[Esd-l] Attachment of application.pif was not stripped

Mike McCandless michael at prismbiz.com
Sat Aug 23 06:54:38 PDT 2003


I am running the email sanitizer, v1.138, on RH7.2, and most happy with the
results.  We take a rather aggressive approach to inbound attachments, and
strip most attachment types - nothing is quarantined.  One of the attachment
types we strip is .pif files.  However, this morning one of our users
reported that Norton had detected an attachment of application.pif and
Norton indicated it was the Sobig virus.  We quarantined it through Norton
and life is back to normal.

However, I'm confused about why the application.pif was not stripped by the
Sanitizer.  The user in question got plenty of other .pif attachments, which
were successfully stripped by the Sanitizer.  Any ideas?  Supporting config
information below.

Our procmailrc file says [snipped]:

STRIPPED_EXECUTABLES=/etc/procmail/stripped-specs
SECRET="secret-key-removed"
DISABLE_MACRO_CHECK=
SECURITY_STRIP_MSTNEF=YES
DEFANG_WEBBUGS=YES
SECURITY_NONOTIFY_LONGSUBJECT=YES
SECURITY_POISON_WINEXE=YES

MANGLE_EXTENSIONS="exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|ms[ip]|reg|asd|cil|pps|as[xf]|wm[aszd]|inf|js|nws|vb|mid|midi|mp3"

DROPPRIVS=yes
LOGFILE=$HOME/Procmail/log

INCLUDERC=/etc/procmail/html-trap.procmail

The contents of /etc/procmail/stripped-specs include *.pif

-----------------------------------------------------------------
Mike McCandless
michael at prismbiz.com
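One way to check which attachment names the posted MANGLE_EXTENSIONS list actually covers, as an added example that is not part of the post and is not the Sanitizer's own matching code: the list is compiled into an anchored regex and run over a few constructed filenames, once exactly as written (case-sensitive, no normalization) and once after trimming the quotes, whitespace and CR/LF that a Content-Disposition header may wrap around the bare name. The function names, the sample filenames and the assumption that the extensions are matched as a `.ext$` suffix regex are this example's own.

```python
import re
from typing import Dict, Iterable

# The MANGLE_EXTENSIONS value from the post, with the mail line-wrap joined.
MANGLE_EXTENSIONS = (
    "exe|com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|vb[se]?|hta|p[lm]|"
    "sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|ms[ip]|reg|asd|cil|pps|as[xf]|"
    "wm[aszd]|inf|js|nws|vb|mid|midi|mp3"
)


def build_matcher(alternatives: str, ignore_case: bool) -> "re.Pattern[str]":
    """Model of extension matching (an assumption, not the Sanitizer's code):
    the filename must END in '.' followed by one of the alternatives, so
    'notes.pif.txt' is not caught by a substring hit on 'pif'."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(r"\.(?:" + alternatives + r")$", flags)


STRICT = build_matcher(MANGLE_EXTENSIONS, ignore_case=False)
LENIENT = build_matcher(MANGLE_EXTENSIONS, ignore_case=True)


def normalize_filename(name: str) -> str:
    """Drop surrounding quotes, blanks and CR/LF around the bare filename."""
    return name.strip().strip('"').strip()


def is_blocked(name: str, normalize: bool = True) -> bool:
    """True if the filename's extension is on the list.

    normalize=False applies the regex to the raw header value, case-sensitively;
    normalize=True trims it first and ignores case."""
    if normalize:
        return LENIENT.search(normalize_filename(name)) is not None
    return STRICT.search(name) is not None


def audit(names: Iterable[str]) -> Dict[str, Dict[str, bool]]:
    """Compare raw and normalized matching for each filename."""
    return {
        n: {"strict": is_blocked(n, normalize=False),
            "normalized": is_blocked(n, normalize=True)}
        for n in names
    }


# Constructed sample filenames, not taken from any real message.
SAMPLES = [
    "application.pif",        # plain case: on the list
    "APPLICATION.PIF",        # upper case
    '"application.pif"\r\n',  # quoted, with header line ending attached
    "notes.pif.txt",          # .pif is not the final extension
    "quarterly.pdf",          # not on the list
    "clip.wmv",               # wm[aszd] does not include 'v'
]

if __name__ == "__main__":
    for name, result in audit(SAMPLES).items():
        print(f"{name!r:28} strict={result['strict']!s:5} "
              f"normalized={result['normalized']}")
```

The strict column is what a literal `.ext$` regex sees; the normalized column shows how far case and header decoration alone can move a filename in or out of the list, which is the first thing worth ruling out when a listed extension slips through.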
