris 2.6

I have started using a script called fetchyahoo.pl which I found at
http://www.freshmeat.net to grab email from my yahoo.com account.  I
believe the email is being run through the sanitizer but for some
reason, it is not seeing programs that are included in this email.

For example, late last night, I received this (just the headers and a
little more):

>From "tdre"_<tdre at alsrn.o> Thu May 16 23:25:23 2002
X-Apparently-To: fhahn at yahoo.com via web13508.mail.yahoo.com; 16 May
2002 20:48:11 -0700 (PDT)
Return-Path: <mrshekar at earthlink.net>
Received: from hawk.mail.pas.earthlink.net (207.217.120.22)
  by mta465.mail.yahoo.com with SMTP; 16 May 2002 20:48:10 -0700 (PDT)
Received: from user-0c8h15n.cable.mindspring.com ([24.136.132.183]
helo=Wfll)
        by hawk.mail.pas.earthlink.net with smtp (Exim 3.33 #2)
        id 178Yit-0001qK-00
        for fhahn at yahoo.com; Thu, 16 May 2002 20:48:07 -0700
From: "tdre" <tdre at alsrn.o>
To: fhahn at yahoo.com
Subject: So cool a flash,enjoy it
MIME-Version: 1.0
Content-Type:
multipart/mixed;Boundary="arbitrary_string_WheeeThu_May_16_23:25:20_2002"
Message-Id: <E178Yit-0001qK-00 at hawk.mail.pas.earthlink.net>
Date: Thu, 16 May 2002 20:48:07 -0700
Status: RO
Content-Length: 143428
Lines: 2545

This is a multi-part message in MIME format...

--arbitrary_string_WheeeThu_May_16_23:25:20_2002
Content-Type: text/html; name="file.html"
Content-Disposition: attachment; filename="file.html"
Content-Transfer-Encoding: binary
<HTML><HEAD></HEAD><BODY>
<DEFANGED_iframe src=cid:L1B31MD7Eg height=0 width=0>
</iframe>
<FONT></FONT></BODY></HTML>

--arbitrary_string_WheeeThu_May_16_23:25:20_2002
Content-Type: application/octet-stream; name="align.exe"
Content-Disposition: attachment; filename="align.exe"
Content-Transfer-Encoding: base64


------------------------------

In my poison file, I have "*.exe" and it was not quarantined.  I also
have "*.scr" and received an email a few days previous to this from
yahoo.com and it was not quarantined either.

This is what I have in my .procmailrc file:

#
# Settings for html-trap.procmail
# 
DROPPRIVS=YES
POISONED_EXECUTABLES=$MAILDIR/poisoned
SECURITY_NOTIFY="dfh"
SECURITY_NOTIFY_VERBOSE="dfh"
SECURITY_QUARANTINE=$MAILDIR/security
POISONED_SCORE=25
SCORE_HISTORY=$MAILDIR/macro-scanner-scores
# Finished setting up, now run the sanitizer...
INCLUDERC=$MAILDIR/html-trap.procmail
# Reset some things to avoid leaking info to
# the users...
POISONED_EXECUTABLES=
SECURITY_NOTIFY=
SECURITY_NOTIFY_VERBOSE=
SECURITY_QUARANTINE=

Thanks.

-- 
Frank Hahn

Every improvement in communication makes the bore more terrible.
		-- Frank Moore Colby
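
As an added example (not code from the poster or from the sanitizer project), the following Python walks a constructed message shaped like the one quoted above and reports any attachment name matching the poster's poison patterns. It checks both the Content-Disposition filename and the Content-Type name parameter, because a filter that consults only one of them can miss a part whose two names disagree.

```python
import fnmatch
from email import message_from_string

# Constructed sample mirroring the quoted message (executable body replaced).
SAMPLE_MAIL = """\
From: "tdre" <tdre@alsrn.o>
To: fhahn@yahoo.com
Content-Type:
 multipart/mixed; boundary="arbitrary_string_Wheee"

--arbitrary_string_Wheee
Content-Type: text/html; name="file.html"
Content-Disposition: attachment; filename="file.html"

<HTML><BODY>placeholder</BODY></HTML>

--arbitrary_string_Wheee
Content-Type: application/octet-stream; name="align.exe"
Content-Disposition: attachment; filename="align.exe"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--arbitrary_string_Wheee--
"""

# Patterns the poster says are in the poison file (shell-style globs).
POISON_PATTERNS = ["*.exe", "*.scr"]


def attachment_names(part):
    # Collect every filename a part advertises: the Content-Disposition
    # filename and the Content-Type name parameter. Checking only one of
    # them lets a mismatch between the two slip past the filter.
    names = set()
    for name in (part.get_filename(), part.get_param("name")):
        if isinstance(name, str) and name:
            names.add(name.lower())
    return names


def poisoned_attachments(raw_mail, patterns=POISON_PATTERNS):
    # Return the attachment names in raw_mail that match a poison pattern.
    msg = message_from_string(raw_mail)
    hits = set()
    for part in msg.walk():
        if part.is_multipart():
            continue
        for name in attachment_names(part):
            if any(fnmatch.fnmatch(name, p.lower()) for p in patterns):
                hits.add(name)
    return sorted(hits)
```

Running `poisoned_attachments(SAMPLE_MAIL)` on the sample returns `['align.exe']`; the folded Content-Type header is handled by the standard library parser.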


