At 02:56 AM 8/16/2007, MrC wrote:
>Kenneth Oncinian wrote:
> > Hi List,
> >
> > We prohibit certain types of files as attachments or as archived in any
> > format, for example, executable files.
> > However, as users notice this due to bounce messages, they are now embedding
> > executables in MS Office documents
> > and thus bypassing the file type prohibit rule.
> > Is there a way for amavisd-new to detect and reject these kinds of
> > attachments as well?
> >
> > best regards,
> > Kenneth
>
>The file utility shows these files as ordinary Microsoft Office
>Documents. However, they have a Package Embed section within them,
>which is not identified by file.
>
>I started looking at the format of the .doc file with the embed, but
>haven't come up with a definitive pattern yet to allow file to match, so
>that a reject rule can be created for amavis.

If you install the "ripole" program then amavisd-new can unpack Office
documents to check for embedded executables through the regular banned
files mechanism. Note however that the ripole tool is not perfect and
may not be able to open all documents.

To enable the ripole tool, your amavisd.conf file must have it listed
in the @decoders section (it's included in the default):

  @decoders = (
    ...
    ['doc',  \&do_ole,  ['ripole','/usr/local/bin/ripole'] ],
    ...
  );

The other requirement is the "file" utility must correctly recognize
office documents.

The ripole tool is available here:
http://www.pldaniels.com/ripole/
or your system may have a packaged port/rpm/deb available.

--
Noel Jones
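
Added illustration, not part of the original thread and not code from ripole or amavisd-new: a Python sketch of why "file" sees only an Office document while an OLE unpacker can find the embed. It walks the OLE2 directory of a legacy .doc and flags a stream named \x01Ole10Native, the stream in which OLE Packager objects are stored. The function names and the sample file built inline are constructed for this example.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF

def ole_entry_names(data):
    """List directory entry names of an OLE2 file; [] if it is not OLE2."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return []
    size = 1 << struct.unpack_from("<H", data, 30)[0]     # sector size
    first_dir = struct.unpack_from("<I", data, 48)[0]
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]
    fat = []
    # Only the 109 FAT pointers in the header are followed (no DIFAT chain).
    for sid in struct.unpack_from("<109I", data, 76):
        if sid >= 0xFFFFFFFA or len(sector(sid)) < size:
            break                                         # unused or truncated
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(sid)))
    names, sid, seen = [], first_dir, set()
    while sid < len(fat) and sid not in seen:             # walk directory chain
        seen.add(sid)
        sec = sector(sid)
        for off in range(0, len(sec) - 127, 128):         # 128-byte entries
            name_len, obj_type = struct.unpack_from("<HB", sec, off + 64)
            if obj_type in (1, 2, 5) and 2 <= name_len <= 64:
                raw = sec[off:off + name_len - 2]         # drop UTF-16 NUL
                names.append(raw.decode("utf-16-le", "replace"))
        sid = fat[sid]
    return names

def has_embedded_package(data):
    """True if any entry is the stream OLE Packager objects are stored in."""
    return "\x01Ole10Native" in ole_entry_names(data)

def _entry(name, obj_type):
    raw = (name + "\0").encode("utf-16-le")
    return raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), obj_type) + b"\0" * 61

def build_sample(stream_names):
    """Constructed minimal OLE2 file: header, one FAT sector, one directory sector."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<H", header, 30, 9)                 # 512-byte sectors
    struct.pack_into("<I", header, 48, 1)                 # directory in sector 1
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *([FREESECT] * 126))
    entries = [_entry("Root Entry", 5)] + [_entry(n, 2) for n in stream_names]
    return bytes(header) + fat + b"".join(entries).ljust(512, b"\0")

if __name__ == "__main__":
    doc = build_sample(["WordDocument", "\x01Ole10Native"])
    print(ole_entry_names(doc), has_embedded_package(doc))
```

This only reports that a packaged object is present; it does not extract the payload or decide whether it is an executable, which is the job of the unpacker plus the banned files rules.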
