My mailserver just quarantined a legit email with an attached pdf that
matched the below procmail rules:
:0 B
* ^(UEsDBAoAAAAAA)
/spool/mail.quarantine/.
:0 B
* ^(UEsDBAoAA)
/spool/mail.quarantine/.
Here are lines grep'd out of the attachment, the string(s) appears
several times:
hxQeZJ9j3wwcODPwP7pKuPvQu/HbAAAAAElFTkSuQmCCUEsDBAoAAAAAAAAAIQAS0co8siEAALIh
UEsDBAoAAAAAAAAAIQCaKHUY0gYAANIGAAAWAAAAd29yZC9tZWRpYS9pbWFnZTI2LnBuZ4lQTkcN
DvrNpygOxIEB6MB/AeIm1Hb+D6u+AAAAAElFTkSuQmCCUEsDBAoAAAAAAAAAIQAs1cAQs3kAALN5
QmCCUEsDBAoAAAAAAAAAIQAD4JZzPxQAAD8UAAAWAAAAd29yZC9tZWRpYS9pbWFnZTQyLnBuZ4lQ
LkoKB8KBcCAcCAfCgXAgHAgHwoFwIBwIB8KBlh34CwzG7V8nHCM/AAAAAElFTkSuQmCCUEsDBAoA
I am going to scan the stuffing out of the pdf tomorrow, but am
wondering if these strings are still valid for catching malicious
emails? I inherited these rules and research on them looks antiquated.
They are redundant in security terms as the vast majority of mail
sanitizing is done on other dedicated systems.
Thanks and apologies for cross-postings,
-Charles
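Added example, not part of the original post: decoding what the rule's pattern actually matches. `UEsDBAoAAAAAA` is the base64 encoding of a ZIP local file header whose compression method is 0 (stored), so any attachment that is a ZIP container with stored entries trips it, and modern Office documents (.docx) store their embedded images that way under word/media/. The sample line is the one from the grep output above; the file-name prefixes in the last helper are an assumption about what counts as an Office media part.

```python
import base64
import struct

# One 76-character base64 line taken from the poster's grep output of the
# quarantined attachment (the line that begins with the rule's pattern).
SAMPLE_LINE = (
    "UEsDBAoAAAAAAAAAIQCaKHUY0gYAANIGAAAWAAAAd29yZC9tZWRpYS9pbWFnZTI2LnBuZ4lQTkcN"
)
RULE_PATTERN = "UEsDBAoAAAAAA"  # the longer of the two procmail patterns

# ZIP local file header (PKWARE APPNOTE), little-endian:
# signature, version needed, flags, method, mod time, mod date,
# CRC-32, compressed size, uncompressed size, name length, extra length
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")
ZIP_LOCAL_SIG = b"PK\x03\x04"


def decode_pattern(pattern: str) -> bytes:
    """Return the bytes a base64 fragment pins down exactly.

    Only complete 4-character groups yield whole bytes; the trailing 13th 'A'
    only fixes the top six bits of the next byte (method high byte is 0..3).
    """
    return base64.b64decode(pattern[: len(pattern) // 4 * 4])


def parse_local_header(b64_line: str) -> dict:
    """Decode one base64 body line and parse the ZIP local file header at its start."""
    raw = base64.b64decode(b64_line)
    fields = LOCAL_HEADER.unpack_from(raw, 0)
    if fields[0] != ZIP_LOCAL_SIG:
        raise ValueError("line does not start with a ZIP local file header")
    name_len = fields[9]
    name_end = LOCAL_HEADER.size + name_len + fields[10]
    return {
        "method": fields[3],  # 0 == stored (no compression)
        "compressed_size": fields[7],
        "uncompressed_size": fields[8],
        "name": raw[LOCAL_HEADER.size:LOCAL_HEADER.size + name_len].decode("ascii"),
        "data_prefix": raw[name_end:name_end + 4],  # first bytes of the entry's data
    }


def looks_like_office_media(entry: dict) -> bool:
    """Assumed heuristic: a stored OOXML media part (word/xl/ppt media folders),
    the benign case that makes the rule fire on ordinary Office attachments."""
    return entry["method"] == 0 and entry["name"].startswith(
        ("word/media/", "xl/media/", "ppt/media/")
    )


if __name__ == "__main__":
    print(decode_pattern(RULE_PATTERN))
    entry = parse_local_header(SAMPLE_LINE)
    print(entry["name"], entry["method"], entry["data_prefix"])
```

Because procmail's `^` anchors at a line start, the rule also only fires when the ZIP header happens to land on a 57-byte boundary of the MIME part, so it is both noisy on benign Office files and easy to miss on anything else.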