Hi,
I hope I hit the right list with my request. I'm trying to set up a filter for postfix to filter malicious stuff like all Windows executables. For MIME encoded headers I had no problem, this works fine. But if the header is uuencode, the attachment is only visible in the e-mail's body. I tried a regexp like /.*\.(bat|exe|cmd|vbs|vba)/ REJECT in /etc/postfix/body_checks which should filter all *.bat|and so on. But nothing at all happens. Mails go through as if there wasn't an obstacle.
try that one: /^(.*)name\=\"(.*)\.(com|pif|vbs|vbe|exe|bat|cmd)\"$/ REJECT
copy-pasted it, tried it, failed. Since all suggestions I received during the last 24 hours work in various postfix systems (mine excluded), I guess there's something else wrong. This is my testmail (UUENCODE):
From testuser@belfin.ch Fri Oct 5 12:37:56 2001
X-UIDL: XLN"!D7/"!_e\!!P]I!!
Return-Path: <testuser@belfin.ch>
Delivered-To: testuser@belfin.reinach
Received: from client01 (unknown [10.0.0.182])
	by mx.belfin.reinach (Postfix) with SMTP id B8F5B9FE32
	for <testuser@belfin.reinach>; Fri, 5 Oct 2001 12:37:55 +0200 (CEST)
From: "testuser" <testuser@belfin.ch>
To: <testuser@belfin.reinach>
Subject: WG: test
Date: Fri, 5 Oct 2001 12:14:06 +0200
Message-ID: <000001c14d86$779d52c0$b600000a@belfin.reinach>
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2910.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Status: U

-----Ursprungliche Nachricht-----
Von: testuser [mailto:testuser@belfin.ch]
Gesendet: Freitag, 5. Oktober 2001 12:12
An: testuser@belfin.reinach
Betreff: test

begin 666 AUTOEXEC.BAT
`
end

This is my bodychecks (1 active rule):

/^(.*)name\=\"(.*)\.(com|pif|vbs|vbe|exe|bat|cmd)\"$/ REJECT
#/name=\"(.*)\.(shm|hta|pif|com|vbs|vbe|js|jse|bat|cmd|vxd|scr|exe)\"$/ REJECT
#/(filename|name)=".*\.(asd|chm|dll|hlp|hta|js|ocx|pif)"/ REJECT
#/(filename|name)=".*\.(scr|shb|shs|vb|vbe|vbs|wsf|wsh)"/ REJECT
#/(filename|name)="(Happy99|Navidad|prettypark)\.exe"/ REJECT
#/(filename|name)="(pretty park|zipped_files|flcss)\.exe"/ REJECT
#/(filename|name)="(Msinit|wininit|msi216)\.exe"/ REJECT
#/(filename|name)="(Avp_updates|Qi_test|Anti_cih)\.exe"/ REJECT
#/(filename|name)="(Emanuel|kmbfejkm|NakedWife)\.exe"/ REJECT
#/(filename|name)="(Seicho_no_ie|JAMGCJJA|Sulfnbk)\.exe"/ REJECT
#/filename=\".*\.(doc|xls)\.pif\"/ REJECT
#/filename=\".*\.bat"/ REJECT

Proof that postfix reads the /etc/postfix/bodychecks (provoked error):

Oct 5 12:36:11 mx postfix/cleanup[9427]: warning: /etc/postfix/bodychecks, line 13: no closing regexp delimiter: 3

What's wrong with it?

Philipp
add more if you want...
-- intraDAT AG http://www.intradat.com Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0 D - 60329 Frankfurt am Main Fax: +49 69-25629-256
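
An added example, not code from any poster in this thread: a Python emulation that runs the rule suggested above over the body of the quoted test mail, next to a rule aimed at the uuencode header line. `UU_RULE`, the MIME sample and `notes.txt` are constructed for illustration, and the matching model (one body line at a time, case-insensitive, first match wins) is an assumption of the emulation.

```python
import re

# Rule suggested in the thread: targets a MIME name="..." parameter.
MIME_RULE = r'^(.*)name\=\"(.*)\.(com|pif|vbs|vbe|exe|bat|cmd)\"$'
# Constructed rule (assumption, not from the thread): targets the uuencode
# header line, whose layout is "begin <octal mode> <filename>".
UU_RULE = r'^begin [0-7]+ .*\.(com|pif|vbs|vbe|exe|bat|cmd)$'

RULES = [("mime-name", MIME_RULE), ("uuencode-begin", UU_RULE)]

# Body of the uuencoded test mail quoted in the thread.
UU_BODY = """\
-----Ursprungliche Nachricht-----
Von: testuser [mailto:testuser@belfin.ch]
Gesendet: Freitag, 5. Oktober 2001 12:12
An: testuser@belfin.reinach
Betreff: test

begin 666 AUTOEXEC.BAT
`
end
"""

# Constructed samples: a MIME part header and a harmless uuencoded text file.
MIME_BODY = 'Content-Type: application/octet-stream;\n\tname="AUTOEXEC.BAT"\n'
TEXT_BODY = "begin 644 notes.txt\n`\nend\n"


def first_hit(body, rules=RULES):
    """Return (rule name, line number, line) of the first match, or None.

    Emulation assumptions: each body line is tested on its own, rules are
    tried in file order, and matching is case-insensitive.
    """
    compiled = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in rules]
    for lineno, line in enumerate(body.splitlines(), start=1):
        for name, rx in compiled:
            if rx.search(line):
                return name, lineno, line
    return None


if __name__ == "__main__":
    for label, body in [("uuencode", UU_BODY), ("mime", MIME_BODY), ("text", TEXT_BODY)]:
        print(label, "mime rule only ->", first_hit(body, RULES[:1]))
        print(label, "both rules     ->", first_hit(body, RULES))
```

In this emulation the `name="..."` rule finds nothing in the uuencoded mail, because the filename appears only on the `begin 666 AUTOEXEC.BAT` line.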