Thread: Re: Someone missed a virus..

Re: Someone missed a virus..
United States
2007-06-16 09:34:38
> -----Original Message-----
> From: amavis-user-bounces@lists.sourceforge.net
> [mailto:amavis-user-bounces@lists.sourceforge.net] On Behalf Of Mark Martinec
> Sent: Saturday, June 16, 2007 9:17 AM
> To: amavis-user@lists.sourceforge.net
> Subject: Re: [AMaViS-user] Someone missed a virus..
> 
> 
> Michael,
> 
> > Guess we have a path problem:
> > -r-xr-xr-x  1 root  wheel  11232 Jun  1 07:36 /usr/local/bin/file
> > -r-xr-xr-x  1 root  wheel  10300 Nov  8  2006 /usr/bin/file
> >
> > But, amavisd-new will use /usr/local/bin/file first?
> > Jun 16 07:34:44 fl amavis[15952]: Found $file at /usr/local/bin/file
> 
> Yes, intentionally. Often the one installed by user is fresher than the one
> bundled with a system. But this is under user's control, the default $path
> variable in amavisd is empty, it is always explicitly assigned to in
> amavisd.conf, e.g.
> 
>   $path = '/usr/local/sbin:/usr/local/bin:/usr/sbin:/sbin:/usr/bin:/bin';
> 
> > So, we patch amavisd or file?
> 
> If file(1) gives wrong result, it needs to be fixed or replaced. I doubt
> there is anything in amavisd in this regard.

Noel 'hacked' amavisd and got it to work (well, workaround).

Not that I SUGGEST this, would this hurt anything?
Just adding a [qr/^Microsoft Installer\b/i  => 'doc'], line under office?
Quick edit to /usr/local/sbin/amavisd...
--- amavisd.2.5.1       Fri Jun 15 18:02:10 2007
+++ amavisd     Fri Jun 15 18:07:31 2007
 -983,4
+983,5 
      [qr/^Rich Text Format datab/       => 'rtf'],
      [qr/^Microsoft Office Documentb/i  => 'doc'],  #
OLE2: doc, ppt,
xls, ...
+    [qr/^Microsoft Installerb/i  => 'doc'],  # OLE2:
doc, ppt, xls, 
+ ...
      [qr/^ms-windows meta(file|font)b/i => 'wmf'],
      [qr/^LaTeXb.*bdocument textb/    => 'lat'],
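Review bot: the comment copied onto the added line ("# OLE2: doc, ppt, xls, ...") is misleading; an MSI package is not a doc/ppt/xls, and the only reason the line exists is that file(1) reports this particular OLE2 .doc as "Microsoft Installer". State that in the comment, e.g. `# workaround: file(1) misidentifies some OLE2 docs as "Microsoft Installer"`, so the entry is not mistaken for a deliberate type mapping and can be dropped once file(1) is fixed. Worth noting in the same comment: a genuine .msi attachment will now be typed T=doc as well, so any banned-file rule keyed on content type (like the `^\.(exe-ms|dll)$` key in the log that follows) that includes 'doc' will match MSI packages too.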

And now it blocks it...
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p003 1 Content-Type: multipart/mixed
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p001 1/1 Content-Type: text/plain, size: 14 B, name:
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p002 1/2 Content-Type: application/msword, size: 216576 B, name: test_document_with_EXE.doc
Jun 15 18:00:40 mgate2 amavis[14259]: (14259-01) p.path BANNED:1 njones@mgate2.vbhcs.org: "P=p003,L=1,M=multipart/mixed | P=p002,L=1/2,M=application/msword,T=doc,N=test_document_with_EXE.doc | P=p005,L=1/2/2,T=exe,T=exe-ms,N=HyperTracerouteInstall.exe", matching_key="(?-xism:^\.(exe-ms|dll)$)"


-- 
Noel Jones 

-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
AMaViS-user mailing list
AMaViS-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ:http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos:http://www.amavis.org/howto/
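As an added example (not code from amavisd-new and not posted by anyone in this thread), the Python below reproduces the shape of amavisd's (regex => type) mapping using only the four entries visible in the patch above, with Noel's workaround line as a toggle, and adds the check a practitioner wants after reading this message: an attachment whose leading bytes carry the OLE2/CFB signature but whose file(1) description does not map to 'doc' is reported as a decoder bypass, which is how the EXE inside test_document_with_EXE.doc got through before the patch. The attachment bytes and the file(1) descriptions are constructed for the example; real amavisd knows many more types than the four reproduced here.

```python
"""Added example, not code from amavisd-new: mimic amavisd's mapping of a
file(1) description to an internal content type and flag OLE2 attachments
that the mapping would leave undecoded."""
import re

# Same (regex => type) shape as amavisd's table; only the entries visible in
# the patch above are reproduced, so real amavisd recognises many more types.
def build_map(with_msi_workaround):
    table = [
        (re.compile(r'^Rich Text Format data\b'), 'rtf'),
        (re.compile(r'^Microsoft Office Document\b', re.I), 'doc'),  # OLE2
        (re.compile(r'^ms-windows meta(file|font)\b', re.I), 'wmf'),
        (re.compile(r'^LaTeX\b.*\bdocument text\b'), 'lat'),
    ]
    if with_msi_workaround:   # the line Noel's patch adds
        table.insert(2, (re.compile(r'^Microsoft Installer\b', re.I), 'doc'))
    return table

def map_type(description, table):
    """First matching entry wins, as in amavisd; None means 'no known type',
    and a part with no known type is not handed to any archive/OLE decoder."""
    for rx, ctype in table:
        if rx.search(description):
            return ctype
    return None

# Compound File Binary (OLE2) header signature; .doc/.xls/.ppt and .msi use it.
OLE2_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')

def audit(parts, table):
    """parts: iterable of (name, leading_bytes, file1_description).
    Returns one (name, mapped_type, verdict) tuple per part."""
    rows = []
    for name, head, desc in parts:
        ctype = map_type(desc, table)
        if head.startswith(OLE2_MAGIC) and ctype != 'doc':
            verdict = 'BYPASS: OLE2 container not handed to the doc decoder'
        elif ctype is None:
            verdict = 'unmapped'
        else:
            verdict = 'ok'
        rows.append((name, ctype, verdict))
    return rows

# Constructed sample parts (leading bytes plus the description file(1) is
# assumed to print); not the attachments from the real message.
SAMPLE_PARTS = [
    ('test_document_with_EXE.doc', OLE2_MAGIC + b'\x00' * 8, 'Microsoft Installer'),
    ('quarterly.doc',              OLE2_MAGIC + b'\x00' * 8, 'Microsoft Office Document'),
    ('setup.msi',                  OLE2_MAGIC + b'\x00' * 8, 'Microsoft Installer'),
    ('notes.rtf',                  b'{\\rtf1\\ansi', 'Rich Text Format data, version 1'),
]

if __name__ == '__main__':
    for flag in (False, True):
        print('MSI workaround %s' % ('on' if flag else 'off'))
        for name, ctype, verdict in audit(SAMPLE_PARTS, build_map(flag)):
            print('  %-28s %-5s %s' % (name, ctype, verdict))
```

Run over the constructed parts, the stock table reports both OLE2 files described as "Microsoft Installer" as bypasses and the workaround line clears them; the setup.msi row shows why mapping the MSI description to 'doc' is harmless, since a genuine MSI package is itself an OLE2 compound file and the doc decoder can open it.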

Re: Someone missed a virus..
United States
2007-06-16 10:51:18
At 09:34 AM 6/16/2007, Michael Scheidell wrote:
> >
> > > So, we patch amavisd or file?
> >
> > If file(1) gives wrong result, it needs to be fixed or replaced. I doubt
> > there is anything in amavisd in this regard.
>
>Noel 'hacked' amavisd and got it to work (well, workaround).
>
>Not that I SUGGEST this, would this hurt anything?
>Just adding a [qr/^Microsoft Installer\b/i  => 'doc'], line under office?

I doubt that adding that line to amavisd will break anything; the file type
"Microsoft Installer" isn't used otherwise.  Note that amavisd must recognize
the file(1) type to call the proper decoder - the file name extension is
intentionally ignored.

That said, it's certainly more appropriate to fix file(1) rather than adding
a workaround to amavisd.

To patch file(1), comment out the "Microsoft Installer" line in the magic
file, then run "file -m magic -C" in the same directory where the magic file
lives.  ("file -v" shows the path to the magic file)

Or just wait for an updated version of file(1).

-- 
Noel Jones 
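The file(1)-side fix Noel describes, as an added example that is not part of this thread and not code from the file project: a Python script that comments out a named magic(5) entry together with the '>' sub-test and '!:' attribute lines that belong to it (commenting out only the top-level line leaves those lines orphaned under the previous entry), then runs `file -C -m magic` in that directory when file(1) is installed, which is the compile step from the message above. The magic fragment is constructed for the example (the OLE2 signature in octal is the real one, the sub-test under "Microsoft Installer" is invented), and the `file -v` parser assumes the 'magic file from ...' line format.

```python
"""Added example, not part of the thread or of the file(1) project: comment
out one magic(5) entry with its sub-test lines, then compile with
`file -C -m magic` as Noel describes."""
import os
import re
import shutil
import subprocess
import tempfile

def magic_paths_from_file_v(output):
    """Pick the magic file path(s) out of `file -v` output. Assumed line format
    'magic file from /path/a:/path/b' (what file 4.x/5.x print)."""
    m = re.search(r'^magic file from (.+)$', output, re.M)
    return m.group(1).split(':') if m else []

def comment_out_entry(magic_text, needle):
    """Comment out every top-level entry whose line contains `needle`, together
    with the '>' sub-tests and '!:' attribute lines that belong to it; leaving
    those behind would orphan them under the previous entry."""
    out, skipping = [], False
    for line in magic_text.splitlines():
        if line.startswith('>') or line.startswith('!:'):
            out.append('#' + line if skipping else line)   # belongs to current entry
            continue
        skipping = line.strip() != '' and not line.startswith('#') and needle in line
        out.append('#' + line if skipping else line)
    return '\n'.join(out) + '\n'

def compile_magic(magic_text, workdir):
    """Write `magic` into workdir and run `file -C -m magic` there, which leaves
    magic.mgc beside it. Returns the .mgc path, or None if file(1) is missing."""
    path = os.path.join(workdir, 'magic')
    with open(path, 'w') as fh:
        fh.write(magic_text)
    if shutil.which('file') is None:
        return None
    res = subprocess.run(['file', '-C', '-m', 'magic'], cwd=workdir,
                         capture_output=True, text=True)
    if res.returncode != 0:
        raise RuntimeError('file -C failed: ' + res.stderr.strip())
    return path + '.mgc'

# Constructed magic(5) fragment for the example; the OLE2 signature in octal is
# real, the sub-test under "Microsoft Installer" is invented for illustration.
SAMPLE_MAGIC = (
    "# constructed fragment, not the shipped Magdir entries\n"
    "0\tstring\t\\320\\317\\021\\340\\241\\261\\032\\341\tMicrosoft Office Document\n"
    "!:mime\tapplication/msword\n"
    "0\tstring\t\\320\\317\\021\\340\\241\\261\\032\\341\tMicrosoft Installer\n"
    ">0x1e\tstring\tx\tversion %s\n"
    "0\tstring\t{\\\\rtf\tRich Text Format data\n"
)

if __name__ == '__main__':
    print(magic_paths_from_file_v('file-4.21\nmagic file from /usr/share/misc/magic\n'))
    patched = comment_out_entry(SAMPLE_MAGIC, 'Microsoft Installer')
    print(patched)
    with tempfile.TemporaryDirectory() as d:
        mgc = compile_magic(patched, d)
        print('compiled:', mgc or 'file(1) not installed, skipped')
```

Before pointing amavisd at the result, check it against the misclassified attachment with `file -m magic.mgc test_document_with_EXE.doc` and confirm it now reads "Microsoft Office Document"; if the distribution ships the magic as a Magdir source tree rather than one concatenated file, make the edit in the source and rebuild the concatenated file from it so the change survives the next build.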



Re: Someone missed a virus..
United States
2007-06-16 11:23:04
> At 09:34 AM 6/16/2007, Michael Scheidell wrote:
> > >
> > > > So, we patch amavisd or file?
> > >
> > > If file(1) gives wrong result, it needs to be fixed or replaced. I
> > > doubt there is anything in amavisd in this regard.
> >
> >Noel 'hacked' amavisd and got it to work (well, workaround).
> >
> >Not that I SUGGEST this, would this hurt anything?
> >Just adding a [qr/^Microsoft Installer\b/i  => 'doc'], line under office?
> 
> I doubt that adding that line to amavisd will break anything; the file
> type "Microsoft Installer" isn't used otherwise.  Note that amavisd must
> recognize the file(1) type to call the proper decoder - the file name
> extension is intentionally ignored.
> 
> That said, it's certainly more appropriate to fix file(1) rather than
> adding a workaround to amavisd.
> 
> To patch file(1), comment out the "Microsoft Installer" line in the magic
> file, then run "file -m magic -C" in the same directory where the magic
> file lives.
> ("file -v" shows the path to the magic file)
> 
> Or just wait for an updated version of file(1).
> 
> --
> Noel Jones 


Christos has applied the fix, so it should be available in the next release.

Noel: I get a curious bounce from your system:

  Sender address rejected: spam support services
      bogus_ns.pcre (in reply to DATA command)

I'm curious how your system is classifying a bogus nameserver? [offlist reply,
if you care to]

Mike





Re: Someone missed a virus..
Slovenia
2007-06-16 13:19:18
> >Noel 'hacked' amavisd and got it to work (well, workaround).
> >Not that I SUGGEST this, would this hurt anything?
> >Just adding a [qr/^Microsoft Installer\b/i  => 'doc'], line under office?
>
> I doubt that adding that line to amavisd will break anything; the file
> type "Microsoft Installer" isn't used otherwise.  Note that amavisd must
> recognize the file(1) type to call the proper decoder - the file name
> extension is intentionally ignored.

It probably wouldn't hurt anyone to add mapping of 'Microsoft Installer' to 'doc'.

  Mark
