Re: Unix Anti-Virus Recommendations

From: Joseph Tam (tam@math.ubc.ca)
Date: 03/06/02


Date: Tue, 5 Mar 2002 17:47:37 -0800 (PST)
From: Joseph Tam <tam@math.ubc.ca>
To: focus-sun@securityfocus.com


Mark Baldwin wrote:
> I am looking for any recommendations on AV products that integrate with
> Sendmail on Solaris (8). I am currently exploring Mailscanner in
> conjunction with Sophos, and would appreciate any information on this or
> other products that you may have used.

For those who don't want to spend the money but still want to implement
some sort of AV capability in sendmail, you can install this hack.
It patches sendmail to rename MIME attachments (fiddles with the extension)
so that a Windows mail reader will get confused and won't try to execute it.
The operation is reversible, but it forces the user to save to a file, rename
it, then execute. It's handy for viruses that haven't been fingerprinted
yet, or with users whose fingers outrun their brain or mail readers that
have been misconfigured to autoexec attachments.

It ought to be fairly easy to modify for the version of sendmail you have
(just as long as it's not too old) or to add new extensions. The simple
scanner can be fooled, but after running for a few months, I've had one
unintended change (eBay automatic notices with super-long URLs in the
message).

--------------------------------------------------------------------------------
Last updated: Dec 12, 2001 (Joseph Tam <tam@math.ubc.ca>)

This is a patch for sendmail 8.12.1 (sendmail-8.12.1/sendmail/collect.c)
that scans the entire body of the message for MIME headers that indicate
a file attachment, then renames any attachment with one of the extensions

        ".exe", ".com", ".lnk", ".bat", ".pif",
        ".scr", ".asd", ".chm", ".cil", ".dll",
        ".hlp", ".hta", ".js" , ".nws", ".ocx",
        ".reg", ".shs", ".shb", ".vb" , ".wsc",
        ".wsf", ".wsh"

by replacing the "." with "~" (e.g. "file.exe" -> "file~exe").

The original patch came from

        http://www.missing.net/vbscript.php3

To install the patch, unpack the sources for sendmail 8.12.1, then

        cd sendmail-8.12.1/sendmail
        patch < vbs-patch-8.12.1

then build and install sendmail.

Changes from vbs-patch-8.11.3:

        - Patches sendmail 8.12.1 source
        - Adds many more extensions to rename
        - More logging
        - Collapses test for "filename=" and "name=" to just "name="
        - Optimises extension search by starting search at end of "name="
        - Made search for "vbs" case insensitive in Content-Type headers
        - Minor style changes

--------------------------------------------------------------------------------
*** collect.c.orig Mon Sep 10 21:05:12 2001
--- collect.c Wed Dec 12 18:33:47 2001
***************
*** 22,28 ****
--- 22,146 ----
  static SM_FILE_T *collect_dfopen __P((ENVELOPE *));
  static SM_FILE_T *collect_eoh __P((ENVELOPE *, int, int));

+ #define TWEAKVBS 1
+ #ifdef TWEAKVBS
  /*
+ * Version four of the VBScript "neuter" patch for Sendmail 8.12.1
+ *
+ * AS BEFORE, USE AT YOUR OWN RISK!!!
+ *
+ * Make sure you have "O SuperSafe=True" set in sendmail.cf or this
+ * patch won't do squat.
+ */
+
+ /*
+ * case-insensitive strstr function
+ *
+ * Borrowed from the C Snippets collection at:
+ *
+ * http://www.strangecreations.com/library/snippets
+ *
+ * Rev History: 05/05/00 Jon Yarden (cleaned for visiblity)
+ * 07/04/95 Bob Stout ANSI-fy
+ * 02/03/94 Fred Cole Original
+ */
+ char *stristr(const char *haystack, const char *needle)
+ {
+ char *pptr, *sptr, *start;
+ unsigned int slen, plen;
+
+ start = (char *)haystack;
+ pptr = (char *)needle;
+ slen = strlen(haystack);
+ plen = strlen(needle);
+
+ while (slen >= plen) {
+ while (toupper(*start) != toupper(*needle)) {
+ start++;
+ slen--;
+ if (slen < plen) return (char *)NULL;
+ }
+
+ sptr = start;
+ pptr = (char *)needle;
+
+ while (toupper(*sptr) == toupper(*pptr)) {
+ sptr++;
+ pptr++;
+
+ if (*pptr == '\0') return (start);
+ }
+ start++;
+ slen--;
+ }
+ return (char *)NULL;
+ }
+
+ /*
+ * neuter(str) - looks for a list of bad Windows file extensions in argument
+ * str, and renames the extension found by replacing the first character
+ * with "~".
+ */
+ static void neuter (char *str, const ENVELOPE *e)
+ {
+ int i;
+ char *p, message[128];
+ const static char *ext_tab[] = {
+ ".exe", ".com", ".lnk", ".bat", ".pif",
+ ".scr", ".asd", ".chm", ".cil", ".dll",
+ ".hlp", ".hta", ".js" , ".nws", ".ocx",
+ ".reg", ".shs", ".shb", ".vb" , ".wsc",
+ ".wsf", ".wsh",
+ (char *)NULL
+ };
+
+ for (i=0; ext_tab[i]; i++) {
+ p = str;
+ while ((p=stristr(p,ext_tab[i]))) {
+ *p='~';
+ if (LogLevel>=2) {
+ sprintf(message,"collect: tweaked file extension (%s).",ext_tab[i]);
+ sm_syslog(LOG_WARNING,e->e_id,message);
+ }
+ }
+ }
+ }
+
+ static void sanitizeVBS (const char *dfname, const ENVELOPE *e) {
+ FILE *fp1, *fp2;
+ char *p, *q, line[4096];
+ char tmpfile[MAXQFNAME+5];
+
+ if (!(fp1=fopen(dfname,"r"))) return;
+ strcpy(tmpfile,dfname);
+ strcat(tmpfile,".tmp");
+ if (!(fp2=fopen(tmpfile,"w"))) return;
+
+ while ( fgets(line,4095,fp1) ) {
+
+ if ( (p=stristr(line,"name=")) )
+ neuter(&p[5],e);
+ else if ( (p=strstr(line,"Content-Type:")) ) {
+ /*
+ * Tom Lislegaard <tl@cmr.no> contributed this:
+ * "I added the following tweak to turn type VBSFile into XBSFile."
+ */
+ if ( (q=stristr(p,"vbs")) ) {
+ *q = 'X';
+ if (LogLevel>=2)
+ sm_syslog(LOG_WARNING,e->e_id,"collect: tweaked filetype VBS to XBS.");
+ }
+ }
+ fputs(line,fp2);
+ }
+
+ fclose(fp1);
+ fclose(fp2);
+ rename(tmpfile,dfname);
+ }
+ #endif
+
+ /*
  ** COLLECT_EOH -- end-of-header processing in collect()
  **
  ** Called by collect() when it encounters the blank line
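Review bot: neuter() replaces every occurrence of a listed extension anywhere after "name=" on the line, not just the filename's final extension, so `name=report.company.doc` becomes `report~company.doc`, `name=README.exe.txt` is mangled, and any body line with `name=` followed by a `.com` hostname is rewritten (the eBay notices mentioned above); anchor the match to the end of the parameter value (closing quote or `;`) and preferably only examine lines inside a MIME part header block. In sanitizeVBS(), fp1 leaks when fopen(tmpfile) fails, fputs()/fclose() errors are ignored before rename() replaces the queue data file (a disk-full condition would silently truncate the message), the temp file is created with fopen("w") under the current umask rather than the queue file's mode, and fgets(line,4095,fp1) splits longer lines so a `name=` straddling the boundary is missed. stristr() should cast to unsigned char before toupper(), since 8-bit bytes are routine in mail bodies, and `sm_syslog(LOG_WARNING,e->e_id,message)` should pass a "%s" format instead of the built string as the format. Style: `#define TWEAKVBS 1` directly above `#ifdef TWEAKVBS` makes the guard unconditional (let it come from conf.h or the build flags), and `const static` reads better as `static const`.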
***************
*** 829,834 ****
--- 947,955 ----
          if (SuperSafe == SAFE_REALLY && !bitset(EF_FATALERRS, e->e_flags))
          {
                  char *dfname = queuename(e, DATAFL_LETTER);
+ #ifdef TWEAKVBS
+ sanitizeVBS(dfname,e);
+ #endif
                  if ((e->e_dfp = sm_io_open(SmFtStdio, SM_TIME_DEFAULT, dfname,
                                             SM_IO_RDONLY, NULL)) == NULL)
                  {
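Review bot: sanitizeVBS() returns void and runs before the data file is reopened, so any failure inside it (unreadable dfname, temp file not creatable, short write) leaves the message unsanitized with nothing logged and nothing for the caller to act on; return a status and log it here at LogLevel >= 2 alongside the existing tweak messages, or treat a failure as a reason to defer the message. This hook also fires only under `SuperSafe == SAFE_REALLY`, which matches the "O SuperSafe=True" remark inside the code comment but is not stated in the install instructions above, where an administrator would actually look for it.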
--------------------------------------------------------------------------------

Joseph Tam <tam@math.ubc.ca>
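As an added example (not part of Joseph Tam's post or the patch above), here is a stand-alone C version of the rename step that only touches the final extension of a name=/filename= parameter value, so a `.com` hostname or a `file.exe.txt` name following `name=` is left alone, which is the kind of false positive the post describes with the eBay notices. The extension table is the one listed above; the function names `neuter_line` and `neuter_matches` and the sample header lines are my own constructions.

```c
#include <ctype.h>
#include <string.h>
static const char *ext_tab[] = {        /* the extension list from the patch text above */
    ".exe", ".com", ".lnk", ".bat", ".pif", ".scr", ".asd", ".chm", ".cil", ".dll", ".hlp",
    ".hta", ".js", ".nws", ".ocx", ".reg", ".shs", ".shb", ".vb", ".wsc", ".wsf", ".wsh", NULL };

/* Case-insensitive equality of n bytes (unsigned char cast: 8-bit mail bytes are legal input). */
static int ieq(const char *a, const char *b, size_t n)
{
    while (n--)
        if (toupper((unsigned char)*a++) != toupper((unsigned char)*b++)) return 0;
    return 1;
}

/* Rename a listed extension in a MIME header line in place ("." -> "~", as the patch
 * does), but only when it is the final extension of the name=/filename= parameter
 * value. Returns 1 if the line changed. RFC 2231 "name*=" parameters are not handled. */
int neuter_line(char *line)
{
    char *val, *end, *q, *dot = NULL;
    size_t i, n, len = strlen(line);
    for (i = 0; i + 5 <= len && !ieq(line + i, "name=", 5); i++) ;
    if (i + 5 > len) return 0;
    val = line + i + 5;
    /* a quoted value runs to the closing quote, a bare one to ';' or blank */
    if (*val == '"')
        for (end = ++val; *end && *end != '"'; end++) ;
    else
        for (end = val; *end && *end != ';' && !isspace((unsigned char)*end); end++) ;
    for (q = val; q < end; q++)          /* the last dot marks the real extension */
        if (*q == '.') dot = q;
    if (dot == NULL) return 0;
    n = (size_t)(end - dot);
    for (i = 0; ext_tab[i]; i++)
        if (strlen(ext_tab[i]) == n && ieq(dot, ext_tab[i], n)) {
            *dot = '~';                  /* "file.exe" -> "file~exe" */
            return 1;
        }
    return 0;
}

/* Sanitize a copy of in; nonzero if the result equals expected. */
int neuter_matches(const char *in, const char *expected)
{
    char buf[4096];
    if (strlen(in) >= sizeof buf) return 0;
    strcpy(buf, in);
    neuter_line(buf);
    return strcmp(buf, expected) == 0;
}
```

Like the patch, this still looks at every line carrying `name=`, not only MIME part headers; restricting it to the header block of each part would remove the remaining body-text matches.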


