RE: [Mimedefang] Amusing coincidence

2006-04-14 Thread Paul Murphy
Fred,

 The action_quarantine message was put into the email when
 the attachment was stripped out.  However, the attachment did not
 actually end up in the quarantine directory!
 
 ===
 sub filter_multipart () {
     my($entity, $fname, $ext, $type) = @_;
 
     return if message_rejected(); # Avoid unnecessary work
 
     if (filter_bad_filename($entity)) {
         md_graphdefang_log('bad_filename', $fname, $type);
         action_notify_administrator("A MULTIPART attachment of type $type, named $fname was dropped.\n");
         return action_quarantine($entity,
             "An attachment of type $type, named $fname was removed from this document as it\n" .
             "constituted a network security hazard.  If you require this document, \n" .
             "please contact the sender and arrange an alternate means of receiving it.\n");
     }
     ...
 
     return action_accept();
 }
 ===

Your filter uses return action_quarantine(), which isn't right - you need
to accept, bounce or discard the message instead, e.g.:

if (filter_bad_filename($entity)) {
    md_graphdefang_log('bad_filename', $fname, $type);
    action_notify_administrator("A MULTIPART attachment of type $type, named $fname was dropped.\n");
    action_quarantine_entire_message(
        "An attachment of type $type, named $fname was removed from this document as it\n" .
        "constituted a security hazard.  If you require this document, please contact\n" .
        "IT Support to arrange for it to be released.\n");
    return action_discard();
}

 2) Will changing the conditional to
   if (filter_bad_filename($entity) and ($type ne "message/rfc822"))
 prevent a similar event from recurring?

Probably.

Paul.


___
NOTE: If there is a disclaimer or other legal boilerplate in the above
message, it is NULL AND VOID.  You may ignore it.

Visit http://www.mimedefang.org and http://www.roaringpenguin.com
MIMEDefang mailing list MIMEDefang@lists.roaringpenguin.com
http://lists.roaringpenguin.com/mailman/listinfo/mimedefang


[Mimedefang] Image validator/OCR SA plugin

2006-04-14 Thread Martin Blapp


Hi all,

This is just a little advertisement for my plugin which is now
in a usable state and works very well.

Anyone interested should keep an eye on it - it really helps
with the image only spam we get today. But probably the spammers
will soon change their tricks to different images which are more
difficult to read :-(

http://antispam.imp.ch/patches/patch-ocrtext

Martin

Martin Blapp, [EMAIL PROTECTED] [EMAIL PROTECTED]
--
ImproWare AG, UNIXSP  ISP, Zurlindenstrasse 29, 4133 Pratteln, CH
Phone: +41 61 826 93 00 Fax: +41 61 826 93 01
PGP: finger -l [EMAIL PROTECTED]
PGP Fingerprint: B434 53FC C87C FE7B 0A18 B84C 8686 EF22 D300 551E
--



Re: [Mimedefang] Mimedefang sometime doesn't timeout Mail::SpamAssassin::Timeout parts in SA plugins

2006-04-14 Thread Martin Blapp


Hi,

I suspect SA itself has the same problem but since I did only some tests the
problem never happened to me.


This Plugin works in Spamassassin, but in mimedefang sometimes some of
the timeouts get ignored.


Does it work if you disable the embedded Perl feature?




The same problems.


Timeouts in SpamAssassin are (to the best of my recollection) implemented
with SIGALRM, which by itself is evidence of scariness, but I don't think
MIMEDefang should affect SA.



I'm not sure if this is true on FreeBSD, but maybe try implementing
your 100-second wait with something like this:

  select(undef, undef, undef, 100);


Yes the example was a bad one since I'm working in my plugin completely
with pipes so I should have made one with pipes too.

I've changed SIGTERM now to be SIGKILL, let's see if that helps.

Martin


RE: [Mimedefang] Image validator/OCR SA plugin

2006-04-14 Thread Matthew.van.Eerde
Martin Blapp wrote:
 http://antispam.imp.ch/patches/patch-ocrtext

That is unbelievably sweet.

I remember a couple of years ago there was a virus that sent itself in a 
password-protected .zip file, with an image containing the password.  OCR would 
have been useful... I could easily see MIMEDefang reading the password from 
the image and feeding it to the virus scanner.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer



Re: [Mimedefang] Image validator/OCR SA plugin

2006-04-14 Thread Richard Laager
On Fri, 2006-04-14 at 18:42 +0200, Martin Blapp wrote:
 Anyone interested should keep an eye on it - it really helps
 with the image only spam we get today. But probably the spammers
 will soon change their tricks to different images which are more
 difficult to read :-(

Interesting... What's the performance like with this? How many messages
do you scan per day with it?

Richard




Re: [Mimedefang] Image validator/OCR SA plugin

2006-04-14 Thread John Rudd


On Apr 14, 2006, at 9:42 AM, Martin Blapp wrote:


Anyone interested should keep an eye on it - it really helps
with the image only spam we get today. But probably the spammers
will soon change their tricks to different images which are more
difficult to read :-(



I can see it now ... pretty soon, we'll be seeing spam in captcha form.



Re: [Mimedefang] Image validator/OCR SA plugin

2006-04-14 Thread Martin Blapp



Interesting... What's the performance like with this? How many messages
do you scan per day with it?


It is rather fast. On a Pentium IV 3 GHz I can scan an average jpg/gif picture in
0,2 - 0,3 seconds.

I've limited the scantime to 5 seconds per image, and I allow only three images 
to be scanned per mail. Of course this is user configurable.


The greps here are just up to now, not a full day.

grep hits= /var/log/maillog | wc -l
   78050

grep "X-Spam-Status: Yes" /var/log/maillog | wc -l
   48400

grep "hits=.*SPAMPIC" /var/log/maillog | wc -l
9572

grep "X-Spam-Status: Yes.*hits=.*SPAMPIC" /var/log/maillog | wc -l
9558

grep "X-Spam-Status: Yes.*hits=.*SPAMPIC" /var/log/maillog | grep HTML_IMAGE_ONLY | wc -l
9528

# grep HTML_IMAGE_ONLY /var/log/maillog | wc -l
   35834

This means 60% of all mails we get are SPAM. More than 10% of the SPAM
are some gif and jpg pictures advertizing for stocks and meds.

But almost 45% of all mails match HTML_IMAGE_ONLY, so it's unusable
at all. I even use lower scores for those rules now - which gives
me fewer FPs:

score HTML_IMAGE_ONLY_04 1.400
score HTML_IMAGE_ONLY_08 1.300
score HTML_IMAGE_ONLY_12 1.200
score HTML_IMAGE_ONLY_16 1.100
score HTML_IMAGE_ONLY_20 0.950
score HTML_IMAGE_ONLY_24 0.900
score HTML_IMAGE_ONLY_28 0.700
score HTML_IMAGE_ONLY_32 0.400

Martin


Re: [Mimedefang] Image validator/OCR SA plugin

2006-04-14 Thread Martin Blapp

# grep HTML_IMAGE_ONLY /var/log/maillog | wc -l
  35834


This is wrong. It should have been

# grep "HTML_IMAGE_ONLY.*hits=" /var/log/maillog | wc -l
17917


But almost 45% of all mails match HTML_IMAGE_ONLY, so it's unusable
at all. I even use lower scores for those rules now - which gives
me fewer FPs:


22% is still a lot ...

Martin
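
Added example, not part of the original posts: the corrected count (17917) is exactly half of the first one (35834), which is consistent with the rule name appearing on two log lines per message. The script below counts messages rather than lines by only looking at the line that carries hits=, then computes the rates. The log layout, the sample lines and the function names are assumptions made for this illustration.

```shell
#!/bin/sh
# Constructed sample log: the line layout is an assumption; only the
# "X-Spam-Status:", "hits=" and rule-name tokens come from the thread's greps.
sample_log() {
cat <<'EOF'
Apr 14 10:00:01 mx1 mimedefang.pl[101]: k3E001: X-Spam-Status: Yes, hits=14.2 tests=HTML_IMAGE_ONLY_04,SPAMPIC
Apr 14 10:00:01 mx1 mimedefang.pl[101]: k3E001: rule matched: HTML_IMAGE_ONLY_04
Apr 14 10:00:02 mx1 mimedefang.pl[102]: k3E002: X-Spam-Status: No, hits=1.1 tests=HTML_IMAGE_ONLY_16
Apr 14 10:00:02 mx1 mimedefang.pl[102]: k3E002: rule matched: HTML_IMAGE_ONLY_16
Apr 14 10:00:03 mx1 mimedefang.pl[103]: k3E003: X-Spam-Status: Yes, hits=9.8 tests=BAYES_99
Apr 14 10:00:04 mx1 mimedefang.pl[104]: k3E004: X-Spam-Status: No, hits=0.0 tests=none
Apr 14 10:00:05 mx1 mimedefang.pl[105]: k3E005: X-Spam-Status: Yes, hits=11.0 tests=SPAMPIC,HTML_IMAGE_ONLY_08
Apr 14 10:00:05 mx1 mimedefang.pl[105]: k3E005: rule matched: HTML_IMAGE_ONLY_08
EOF
}

# Raw number of lines in file $1 containing fixed string $2 (what a bare grep counts).
count_lines() { grep -cF -- "$2" "$1" || true; }

# Number of messages: only the per-message status line (the one with "hits=")
# is considered. Two-stage match, so token order on the line does not matter.
count_msgs() { grep -F -- 'hits=' "$1" | grep -cF -- "$2" || true; }

# $1 as a percentage of $2 with one decimal; "n/a" for an empty log.
pct() {
    LC_ALL=C awk -v n="$1" -v d="$2" \
        'BEGIN { if (d == 0) print "n/a"; else printf "%.1f\n", 100 * n / d }'
}

report() {
    total=$(count_lines "$1" 'hits=')
    spam=$(count_msgs "$1" 'X-Spam-Status: Yes')
    pic=$(count_msgs "$1" 'SPAMPIC')
    img_lines=$(count_lines "$1" 'HTML_IMAGE_ONLY')
    img_msgs=$(count_msgs "$1" 'HTML_IMAGE_ONLY')
    echo "scanned=$total spam=$spam ($(pct "$spam" "$total")%)"
    echo "SPAMPIC messages=$pic ($(pct "$pic" "$total")%)"
    echo "HTML_IMAGE_ONLY lines=$img_lines messages=$img_msgs ($(pct "$img_msgs" "$total")%)"
}

log=$(mktemp)
trap 'rm -f "$log"' EXIT
sample_log > "$log"
report "$log"
```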