diff -r -u -N amavisd-snapshot-20011031/amavis/Makefile.in amavisd-snapshot-20011031.cc/amavis/Makefile.in
--- amavisd-snapshot-20011031/amavis/Makefile.in Mon Nov 12 11:06:59 2001
+++ amavisd-snapshot-20011031.cc/amavis/Makefile.in Tue Dec 4 19:49:39 2001
@@ -147,7 +147,7 @@
 noinst_SCRIPTS = checkaccount
 sbin_SCRIPTS = amavisd
-sysconf_DATA = amavisd.conf
+sysconf_DATA = amavisd.conf amavisd-blacklist.conf
 EXTRA_DIST = av mta notify
@@ -455,7 +455,9 @@
 # this may be over-cautious
 install-data-local:
 @chmod 600 $(DESTDIR)$(sysconfdir)/amavisd.conf
+ @chmod 600 $(DESTDIR)$(sysconfdir)/amavisd-blacklist.conf
 @chown $(amavisuser) $(DESTDIR)$(sysconfdir)/amavisd.conf
+ @chown $(amavisuser) $(DESTDIR)$(sysconfdir)/amavisd-blacklist.conf
 install-exec-hook:
 post-install $(srcdir)/checkaccount
diff -r -u -N amavisd-snapshot-20011031/amavis/amavisd-blacklist.conf amavisd-snapshot-20011031.cc/amavis/amavisd-blacklist.conf
--- amavisd-snapshot-20011031/amavis/amavisd-blacklist.conf Wed Dec 31 16:00:00 1969
+++ amavisd-snapshot-20011031.cc/amavis/amavisd-blacklist.conf Tue Dec 4 19:49:39 2001
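Review bot: Adding amavisd-blacklist.conf to `sysconf_DATA` installs the shipped default over whatever is already in `$(sysconfdir)`, and unlike amavisd.conf this file is the site's attachment policy that an administrator is expected to extend, so a later `make install` (if the generated `sysconf_DATA` rules behave as they usually do) silently replaces local additions with the upstream list. Keeping the file out of `sysconf_DATA` and copying it from `install-data-local` only when absent, `test -f $(DESTDIR)$(sysconfdir)/amavisd-blacklist.conf || $(INSTALL_DATA) $(srcdir)/amavisd-blacklist.conf $(DESTDIR)$(sysconfdir)/amavisd-blacklist.conf`, avoids the policy regression; the added `chmod 600`/`chown` lines can stay as they are, since they mirror the existing handling of amavisd.conf.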
@@ -0,0 +1,127 @@
+################################################################################
+# blacklist-files
+#
+# This file contains the blacklist filename matching patterns.
+# The format of the file is one perl regular expression per line.
+# Any line beginning with a # is a comment and will be ignored.
+#
+# For example, to match any file that ends in ".asd" or ".ASD", you
+# would have the following perl regular expression on a line by itself:
+#
+# /\.asd$
+#
+################################################################################
+
+#
+# File extensions that are just plain bad.
+#
+\.asd$
+\.chm$
+\.cil$
+\.dll$
+\.hlp$
+\.hta$
+\.js$
+\.lnk$
+\.nws$
+\.ocx$
+\.pif$
+\.reg$
+\.scr$
+\.sh[bs]$
+\.vb([se])?$
+\.ws[cfh]$
+\.([a-z]){2}([a-z0-9])?\s*\.([a-z0-9]){2,3}$
+\s+\.exe$
+
+#
+# File names (and variations thereof) that are known to be
+# worms, viruses, or just plain Bad News(tm) for email attachments.
+#
+[0-9]+-i386-update\.exe
+IBMls\.exe
+amateurs\.exe
+anal\.exe
+anna\.exe
+anniv\.doc
+anti_cih\.exe
+aol4free\.com
+asian\.exe
+atchim\.exe
+avp_updates\.exe
+babylonia\.exe
+badass\.exe
+black\.exe
+blancheneige\.exe
+blonde\.exe
+boys\.exe
+buhh\.exe
+celebrity.rape\.exe
+cheerleader\.exe
+chocolate\.exe
+compu_ma\.exe
+creative\.exe
+cum\.exe
+cumshot\.exe
+doggy\.exe
+dwarf4you\.exe
+emanuel\.exe
+enanito.fisgon\.exe
+enano\.exe
+enano.porno\.exe
+famous\.exe
+fist-f.cking\.exe
+gay\.exe
+girls\.exe
+happy[0-9]+\.exe
+hardcore\.exe
+horny\.exe
+hot\.exe
+hottest\.exe
+i-watch-u\.exe
+ie0199\.exe
+jesus\.exe
+joke\.exe
+kinky\.exe
+leather\.exe
+lesbians\.exe
+list\.doc
+lovers\.exe
+messy\.exe
+oains\.exe
+nakedwife\.exe
+navidad\.exe
+oral\.exe
+orgy\.exe
+path\.xls
+photos17\.exe
+picture\.exe
+pleasure\.exe
+pretty.park\.exe
+prettypark\.exe
+qi_test\.exe
+raquel.darian\.exe
+romeo\.exe
+\..*romeo\.exe
+sado\.exe
+seicho_no_ie\.exe
+serialz\.hlp
+setup\.exe
+sex\.exe
+sexy\.exe
+slut\.exe
+sm\.exe
+sodomized\.exe
+story\.doc
+suck\.exe
+suppl\.doc
+surprise!\.exe
+suzete\.exe
+teens\.exe
+virgins\.exe
+x-mas\.exe
+xena\.exe
+xuxa\.exe
+y2kcount\.exe
+yahoo\.exe
+zipped_files\.exe
diff -r -u -N amavisd-snapshot-20011031/amavis/amavisd.conf.in amavisd-snapshot-20011031.cc/amavis/amavisd.conf.in
--- amavisd-snapshot-20011031/amavis/amavisd.conf.in Mon Nov 12 11:12:05 2001
+++ amavisd-snapshot-20011031.cc/amavis/amavisd.conf.in Tue Dec 4 19:49:39 2001
@@ -162,3 +162,22 @@
 # Display AMaViS credits to users
 $credits = "no";
+####################################################
+
+#
+# Hacks. These are for features added that are not
+# part of the "official" amavisd package (yet).
+# Nothing after this point is guaranteed to work.
+#
+
+# Do MIME Part blacklisting based on filename?
+# Note that this is never going to be 100% accurate and you
+# will likely make life very annoying for your users if you
+# do this, but most of the filenames & extensions in the default
+# blacklist configuration are ones that really should never be
+# sent via email outside of a .zip or other type of archive
+# file. (Okay, maybe only in my reality.)
+$use_blacklist = "yes";
+
+# Blacklist contents
+$blacklist_config = "@config_dir@/amavisd-blacklist.conf";
diff -r -u -N amavisd-snapshot-20011031/amavis/amavisd.in amavisd-snapshot-20011031.cc/amavis/amavisd.in
--- amavisd-snapshot-20011031/amavis/amavisd.in Mon Nov 12 11:12:16 2001
+++ amavisd-snapshot-20011031.cc/amavis/amavisd.in Tue Dec 4 19:49:39 2001
@@ -119,6 +119,11 @@
 use vars qw ( $SENDER @RECIPS $LDA @LDAARGS );
 use vars qw ( $sendmail_wrapper $sendmail_wrapper_args $mailfrom $mailto );
+# HACKALERT
+# Blacklist stuff
+use vars qw ( $use_blacklist $blacklist_config );
+my (@blacklist_patterns, $blacklisted_name, $blacklisted_pattern);
+
 # Temporary directory
 # Moved this above MTA init section because milter init sets TEMPDIR
 my $TEMPBASE = "@runtime_dir@";
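Review bot: The header example `/\.asd$` does not match how amavisd.in's `blacklist_load` consumes this file: each line is compiled verbatim with `qr /$_/i`, so the leading slash becomes a literal character and the example as written would only match names containing `/.asd`; it should read `\.asd$` like the entries below it. The double-extension rule `\.([a-z]){2}([a-z0-9])?\s*\.([a-z0-9]){2,3}$` also matches `.tar.gz` names (`.tar` followed by `.gz`), while the recipient and sender notifications in this same patch tell users to resend blocked files as .tar.gz, so either the rule needs a carve-out for the archive suffixes the notices recommend or the advice should change. The header should also say that patterns are applied case-insensitively and are not anchored at the start, since nothing in the file documents the `/i` the loader adds.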
@@ -141,6 +146,10 @@
 # misc internals
 use vars qw ( $MAXLEVELS $credits $fh );
+# Get my hostname; we do it here instead of in do_log because we'll need
+# it later in the warn*() subroutines.
+my $hostname = (uname)[1];
+
 # Magic number to detect DoS attacks
 my $threshold = 14;
@@ -191,6 +200,14 @@
 # rethink - handler should be simple
 sub read_config {
 do "$config_file" || die "Cannot read config file: $!";
+ # Check to see if we're doing blacklisting; if we are, reload
+ # the blacklist from the file, and if we're not, dump the blacklist
+ # array to free up some resources.
+ if ($use_blacklist) {
+ blacklist_load();
+ } else {
+ undef @blacklist_patterns;
+ }
 $SIG{HUP} = \&read_config;
 }
 $SIG{HUP} = \&read_config;
@@ -383,11 +400,29 @@
 #
 # If virus found
+This function will now be called if either a virus or a blacklisted file
+attachment is found.
+# GKA - 2001-09-24 (updated 2001-11-28)
+#
 sub do_virus(@) {
 # AV scanner output
 my $output = shift;
- $viruslist = join("\n\t",@virusname);
+
+ my ($prefix, $logmsg);
+ unless ($blacklisted_name) {
+ # we don't need to worry about leaving this empty, since
+ # $blacklisted_name is defined; all of our notify fragments
+ # are also hacked to base their output on it as well.
+ $viruslist = join("\n\t",@virusname);
+ $prefix = "v-";
+ $logmsg = "Virus found";
+ } else {
+ # if we found a blacklisted file instead of a virus, change
+ # the prefix and syslog message
+ $prefix = "b-";
+ $logmsg = "Blacklisted file found";
+ }
 # Quarantine the original email message?
 if ($TESTING ne "yes") {
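Review bot: `if ($use_blacklist)` in read_config tests truthiness, but amavisd.conf.in sets the option to the string "yes" and the rest of this file compares such flags with `eq "yes"` (`$TESTING ne "yes"` in the next hunk, `$DEBUG eq "no"` and `$enable_relay eq "yes"` further on), so an administrator who writes `$use_blacklist = "no";` still gets blacklisting because "no" is a true string. Change it to `if ($use_blacklist eq "yes") {` here and to `check_blacklist($fileh) if ($use_blacklist eq "yes");` in the @@ -502 hunk. read_config is also the SIGHUP handler, and blacklist_load (later hunk) pushes onto @blacklist_patterns without emptying it first, so every reload duplicates the list; clearing it before the call, `@blacklist_patterns = ();`, keeps reloads idempotent.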
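Review bot: do_virus now branches on `$blacklisted_name`, which check_blacklist sets when a part matches and nothing in this patch ever clears; if one process handles more than one message (the SIGHUP reload handling suggests a long-lived daemon), every message after the first blacklist hit is logged and quarantined as `b-` even when the scanner found a real virus, and `$viruslist` is then left stale from the previous message. Resetting `$blacklisted_name` and `$blacklisted_pattern` to undef where a new message starts (or at the top of check_blacklist) removes the carry-over. As a point of style, `unless (...) { ... } else { ... }` is the construct perlcritic flags; `if ($blacklisted_name) { ... } else { ... }` with the branches swapped reads more directly. do_virus's body continues past the end of the hunk.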
@@ -395,12 +430,12 @@
 log_msg_id(1);
 if ($QUARANTINEDIR) {
- $VIRUSFILE = "virus-" . strftime("%Y%m%d-%H%M%S", localtime) . "-" . "$$";
+ $VIRUSFILE = $prefix . strftime("%Y%m%d-%H%M%S", localtime) . "-" . "$$";
 move ("$TEMPDIR/email.txt", "$QUARANTINEDIR/$VIRUSFILE");
- do_log(0,"Virus found - quarantined as $VIRUSFILE");
+ do_log(0,"$logmsg - quarantined as $VIRUSFILE");
 } else {
- do_log(0,"Virus found - not quarantined");
+ do_log(0,"$logmsg - not quarantined");
 }
 # Then we send email
@@ -502,6 +537,15 @@
 $entity = $parser->parse($fileh);
 $fileh->seek(0,0);
+ # See if we have any blacklisted files as mime attachments.
+ # If any of the "top level" mime parts are blacklisted, then
+ # we can skip straight to the reject. We don't bother with
+ # decomposing any of the attachments yet, as we won't be
+ # concerned with that unless none of the attachments are
+ # blacklisted.
+
+ check_blacklist($fileh) if ($use_blacklist);
+
 # Extract and decode each part to the extent possible
 for (my $i = 1; $i <= $MAXLEVELS; $i++) {
@@ -1042,7 +1086,6 @@
 # create syslog-alike
 my $datestamp = strftime("%b %e %H:%M:%S", localtime);
- my $hostname = (uname)[1];
 my $line = "$datestamp $hostname $myname\[$$\]: $errmsg\n";
 if ($DEBUG eq "no") {
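Review bot: The quarantine file name loses its fixed `virus-` prefix in favour of `$prefix` (`v-` or `b-`), so anything outside this tree that finds quarantined mail by that prefix (cleanup jobs, reporting) stops matching without any error. If that compatibility matters, set `$prefix = "virus-";` and `$prefix = "blacklist-";` in do_virus instead of the two-letter forms, which also makes a listing of `$QUARANTINEDIR` self-explanatory. The `$logmsg` substitution in the two do_log calls is fine; do_virus begins before this hunk.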
@@ -1158,3 +1201,79 @@
 # Safeguard - shouldn't get here
 do_exit(0, __LINE__);
+#
+# MIME part blacklisting subroutines
+#
+
+sub blacklist_load () {
+
+ if ( -r "$blacklist_config" ) {
+ open (BLACKLIST, "< $blacklist_config") || do_exit($REGERR, __LINE__);
+ while () {
+ chomp;
+ next if /^#/; # Reject comment lines
+ next if /^$/; # Reject empty lines
+ push @blacklist_patterns, qr /$_/i;
+ }
+ close (BLACKLIST);
+ }
+}
+
+#
+# Examine MIME-part filenames
+sub check_blacklist (@) {
+ my($fileh) = shift;
+ my($current_entity,$part_name,$part_headers);
+ my($currentpart,$numparts);
+ my($pattern,$foundmatch);
+
+ if (! defined($entity)) {
+ do_log(4,"Hey, I lost my MIME entity! No mail message???");
+ do_log(4,"Killing myself because i've lost my entity.");
+ do_exit($REGERR, __LINE__);
+ }
+
+ # How many parts are we dealing with?
+ $numparts = $entity->parts;
+
+ # it only makes sense to examine for file attachments if there are
+ # file attachments to begin with.
+ $currentpart = 0;
+ while ($currentpart < $numparts && !$foundmatch) {
+ $current_entity = $entity->parts($currentpart);
+ $part_headers = $current_entity->head;
+ $part_name = $part_headers->recommended_filename;
+
+ # Just because we have a part, doens't mean it has a filename;
+ # if it doesn't have a filename, we ignore it.
+ # THIS IS A BIG WIDE GAPING HOLE! It is possible to mime-encode
+ # and attach malicious content without being "proper" about
+ # it, and email clients would still decode and execute it.
+ # This should probably be backed up by a file(1)-based method
+ # of determining exactly what the mime part is; perhaps as
+ # another AV "module" that gets run before the real AV scanner.
+ unless ( $part_name eq "" ) {
+ $foundmatch = 0;
+ foreach (@blacklist_patterns) {
+ if ($part_name =~ $_) {
+ $foundmatch = 1;
+ $pattern = $_;
+ last;
+ }
+ }
+ }
+
+ # move to the next part
+ $currentpart++;
+ }
+
+ if ($foundmatch) {
+ $pattern =~ s/.*://;
+ $pattern =~ s/\)//;
+ $blacklisted_pattern = $pattern;
+ $blacklisted_name = $part_name;
+ do_virus("Found blacklisted file $blacklisted_name.\n");
+ #do_blacklist($fileh);
+ }
+
+}
diff -r -u -N amavisd-snapshot-20011031/amavis/mta/sendmail_args amavisd-snapshot-20011031.cc/amavis/mta/sendmail_args
--- amavisd-snapshot-20011031/amavis/mta/sendmail_args Thu Mar 1 10:39:21 2001
+++ amavisd-snapshot-20011031.cc/amavis/mta/sendmail_args Tue Dec 4 19:49:39 2001
@@ -1,12 +1,12 @@
-# command line parsing, sendmail version
+ # command line parsing, sendmail version
-if ($enable_relay eq "yes") {
- # relay config
+ if ($enable_relay eq "yes") {
+ # relay config
- $LDA = $sendmail_wrapper;
- push(@LDAARGS, "-C$sendmail_cf_orig");
- push(@LDAARGS, "-f<$SENDER>");
- push(@LDAARGS, "@RECIPS");
-}
+ $LDA = $sendmail_wrapper;
+ push(@LDAARGS, "-C$sendmail_cf_orig");
+ push(@LDAARGS, "-f<$SENDER>");
+ push(@LDAARGS, "@RECIPS");
+ }
-# End sendmail cmd line parsing
+ # End sendmail cmd line parsing
diff -r -u -N amavisd-snapshot-20011031/amavis/notify/admin amavisd-snapshot-20011031.cc/amavis/notify/admin
--- amavisd-snapshot-20011031/amavis/notify/admin Tue Dec 4 19:49:20 2001
+++ amavisd-snapshot-20011031.cc/amavis/notify/admin Tue Dec 4 19:50:04 2001
@@ -2,17 +2,45 @@
 print MAIL <<"EOF";
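Review bot: blacklist_load silently yields an empty list when the configured file is missing or unreadable (a false `-r` takes no branch at all), so `$use_blacklist` stays on while nothing is enforced; log that case with do_log and, since the file is site policy, consider treating it like the failed open (`do_exit($REGERR, __LINE__)`). A malformed line dies inside `qr /$_/i` with no message naming the offending pattern, and because read_config is the SIGHUP handler a config typo takes the daemon down; `my $re = eval { qr/$_/i }; unless ($re) { do_log(0, "bad blacklist pattern: $_"); next; }` skips it instead. `while ()` reads like an extraction artefact for `while (<BLACKLIST>)`; either way the 2-arg bareword `open (BLACKLIST, "< $blacklist_config")` should become the 3-arg lexical form `open (my $bl, '<', $blacklist_config)`. In check_blacklist, `$entity->parts` only walks the top level, so a blacklisted name inside a nested multipart or a message/rfc822 container is never examined; MIME::Entity's `parts_DFS` returns the flattened list and fits the same loop. `recommended_filename` can return undef, so `$part_name eq ""` should be `!defined($part_name) || $part_name eq ""` to avoid uninitialized-value warnings on unnamed parts.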
 From: $mailfrom
 To: $mailto
-Subject: FOUND VIRUS IN MAIL from $SENDER
+EOF
+ unless ($blacklisted_name) {
+ print MAIL <<"EOF";
+Subject: VIRUS FOUND IN MAIL from $SENDER
 A virus was found in an email from: $SENDER
-The message was addressed to:
+The virus scanner found the following virus(es):
+
+\t$viruslist
+
+The message was addressed to:
 EOF
+ } else {
+ print MAIL <<"EOF";
+Subject: POSSIBLE VIRUS CONTENT IN MAIL from $SENDER
+
+A possible virus payload was found in an email from:
+
+\t$SENDER
+
+The message contained the following file, which has been "blacklisted"
+in this mail server's configuration:
+
+\t$blacklisted_name
+
+This file name matched the following pattern in the blacklist:
+
+\t$blacklisted_pattern
+
+The message was addressed to:
+
+EOF
+ }
 foreach (@RECIPS) {
- print MAIL "-> $_\n";
+ print MAIL "\t$_\n";
 }
 if ($QUARANTINEDIR) {
@@ -20,21 +48,26 @@
 The message has been quarantined as:
-$QUARANTINEDIR/$VIRUSFILE
+$hostname:$QUARANTINEDIR/$VIRUSFILE
+
 EOF
 }
- print MAIL <<"EOF";
-
-Here is the output of the scanner:
+ unless ($blacklisted_name) {
+ print MAIL <<"EOF";
+====================================================================
+Following is the output of the virus scanner:
 $output
-Here are the headers:
+
+EOF
+ }
+ print MAIL <<"EOF";
+====================================================================
+For your reference, here are the headers from the email:
 ------------------------- BEGIN HEADERS -----------------------------
 EOF
 $entity->print_header(\*MAIL);
 print MAIL <<"EOF";
 -------------------------- END HEADERS ------------------------------
-
 EOF
diff -r -u -N amavisd-snapshot-20011031/amavis/notify/recip amavisd-snapshot-20011031.cc/amavis/notify/recip
--- amavisd-snapshot-20011031/amavis/notify/recip Tue Dec 4 19:49:20 2001
+++ amavisd-snapshot-20011031.cc/amavis/notify/recip Tue Dec 4 19:49:39 2001
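Review bot: This template reads `$hostname`, `$blacklisted_name` and `$blacklisted_pattern`, all of which the amavisd.in hunks declare with `my` at file scope, whereas the variables these fragments already used (`$SENDER`, `@RECIPS`, `$mailfrom`, `$mailto`) are package globals from `use vars`. If the notify files are spliced into amavisd at build time the lexicals are in scope; if they are evaluated as separate files the three names resolve to empty globals, the blacklist branch is never taken and the quarantine line prints `:` with no host — worth confirming against how amavisd.in includes them, and moving the three names into the `use vars` list removes the doubt either way. The `unless ($blacklisted_name) { ... } else { ... }` shape recurs in notify/recip and notify/sender; `if` with the branches swapped is the conventional form.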
@@ -1,33 +1,70 @@
- my $amavis_url = &amavisCredits();
- $SENDER = "(empty address)" if ($SENDER eq "<>");
- print MAIL <<"EOF";
+ my $amavis_url = &amavisCredits();
+ $SENDER = "(empty address)" if ($SENDER eq "<>");
+ print MAIL <<"EOF";
 From: $mailfrom
 To: $_
+EOF
+ unless ($blacklisted_name) {
+ print MAIL <<"EOF";
 Subject: VIRUS IN MAIL FOR YOU FROM $SENDER
 V I R U S A L E R T
-Our viruschecker found the
+An email sent to you by:
+
+\t$SENDER
+
+was found to contain the following virus(es):
 \t$viruslist
-virus(es) in an email to you from:
+Delivery of the email was stopped!
+
+You may wish to notify the sender of this message that their computer
+may be infected, so that they may take proper measures to "clean" it.
+
+Please contact your systems administrator for more information.
+
+EOF
+ } else {
+ print MAIL <<"EOF";
+Subject: POSSIBLE VIRUS SENT TO YOU FROM $SENDER
+
+ P O S S I B L E V I R U S A L E R T
+
+An email message sent to you from:
+
+\t$SENDER
-$SENDER
+was found to contain file attachments which are commonly used to
+transmit or contain computer viruses and/or email worms.
 Delivery of the email was stopped!
-Please contact your system administrator for details.
+The name of the file attachment which triggered the virus checker is:
+
+\t$blacklisted_name
+
+If this file was being legitimately sent, please instruct the sender to
+first compress or package the file in a well-known archive format, such
+as .ZIP, .tar or .tar.gz.
+
+Please contact your systems administrator for more information.
 EOF
- if ($QUARANTINEDIR) {
- print MAIL <<"EOF";
+ }
+ if ($QUARANTINEDIR) {
+ print MAIL <<"EOF";
+NOTE: The original email message has been quarantined. When contacting
+your systems administrator, please be sure to include either this
+message or just the quarntine ID shown below.
+
 The ID of your quarantined message is:
 $VIRUSFILE
 EOF
- }
- print MAIL <<"EOF";
+ }
+ print MAIL <<"EOF";
 $amavis_url
 EOF
diff -r -u -N amavisd-snapshot-20011031/amavis/notify/sender amavisd-snapshot-20011031.cc/amavis/notify/sender
--- amavisd-snapshot-20011031/amavis/notify/sender Tue Aug 7 08:22:18 2001
+++ amavisd-snapshot-20011031.cc/amavis/notify/sender Tue Dec 4 19:49:39 2001
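Review bot: The added quarantine paragraph misspells the word in `message or just the quarntine ID shown below.` (should be `quarantine`), and notify/sender adds the same paragraph with the same typo; both are user-facing text. The blacklist branch advises the sender to repackage the file as .ZIP, .tar or .tar.gz, but the default amavisd-blacklist.conf in this patch contains a double-extension rule that matches `.tar.gz` names, so a user following this advice gets the same rejection; either the rule or the advice needs to change, and the recipient notice would be more actionable if it named the extension that matched rather than only the file name. The hunk's surrounding `print MAIL` structure starts in the previous line and is otherwise consistent.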
@@ -2,28 +2,80 @@
 print MAIL <<"EOF";
 From: $mailfrom
 To: $SENDER
+EOF
+ unless ($blacklisted_name) {
+ print MAIL <<"EOF";
 Subject: VIRUS IN YOUR MAIL
 V I R U S A L E R T
-Our viruschecker found the
+An email which was sent by you ($SENDER)
+to the following email recipient(s):
-\t$viruslist
+EOF
+ } else {
+ print MAIL <<"EOF";
+Subject: POSSIBLE VIRUS CONTENT IN MAIL YOU SENT!
+
+ P O S S I B L E V I R U S A L E R T
-virus(es) in your email to the following recipient(s):
+An email which was sent by you ($SENDER)
+to the following email recipient(s):
 EOF
+ }
 foreach (@RECIPS) {
- print MAIL "-> $_\n";
+ print MAIL "\t$_\n";
+ }
+ unless ($blacklisted_name) {
+ print MAIL <<"EOF";
+
+was found to contain the following virus(es):
+
+\t$viruslist
+
+Delivery of this email was stopped!
+
+It is highly recommended that you (or your systems administrator) check
+your computer for viruses as soon as possible.
+
+EOF
+ } else {
+ print MAIL <<"EOF";
+
+was found to contain file attachments which are commonly used to
+transmit or contain computer viruses and/or email worms.
+
+Delivery of this email was stopped!
+
+The name of the file attachment which triggered this alert is:
+
+\t$blacklisted_name
+
+If this file was a legitimate file transfer agreed upon by both your
+intended recipient(s) and yourself, please first place the file in a
+commonly used archive format, such as .ZIP, .tar or .tar.gz.
+
+EOF
+ }
+ if ($QUARANTINEDIR) {
+ print MAIL <<"EOF";
+NOTE: The original email message has been quarantined. When contacting
+your systems administrator, please be sure to include either this
+message or just the quarntine ID shown below.
+
+The ID of your quarantined message is:
+
+$VIRUSFILE
+
+EOF
 }
 print MAIL <<"EOF";
-Delivery of the email was stopped!
+Please contact your systems administrator for more information.
-Please check your system for viruses, or ask your system administrator
-to do so.
-$amavis_url
-For your reference, here are the headers from your email:
+====================================================================
+For your reference, here are the headers from the email:
 ------------------------- BEGIN HEADERS -----------------------------
 EOF
@@ -31,4 +83,5 @@
 print MAIL <<"EOF";
 -------------------------- END HEADERS ------------------------------
+$amavis_url
 EOF
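Review bot: The sender notification is now produced for blacklist hits as well, and the names in the default blacklist are characteristic of mass-mailers that forge the envelope sender, so in practice this branch will mostly notify uninvolved third parties (backscatter) rather than the machine that sent the file. Gating the blacklist branch of this template on its own configuration flag, so that a site can notify the sender only for scanner-confirmed infections, keeps the existing virus behaviour while limiting the new one. The quarantine paragraph should read `quarantine` rather than `quarntine`, as in notify/recip. The first hunk begins on the previous line at `print MAIL <<"EOF";`.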