[Debian-NP-Commits] r176 - in trunk/packages/debian-np: configs/np-mail-server/postfix/checks debian
micah
debian-np-devel@lists.alioth.debian.org
Fri, 16 Jul 2004 11:34:54 -0600
Author: micah-guest
Date: Fri Jul 16 11:34:53 2004
New Revision: 176
Modified:
trunk/packages/debian-np/configs/np-mail-server/postfix/checks/body_checks
trunk/packages/debian-np/configs/np-mail-server/postfix/checks/mime_header_checks
trunk/packages/debian-np/debian/changelog
Log:
. Updated body_checks to reject executable attachments better from
updated Jim Seymour's page
. Updated mime_header_checks to v10 list from Jim Seymour, includes
more advanced extention blocking, and also the addition of scripts
embedded in email that try to write .exe to install a proxy
. Changed the "*Any* zip file: just log a warning" to actually log
a warning, it was REJECT'ing
Modified: trunk/packages/debian-np/configs/np-mail-server/postfix/checks/body_checks
==============================================================================
--- trunk/packages/debian-np/configs/np-mail-server/postfix/checks/body_checks (original)
+++ trunk/packages/debian-np/configs/np-mail-server/postfix/checks/body_checks Fri Jul 16 11:34:53 2004
@@ -6,7 +6,8 @@
# reject all executable attachments
-/^TVqQAAMAAAAEAAAA\/\/8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ REJECT Executable attachments not accepted.
+/^TV[nopqr]....[AB]..A.A/i REJECT Email with EXE files attached denied
+/^M35[GHIJK].`..`..*````/i REJECT Email with EXE files attached denied
# reject all zip files which require a password
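Review bot: the two new patterns carry no comment explaining what they match, and since body_checks runs them over every body line, a maintainer cannot tell from the hunk that `^TV[nopqr]....[AB]..A.A` is the base64 form of an MZ header plus the first DOS-header fields, or that `^M35[GHIJK]` is the uuencoded form of the same bytes; a one-line comment above each would prevent the pattern being "tightened" back to the single fixed string it replaces. The trailing `i` flag deserves a comment too: in Postfix regexp tables it toggles the default case-insensitive matching, so these lines are the only case-sensitive ones in the file, which is correct for base64 and uuencode but easy to misread. Consider also giving the two lines distinct reject texts (e.g. "base64" versus "uuencoded") so the mail log shows which encoding fired.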
Modified: trunk/packages/debian-np/configs/np-mail-server/postfix/checks/mime_header_checks
==============================================================================
--- trunk/packages/debian-np/configs/np-mail-server/postfix/checks/mime_header_checks (original)
+++ trunk/packages/debian-np/configs/np-mail-server/postfix/checks/mime_header_checks Fri Jul 16 11:34:53 2004
@@ -38,10 +38,12 @@
# be found at http://jimsun.LinxNet.com/misc/postfix-anti-UCE.txt. Also,
# at the bottom of that URL, are references to additional Postfix anti-UCE
# resources.
-
#
# Generic M$ email-borne worm/trojan/virus protection
#
+# Note that this catches uuencoded executables in the email body, *not*
+# MIME attachments.
+#
# M$-Windoze vulnerable to all these as email-borne viruses/worms/trojans
# Added .ade, .adp, .bas, .cpl, .crt, .hlp, .inf, .ins, .isp, .lnk, .mdb,
# .mde, .msc, .msi, .msp, .mst, .pcd, .reg, .sct, .shs, .url, .vb, and .wsc
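Review bot: the added note ("catches uuencoded executables in the email body, *not* MIME attachments") sits directly under the generic section heading and ahead of the comment block that lists the extensions for the Content-(Disposition|Type) rule, so it reads as a description of the whole section; move it to immediately above the `begin` pattern it actually refers to.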
@@ -71,10 +73,12 @@
# .xl. (Ref: http://www.cknow.com/vtutor/vtextensions.htm)
# (.doc, .html?, .ppt, .prc, .rtf not added, but probably should be.)
# ("Source" [.asm, .c, .cpp., .pas, .for] seem unlikely to me)
+# v8.1 list: Put missing .com in!
# v9 list: added CLSIDs (e.g.: "name.{FBF23B40-E3F0-101B-8488-00AA003E56F8}")
# (Complements of Victor Duchovni and Noel Jones)
+# v10 list: added .cbl
#
-/^Content-(Disposition|Type):\s+.+?(?:file)?name="?.+?\.(386|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cbt|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xl.|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$2" file attachment types not allowed
+/^begin\s+\d+\s+.+?\.(386|ad[ept]|app|as[dpx]|ba[st]|bin|btm|cab|cb[lt]|cgi|chm|cil|cla(ss)?|cmd|cp[el]|crt|cs[chs]|cvp|dll|dot|drv|em(ai)?l|ex[_e]|fon|fxp|hlp|ht[ar]|in[fips]|isp|jar|jse?|keyreg|ksh|lib|lnk|md[abetw]|mht(m|ml)?|mp3|ms[ciopt]|nte|nws|obj|ocx|ops|ov.|pcd|pgm|pif|p[lm]|pot|pps|prg|reg|sc[rt]|sh[bs]?|slb|smm|sw[ft]|sys|url|vb[esx]?|vir|vmx|vxd|wm[dsz]|ws[cfh]|xl.|xms|\{[\da-f]{8}(?:-[\da-f]{4}){3}-[\da-f]{12}\})\b/ REJECT ".$1" filetype not allowed
# ".com" handled differently as above lines would catch attachments like
# "user@example.com PGP Keys.txt"
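Review bot: this hunk deletes the `Content-(Disposition|Type)` extension pattern and substitutes the uuencode `begin` pattern instead of adding it alongside, so MIME attachments with any of the listed extensions are no longer rejected by this table unless an equivalent line exists elsewhere in the file; the log message ("more advanced extention blocking") suggests both were intended. Keep the MIME line, adding the new `cb[lt]` entry and keeping its `$2` group reference, and place the `begin` line after it with its `$1`. Also, a `begin NNN filename` line is message body content rather than a MIME header, so if this table is only applied to MIME headers the uuencode pattern belongs in body_checks next to the base64/uuencode MZ patterns changed in the first hunk.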
@@ -97,7 +101,19 @@
/^Content-(Disposition|Type):\s+.*?(file)?name="?.*?(your_details|application|document|screensaver|movie)\.zip/ REJECT
# *Any* zip file: just log a warning...
-/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/ REJECT
+/^Content-(Disposition|Type):\s+.+?(file)?name="?.+?\.zip\b/ WARN .zip file attached
/^Content-Type.*application.x-msdownload;/ REJECT
+
+#
+# Possibly script embedded in email that attempts to write a .exe that'll
+# install a proxy on victim's 'doze PeeCee
+# (ref: Message-ID: <40adf117$0$17764$cc9e4d1f@news.dial.pipex.com> in
+# news.admin.net-abuse.email)
+#
+/<\s*(object\s+data)\s*=/ REJECT Email with "$1" tags not allowed
+/<\s*(script\s+language\s*="vbs")/ REJECT Email with "$1" tags not allowed
+/<\s*(script\s+language\s*="VBScript\.Encode")/ REJECT Email with "$1" tags not allowed
+
+
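Review bot: the three new `<object data=` / `<script language=...>` patterns match HTML in the message body, but this file is mime_header_checks, which Postfix applies to MIME header lines, so they will never fire on body text; move them to body_checks. They are also narrower than the comment suggests, since `language\s*="vbs"` only matches a double-quoted value and `<object data=` only that one attribute order. The `WARN .zip file attached` change is correct and matches the comment above it. The two trailing `+` blank lines add nothing but whitespace at end of file.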
Modified: trunk/packages/debian-np/debian/changelog
==============================================================================
--- trunk/packages/debian-np/debian/changelog (original)
+++ trunk/packages/debian-np/debian/changelog Fri Jul 16 11:34:53 2004
@@ -4,30 +4,40 @@
* Micah Anderson
- np-mail-server:
- . Moved "check_helo_access hash:$checks_dir/helo_checks" from the
- smtpd_helo_restrictions block to the smtpd_sender_restrictions block
- because a client has to EHLO before it can SASL authenticate,
- so SASL SMTP AUTH'd clients who should be allowed to HELO as
- the host would get the "Helo command rejected: You are not in domain
- <domain.name>" error. Also moved the
- permit_sasl_authenticated higher up in the smtpd_sender_restrictions
+ . Updated body_checks to reject executable attachments better from
+ updated Jim Seymour's page
+
+ . Updated mime_header_checks to v10 list from Jim Seymour, includes
+ more advanced extention blocking, and also the addition of scripts
+ embedded in email that try to write .exe to install a proxy
+
+ . Changed the "*Any* zip file: just log a warning" to actually log
+ a warning, it was REJECT'ing
+
+ . Moved "check_helo_access hash:$checks_dir/helo_checks" from the
+ smtpd_helo_restrictions block to the smtpd_sender_restrictions block
+ because a client has to EHLO before it can SASL authenticate,
+ so SASL SMTP AUTH'd clients who should be allowed to HELO as
+ the host would get the "Helo command rejected: You are not in domain
+ <domain.name>" error. Also moved the
+ permit_sasl_authenticated higher up in the smtpd_sender_restrictions
- . Added permit_mynetworks to the smtpd_helo_restrictions so machines
- that are allowed to relay are accepted right away
+ . Added permit_mynetworks to the smtpd_helo_restrictions so machines
+ that are allowed to relay are accepted right away
- . Moved reject_non_fqdn_sender as well as the
- reject_unknown_sender_domain into the sender_restrictions
- instead of being in the recipient_restrictions.
+ . Moved reject_non_fqdn_sender as well as the
+ reject_unknown_sender_domain into the sender_restrictions
+ instead of being in the recipient_restrictions.
- . Added smtpd_data_restrictions and moved
- reject_unauth_pipelining into that check, as
- http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt notes:
- "For Postfix 2.x versions, reject_unauth_pipelining should always be
- placed in smtpd_data_restrictions, even if it's the only one you put
- there." - See FAQ Q16/A16.
+ . Added smtpd_data_restrictions and moved
+ reject_unauth_pipelining into that check, as
+ http://jimsun.linxnet.com/misc/postfix-anti-UCE.txt notes:
+ "For Postfix 2.x versions, reject_unauth_pipelining should always be
+ placed in smtpd_data_restrictions, even if it's the only one you put
+ there." - See FAQ Q16/A16.
- . Added smtpd_banner to postfix configuration to hide the OS of the
- system.
+ . Added smtpd_banner to postfix configuration to hide the OS of the
+ system.
* Marco Presi (Zufus)
- Initial code in DebConf4
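Review bot: "extention" in the new mime_header_checks entry should be "extension". The hunk also removes and re-adds every pre-existing np-mail-server entry (helo_checks move, permit_mynetworks, sender restrictions, smtpd_data_restrictions, smtpd_banner) with only the leading whitespace changed, which makes the real addition of three entries hard to see; keep the original indentation so the diff shows just the new lines.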