[Mailman-Users] detecting certain file types in attachments

Andy Rowan rowan at crssa.rutgers.edu
Wed Jun 2 00:09:59 CEST 2004


Hi group,

I am running mailman 2.1.2 and sendmail.  I've got amavisd plugged in as a 
milter in sendmail, so everything passing through the server is scanned for 
viruses.  My concern is that with the proliferation of variants that often 
hit us pretty hard in the few days it can take for the antivirus software 
to get updated, I want to block certain types of files from coming through 
as attachments.  But I want to allow other types.  For the ordinary mail 
being delivered to our users, we do that with a set of procmail rules.  I'd 
like to be able to do the same kind of filtering on mailman messages.

I am operating under the assumption that the content-type field isn't to be 
trusted, since the virus writer could make a bogus one of those.  My 
experiments indicate that one can fake that field to look like something 
benign, even putting a benign file name there, and if the 
content-disposition field has a different file name with a different 
extension, Eudora at least will favor the content-disposition field.  So if 
content-type says it's a pdf and has a filename ending in pdf, but 
content-disposition says the filename ends in .zip, Eudora will launch 
winzip.  I assume .exe  and .scr and so forth would work the same, but I 
haven't tested that explicitly.

So what I want to be able to do is filter based on the content-disposition 
field.  This is trivially easy to do in procmail, but in the normal mailman 
sequence, messages never see procmail.  So, can I (a) recreate this 
capability in mailman, or (b) cause mailman to invoke procmail 
somehow?  The content filtering option on the web interface seems to look 
at content-type, not content-disposition.

I'm hoping to find a way to do it one of those two ways rather than having 
to add a whole other package like mimedefang into the mix, just to keep 
things simpler.

The relevant parts of the procmail expressions look like this:

filename=".*\.(ad[ep]|ba[st]|chm|cmd|com|cpl|crt|dll|dot|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[aetwz]|ms[cipt]|ocx|ops|pcd|pif|prf|pot|reg|sc[frt]|sh[bs]|sys|vb[es]?|ws[cfh]|xl[abdmtv]|\{[-0-9a-f]+\}.*)"

filename=".*\.(ace|ar[cj]|bh|bz(ip)?2|cab|t?gz|lha|lzh|[jrt]ar|uue|xxe|zip|zoo|z)"

Any thoughts?

Thanks.

-Andy
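
An added example, not part of the original post and not Mailman code: a Python sketch of the check the message asks for, reading the file name from Content-Disposition as well as Content-Type and flagging parts where the two disagree. The function name, finding labels and sample message are constructed for illustration; the extension lists are the ones from the procmail expressions above.

```python
import re
from email import message_from_string
from email.utils import collapse_rfc2231_value

# Extension lists copied from the two procmail expressions in the post.
EXECUTABLE = (r"ad[ep]|ba[st]|chm|cmd|com|cpl|crt|dll|dot|eml|exe|hlp|hta|in[fs]"
              r"|isp|jse?|lnk|md[aetwz]|ms[cipt]|ocx|ops|pcd|pif|prf|pot|reg"
              r"|sc[frt]|sh[bs]|sys|vb[es]?|ws[cfh]|xl[abdmtv]|\{[-0-9a-f]+\}.*")
ARCHIVE = r"ace|ar[cj]|bh|bz(ip)?2|cab|t?gz|lha|lzh|[jrt]ar|uue|xxe|zip|zoo|z"
BLOCKED = re.compile(r".*\.(?:%s|%s)" % (EXECUTABLE, ARCHIVE), re.IGNORECASE)

# Constructed sample: Content-Type claims a PDF, Content-Disposition says .zip.
SAMPLE = """\
From: sender@example.org
To: list@example.org
Subject: report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.zip"
Content-Transfer-Encoding: base64

UEsDBA==
--b1--
"""

def check_message(raw):
    """Return (reason, filename) findings for every MIME part of a raw message."""
    findings = []
    for part in message_from_string(raw).walk():
        names = set()
        # Collect every file name the part advertises, whichever header carries it.
        for header, param in (("content-disposition", "filename"),
                              ("content-type", "name"),
                              ("content-type", "filename")):
            value = part.get_param(param, header=header)
            if value is not None:  # may be an RFC 2231 tuple, so collapse it
                names.add(collapse_rfc2231_value(value).strip().lower())
        for name in sorted(names):
            if BLOCKED.fullmatch(name):
                findings.append(("blocked-extension", name))
        # Different extensions in the two headers is the spoofing case described.
        if len({n.rpartition(".")[2] for n in names}) > 1:
            findings.append(("name-mismatch", " / ".join(sorted(names))))
    return findings
```

A list filter built on this would hold or reject any message for which `check_message` returns a non-empty list.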




