
Thread: Re: prohibited attachment embedded in MS documents




Re: prohibited attachment embedded in MS documents
2007-08-16 02:56:34
Kenneth Oncinian wrote:
> Hi List,
> 
> We prohibit certain types of files as attachments or as archived in any
> format, for example, executable files.
> However, as users notice this due to bounce messages, they are now embedding
> executables to MS office documents
> and thus bypassing the file type prohibit rule.
> Is there a way for amavisd-new to detect and reject these kinds of
> attachments as well?
> 
> best regards,
> Kenneth

The file utility shows these files as ordinary Microsoft Office
Documents.  However, they have a Package Embed section within them,
which is not identified by file.

I started looking at the format of the .doc file with the embed, but
haven't come up with a definitive pattern yet to allow file to match, so
that a reject rule can be created for amavis.

If I have more time later, I'll take another look with fresher
eyes.  Perhaps someone will come up with the magic pattern by then.

MrC

_______________________________________________
AMaViS-user mailing list
AMaViS-userlists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amavis-user

AMaViS-FAQ: http://www.amavis.org/amavis-faq.php3
AMaViS-HowTos: http://www.amavis.org/howto/

Re: prohibited attachment embedded in MS documents
2007-08-16 10:58:54
At 02:56 AM 8/16/2007, MrC wrote:
>Kenneth Oncinian wrote:
> > Hi List,
> >
> > We prohibit certain types of files as attachments or as archived in any
> > format, for example, executable files.
> > However, as users notice this due to bounce messages, they are now embedding
> > executables to MS office documents
> > and thus bypassing the file type prohibit rule.
> > Is there a way for amavisd-new to detect and reject these kinds of
> > attachments as well?
> >
> > best regards,
> > Kenneth
>
>The file utility shows these files as ordinary Microsoft Office
>Documents.  However, they have a Package Embed section within them,
>which is not identified by file.
>
>I started looking at the format of the .doc file with the embed, but
>haven't come up with a definitive pattern yet to allow file to match, so
>that a reject rule can be created for amavis.

If you install the "ripole" program then amavisd-new can unpack
Office documents to check for embedded executables through the
regular banned files mechanism.
Note however that the ripole tool is not perfect and may not be able
to open all documents.

To enable the ripole tool, your amavisd.conf file must have it listed
in the decoders section (it's included in the default):

@decoders = (
...
  ['doc',  \&do_ole,  ['ripole','/usr/local/bin/ripole'] ],
...
);

The other requirement is the "file" utility must correctly recognize
office documents.

The ripole tool is available here:
http://www.pldaniels.com/ripole/
or your system may have a packaged port/rpm/deb available.


-- 
Noel Jones 
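
Added example, not part of the original thread and not code from amavisd-new or ripole: a Python heuristic for the problem discussed above, which flags an OLE2 Office file that carries a Packager stream or a validated PE header. The function names and the sample byte strings are constructed for illustration; it assumes the embedded file is stored contiguously, which real documents do not guarantee.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")          # OLE2 compound-file signature
PACKAGE_STREAM = "\x01Ole10Native".encode("utf-16-le")  # stream name used by Packager embeds


def find_pe_images(data: bytes) -> list:
    """Offsets of 'MZ' headers whose e_lfanew field points at 'PE\\0\\0'."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            # e_lfanew sits at 0x3C in the DOS header and locates the PE header.
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            pe = pos + e_lfanew
            # Bounding e_lfanew keeps stray "MZ" byte pairs from validating.
            if 0x40 <= e_lfanew <= 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def scan_office_blob(data: bytes) -> dict:
    """Heuristic verdict for one attachment body (hypothetical helper)."""
    ole2 = data[:8] == OLE2_MAGIC
    return {
        "ole2": ole2,
        "package_stream": ole2 and PACKAGE_STREAM in data,
        "pe_offsets": find_pe_images(data) if ole2 else [],
    }


def constructed_pe_stub() -> bytes:
    """Constructed 152-byte stand-in for an executable: DOS header + PE signature."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)  # e_lfanew = 0x80
    return dos + bytes(0x40) + b"PE\0\0" + bytes(20)


# Constructed samples: not valid documents, only the byte patterns the scan keys on.
SAMPLE_EMBED = OLE2_MAGIC + bytes(504) + PACKAGE_STREAM + bytes(104) + constructed_pe_stub()
SAMPLE_CLEAN = OLE2_MAGIC + bytes(504) + b"MZ" + bytes(100)  # "MZ" with no PE header

if __name__ == "__main__":
    for name, blob in (("embed", SAMPLE_EMBED), ("clean", SAMPLE_CLEAN)):
        print(name, scan_office_blob(blob))
```

Because OLE2 streams can be split across non-adjacent sectors, a raw byte scan like this can miss an embed that a real unpacker would extract, so it complements rather than replaces the decoder approach described in the reply above.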


