Re: [exim] New Stuff

Pàgina inicial
Delete this message
Reply to this message
Autor: David
Data:  
A: exim-users
Assumpte: Re: [exim] New Stuff
Hi !!

>> exim's content scanning creates a mbox .eml file, so there (theorically)
>> will be no problem (i will test it through
>> http://www.webmail.us/testvirus, anyone asking for a test suite?), in


my tests with the eicar file show that clamd correctly demimes by
itself the .eml file and detects the virus signature, but in my tests
decode = default does nothing, the atachment is not saved to the
scan spool area. will try to debug it deeply.

> well, test #24 and 25 (message/partial and CLSID trick, whatever that
> is), since they do not contain any virus, will pass through in a basic
> configuratio (exim 4.50) with a data acl:


thos on mime_acl will catch some of the tests:

# CLSID hidden extension

   deny   condition   = ${if match {$mime_filename}\
                         {\N\{[a-hA-H0-9-]{25,}\}\N}{yes}{no}}
          message     = Blacklisted extension (CLSID)


# Bounday Space Gap

   deny   condition   = ${if match{$mime_boundary}{^( |\t)}{yes}{no}}
          message     = Broken MIME container (Boundary Space Gap)


# Empty MIME Boundary Vulnerability

   deny   condition   = $mime_is_multipart
          condition   = ${if eq{$mime_boundary}{}{yes}{no}}
          message     = Broken MIME container (Empty MIME Boundary)


# Long MIME Boundary Vulnerability

   deny   condition   = ${if >{${strlen:$mime_boundary}}{70}{yes}{no}}
          message     = Broken MIME container (Long MIME Boundary)



--
Best regards ...

It's a fine line between fishing & standing still

----------------------------------------------------------------
    David Saez Padros                http://www.ols.es
    On-Line Services 2000 S.L.       e-mail  david@???
    Pintor Vayreda 1                 telf    +34 902 50 29 75
    08184 Palau-Solita i Plegamans   movil   +34 670 35 27 53
----------------------------------------------------------------