On Thu, Jul 29, 2004 at 10:16:08AM +0200, Margrit Lottmann said:
> On Wed, 28 Jul 2004, Wakko Warner wrote:
>
> > > Some emails cannot be scanned because of errors
> >
> > Look at the attachment. That is before you base64 decode it. There's
> > random length lines, spaces on the lines. The decoder I wrote only decodes
> > upto the first space and thus corrupted enough that the virus scanner can't
> > see it. I'm still glad I block based on extension.
> >
> Here is our acl-part to demime/virus scanning:
> ::::::::::::::::::::::::::::::::::::::::::::::
> warn message = X-Mime-Error: $demime_reason
> demime = *
> condition = ${if >{$demime_errorlevel}{2}{1}{0}}
>
> deny message = This site does not accept attachments of this type
> ($found_extension)
> demime = ade:adp:bas:bat:chm:cmd:com:cpl:exe:hlp:hta:\
> inf:ins:isp:js:jse:lnk:mdb:mde:msc:msi:msp:mst:pcd:pif:\
> reg:scr:sct:shs:shb:url:vb:vbe:vbs:wsc:wsf:wsh
>
> warn message = X-Malware-Error: $malware_name
> malware = *
You also want demime = * here - it'll unpack before sending to Sophie
that way.
> in mainlog:
> 2004-07-28 18:38:55 1BprRv-00043s-4N demime acl condition: base64 line
> length is not a multiple of 4 characters
> 2004-07-28 18:38:55 1BprRv-00043s-4N demime acl condition: base64 line
> contains illegal character
> 2004-07-28 18:38:55 1BprRv-00043s-4N demime acl condition: base64 line
> length exceeds 76 characters
> 2004-07-28 18:38:56 1BprRv-00043s-4N <= ...I can already see...that this
> is a virus message (manipulated addresses ... not from our net)
> ...
> 2004-07-28 18:38:56 1BprRv-00043s-4N Completed
>
> ...which $demime_errorlevel have such errors >>> not 2 or ??? <<<
$demime_errorlevel: When an error was detected in a MIME container, this variable contains the "severity" of the error, as an integer number. The higher the value, the more severe the error. If this variable is unset or zero, no error has occurred.
It's a severity, not a counter.
I think these are all Mydoom.{M,o}, depending on your A/V vendor. If
sophie is having trouble unpacking the zips, set up the demime condition
above. It should be able to unpack the zip files. If not, write a
simple script that does unpack the zip files, and use it as a wrapper
around Sophie.
OTOH, if you're looking for simple things to block on, we've taken to
blocking email coming from outside our networks, but pretending to be
from a system account (e.g., mailer-daemon, postmaster)@ one of our
networks - that has gotten rid of as many as the A/V scans, it looks
like.
HTH,
--
--------------------------------------------------------------------------
| Stephen Gran | BOFH excuse #23: improperly oriented |
| steve@??? | keyboard |
| http://www.lobefin.net/~steve | |
--------------------------------------------------------------------------
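The malformed-base64 problem this thread turns on (irregular line lengths, embedded spaces, illegal characters, and a decoder that reads only up to the first space), as an added example that is not from the thread, from Exim or from Sophie: a Python sketch that reproduces the three demime complaints seen in the mainlog above and shows a naive decoder losing the payload while a tolerant one still hands the scanner the whole attachment. The sample body, the check rules and all function names are constructed assumptions, not demime's actual code.

```python
import base64
import binascii
import re

# Constructed sample plaintext standing in for an attachment body (not a real file).
PLAINTEXT = b"Constructed attachment body: the virus scanner must see all of these bytes intact."


def build_malformed_sample() -> str:
    """Mangle a clean base64 encoding the way the thread describes: one over-long
    line, one line with an embedded space, one line whose length is not a multiple
    of 4. Hypothetical construction, not captured from a real message."""
    clean = base64.b64encode(PLAINTEXT).decode("ascii")  # 112 chars, ends with "=="
    return "\n".join([clean[:80], clean[80:90] + " " + clean[90:95], clean[95:]])


def check_base64_lines(body: str) -> set:
    """Approximation of the three complaints demime logged above; the exact demime
    rules are not on the page, these are the obvious checks behind each message."""
    problems = set()
    for line in body.splitlines():
        if len(line) > 76:
            problems.add("base64 line length exceeds 76 characters")
        if re.search(r"[^A-Za-z0-9+/=]", line):
            problems.add("base64 line contains illegal character")
        if len(line) % 4 != 0:
            problems.add("base64 line length is not a multiple of 4 characters")
    return problems


def naive_decode(body: str) -> bytes:
    """The failure mode from the thread: each line is read only up to its first
    space and the result decoded strictly, so bad padding leaves nothing to scan."""
    joined = "".join(line.split(" ", 1)[0] for line in body.splitlines())
    try:
        return base64.b64decode(joined, validate=True)
    except binascii.Error:
        return b""


def tolerant_decode(body: str) -> bytes:
    """Drop everything outside the base64 alphabet, re-pad, then decode, so a
    deliberately mangled body still reaches the scanner intact."""
    data = re.sub(r"[^A-Za-z0-9+/]", "", body)
    data += "=" * (-len(data) % 4)
    return base64.b64decode(data)


if __name__ == "__main__":
    sample = build_malformed_sample()
    print(sorted(check_base64_lines(sample)))
    print(naive_decode(sample) == PLAINTEXT, tolerant_decode(sample) == PLAINTEXT)
```

Wiring the tolerant decoder in front of the scanner is the same idea as the demime = * condition recommended above: the scanner only helps if it sees the bytes the attacker meant to hide.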