MS Security Virus Email bypasses Procmail Filter

lewt · 09-24-2003, 04:53 PM

We cant figure it out.. we filter any .exe's that come through and those attachments are still slipping past procmail.

Anyone having similar experiences?

unSpawn · 09-24-2003, 05:28 PM

We can't either w/o you posting your procmail recipe's, but if you "egrep mbox -ie "^content-type: (multi|audio)"" and compare it with your recipe's you prolly see why.

lewt · 09-24-2003, 05:45 PM

Sorry

Code:

VERBOSE=OFF
LOGFILE=/var/log/procmail.info
PATH="/usr/bin:$PATH:/usr/local/bin"
DROPPRIVS=NO

SHELL=/bin/sh



MANGLE_EXTENSIONS="exe|exe |com|cmd|bat|pif|sc[rt]|lnk|dll|ocx|do[ct]|xl[swt]|p[po]t|rtf|vb[se]?|hta|p[lm]|sh[bs]|hlp|chm|eml|ws[cfh]|ad[ep]|jse?|md[abe$
POISONED_EXECUTABLES=/etc/procmail/poisoned
SECURITY_NOTIFY="postmaster"

SECRET="xxxxxx"


SECURITY_QUARANTINE=/dev/null
POISONED_SCORE=25


SCORE_HISTORY=/var/log/macro-scanner-scores
# LOGFILE=/var/log/procmail.log


# Finished setting up, now run the sanitizer...
INCLUDERC=/etc/procmail/html-trap.procmail


# Reset some things to avoid leaking info to
# the users...
POISONED_EXECUTABLES=
SECURITY_NOTIFY=
SECURITY_NOTIFY_VERBOSE=
SECURITY_NOTIFY_SENDER=
SECURITY_QUARANTINE=
SECRET=

unSpawn · 09-24-2003, 06:32 PM

This does a whole lotta.. ah, nuttin :-]
It clearly references files in subdirs you did not include. If this is a regular package post the name and version. Besides verbose is off, so logging will be way less, and to troubleshoot you want to have as much loggable info as you can.