sanitizer-1.76/CHANGELOG.sanitizer

($Id: CHANGELOG.sanitizer,v 1.95 2006/01/03 13:16:35 bre Exp $)

NOTE: Sanitizer development is for the most part sponsored by FRISK Software International, http://www.f-prot.com/. Please consider buying their anti-virus products to show your appreciation.

Revision 1.76: (January 03, 2006)

Fixed a typo in the WMF recognition code. One of the three "magic" signatures was invalid.

Revision 1.75: (January 02, 2006)

Added code to recognize the most common/important file formats based on actual file contents, not just file name and MIME-type.

Added magic to detect WMF files, to allow reliable blacklisting of said files, see http://isc.sans.org/diary.php?storyid=994 for info.

Added generic code to detect when people try to disguise non-JPEG/GIF/PNG as such files and defang such attachments.

Removed the references from the HTML Cleaner's output, the owners of the linked web sites were unhappy because their URLs were being associated with spam as a result of being in Anomy's verbose logs.

Revision 1.74: (August 05, 2005)

Fixed a bug where disinfection wouldn't result in the modification count of a message being incremented. This didn't matter to users of sanitizer.pl, however some 3rd party systems relied on the modification count to determine whether to use the Sanitizer's output or not. This is a critical fix for those systems.

Revision 1.73: (August 05, 2005)

Fixed a bug in MIME parser when encountering junk headers at the very beginning of a new MIME part.

Cleaned up some of the test cases for more recent versions of F-Prot AntiVirus, added a version check to the F-Prot regression test.

Revision 1.72: (July 10, 2005)

Fixed bug in code which detects Date: header buffer overflows, it was false-alarming on Yahoo DomainKeys headers.
Lengthened maximum word-length in headers from 196 to 256 bytes, again to decrease the odds that we'll break DomainKeys.

Added sanity checks to configuration parser, to make sure that settings such as msg_defanged and msg_blacklisted, which get used within message headers, contain only valid characters (0-9, A-Z, a-z and -).

Test-cases sanitizer.uu-rfc822 and sanitizer.logging are updated.

Revision 1.71: (May 25, 2005)

Fixed minor bug in quoted-printable encoding, as reported by Michal Weinfurtner.

Fixed crashing behavior when multiple Content-Transfer-Encoding headers were present in the same message part.

Added mailblogger.pl to the distribution. This program has nothing to do with security, but uses the MIMEStream parser to extract images from e-mail and can subsequently generate thumbnails and re-post both text and images to a web-site, to implement e-mail->www gateway functionality. I use it to blog from my cell phone. :-)

Revision 1.70: (January 4, 2005)

Raised limits on max header size from approximately 64k to 256k.

Made error reporting

Added support for new F-Prot Daemon result codes to Sanitizer::FProt.

Revision 1.69: (September 2, 2004)

Added zip_policy.pl from Advosys (http://advosys.ca/) to the contrib/ directory, after being invited to do so by Derrick Webber of Advosys.

Added sanitizer.procmail ruleset to contrib/, illustrating how to implement a quarantine and add custom headers to infected e-mails.

Fixed priority bug in filename detection code, which would in some cases give higher priority to Content-IDs than it gave to the MIME filename attributes.

Made the file-name/MIME-type sanity checks configurable (default on) via the feat_sane_names variable. Set to 0 to disable.

Wrote very simple HTTP client for communication with F-Prot daemon, thus eliminating the dependency on LWP::Simple.
Fixed incorrect changelog entry below (in the entry for rev 1.57 the word "ScanFile" was used where it should have said "FileScan"), and added support for scripts which want to pass the name of a detected infection using a line like "Anomy-FileScan-VirusName: blah". This makes the following new variables available to the file replacement template:

    %VIRUSNAME   - Propagated from Anomy-FileScan-VirusName
    %SUMMARY     - Propagated from Anomy-FileScan-Summary
    %DESCRIPTION - Propagated from Anomy-FileScan-Description

This corrects problems, implements and expands on suggestions (posted here http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=235352) by Derrick Hudson (dman at dman13.dyndns.org).

Revision 1.68: (May 7, 2004)

Added system_io_file variable to allow plugging in of custom replacements for the IO::File module, to facilitate internal FRISK development.

Fixed a problem with the mime-type auto-detection code which would corrupt certain messages when feat_log_after was enabled. This has probably also caused problems in other cases, but so far none have been reported.

Include the TNEF hooks in Sanitizer in default distribution and made inclusion of Anomy::TNEFStream "lazy" to save cycles in one-shot modes. Note that the Anomy::TNEFStream module still isn't distributed by default.

Tuned the MIME parser to catch more of the exploits illustrated on http://testvirus.org/. Also fixed a bug in the position counting. These two changes combined affect almost all of the test cases (lines containing pos= and MIME info almost all change).

Added the following options to configure the HTML cleaner (all are off by default):

    feat_html_noexe     Disallow links to executables
    feat_html_unknown   Allow unknown HTML tags
    feat_html_paranoid  Paranoid HTML Cleaner mode, bans all src= links
                        and enables feat_html_noexe paranoia as well.

Revision 1.67: (March 23, 2004)

Added code to decrease the odds that attachments with content-IDs ending in ".com" get mistakenly treated as executables.
Tweaked MIME parsing to catch a few more odd virus-generated messages.

Obfuscated some of the testcase results using simple rot13 encoding, so the Anomy .tar.gz file wouldn't be flagged as "infected" by various virus scanners.

Revision 1.66: (January 12, 2004)

Fixed an endless loop caused by an error in the uuencode detection routine. Thanks to Paul M. Hirsch for reporting this one.

Revision 1.65: (December 17, 2003)

Fixed a bug with attachment deletion, in some cases things wouldn't actually get removed, but would be appended after the "attachment removed" message.

Revision 1.64: (December 09, 2003)

Modified handling of quoted-printable encoded messages in order to improve security and avoid the often-reported "PDF corruption problem" caused by silly mail clients which QP-encode binary files.

Handling of broken MIME created by a couple in-the-wild viruses has also been fixed.

This is a highly experimental release, use with care!

Revision 1.63: (July 08, 2003)

Fixed a bug in HTML cleaner to do with XML-style tag termination.

Improved the MIME parser to better handle the obfuscated MIME created by the Ronoper worm.

Revision 1.62: (June 19, 2003)

Updated HTMLCleaner to avoid endless loop in s/// on Perl 5.00503.

Updated HTMLCleaner and Sanitizer to allow users to specify in the configuration file certain replacement tags or replacement attribute names to use in place of "DEFANGED_".

Added the default replacement tag <p> for defanged <div> tags. So now, defanged <div> tags will be replaced with <p> instead of just <DEFANGED_div>. The syntax for configuring the HTML cleaner is rather ugly, and may be changed in the future.

Updated testall.sh script to warn the user if he attempts to use the Sanitizer in an UTF-8 enabled environment (LANG=*.UTF8) and added instructions regarding unicode issues in the file UNICODE.TXT.

Test cases have been updated to work properly on FreeBSD 4.6.2 with Perl 5.00503, and on Unicode enabled RedHat 8 or 9 machines.

Revision 1.61: (unreleased)

Added recognition of the Content-Description and Content-ID headers, made the file name policy code treat them as if they might contain filenames as well in some cases.

Made the MIME parser tolerate spaces in attribute definitions (e.g. Filename = "Foo.exe" instead of Filename="Foo.exe"). Also updated the MIME parser so "type=..." attributes would be interpreted separately from the Content-Type.

Minor fixes to filename policy code.

Minor fixes to the testcases.

Revision 1.60: (May 28, 2003)

Minor update to MIME type checking rules, to allow more legal MIME types.

Made the multipart detection code less aggressive, in small text messages it would mistake common ascii-graphic signatures for message boundaries and mess up the parsing quite badly.

Made the filename policy code check ALL possible file names against each rule, instead of just checking the "default" one. If feat_mime_files is set, then the default file-name for that mime type will be checked as well. This is a major improvement to security, but requires that filename rules are ordered so that all DROP/DEFANG/MANGLE rules precede any ACCEPT rules.

Made the sanitizer read /etc/mime.types (if it exists) to generate a more complete list of default filenames for unnamed parts.

Revision 1.59: (May 9, 2003)

Fixed detection and handling of GPG/PGP messages. This corrects the broken PGP handling introduced by revision 1.58, as reported by Rick Johnson (rjohnson at medata dot com).
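The rule-ordering requirement from the Revision 1.60 entry above, as an added example (Python, not the Sanitizer's Perl and not code from the project): every candidate name of a part is tested against each rule in order, so an ACCEPT rule placed ahead of a DEFANG rule hides the dangerous name. The first two patterns are file_list_1 and file_list_7 from the default configuration in Sanitizer.pm; the short accept list, the function names and the sample names are constructed for illustration, and the matching loop is a model of the described behaviour.

```python
import re

# (pattern, policy) pairs in evaluation order.
RULES = [
    # file_list_1: double-extension attacks and known trojans
    (r'(?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))'
     r'|(ants3set|wtc|readme|sslpatch)\.exe)\.?$', "mangle"),
    # file_list_7: executable files
    (r'(?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp'
     r'|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]'
     r'|lnk|dll)\.?$', "defang"),
    # Constructed, shortened stand-in for the static-data white list
    (r'(?i)\.(gif|jpe?g|png|pdf|txt)\.?$', "accept"),
]
DEFAULT_POLICY = "defang"  # file_default_policy in the default configuration

# The same rules with the accept list moved to the front (the ordering the
# changelog entry warns against).
MISORDERED = [RULES[2], RULES[0], RULES[1]]


def policy_for(names, rules=RULES, default=DEFAULT_POLICY):
    """Return (policy, matched_name) for a MIME part.

    `names` holds every name the part might be saved under: the MIME
    filename attribute first, then names taken from Content-ID,
    Content-Description and so on. Rules are tried in order and each rule
    is tested against all names before the next rule is considered.
    """
    for pattern, policy in rules:
        rx = re.compile(pattern)
        for name in names:
            if name and rx.search(name):
                return policy, name
    return default, None


def policy_default_name_only(names, rules=RULES, default=DEFAULT_POLICY):
    """Model of the older behaviour: only the first ("default") name is checked."""
    return policy_for(names[:1], rules, default)


if __name__ == "__main__":
    part = ["holiday.jpg", "setup.exe"]  # constructed: benign filename, hostile second name
    print("default name only :", policy_default_name_only(part))
    print("all names, ordered:", policy_for(part))
    print("all names, accept first:", policy_for(part, MISORDERED))
    print("trailing dot      :", policy_for(["invoice.pdf.exe."]))
```
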
Revision 1.58: (May 8, 2003)

Added the "try" prefix for use within configuration files which include other configuration files. This makes loading of the file optional - if it doesn't exist or is unreadable the Sanitizer simply ignores it.

Minor change to the sanitizer.appledouble check, as suggested by Dag Nummedal (nummedal at ed.ntnu.no).

Made text/html parts exempt from feat_force_name behavior, to solve unfortunate display problems with Outlook clients as reported by David Santinoli (david at santinoli . com). Also fixed a minor bug in the feat_force_name behavior.

Made minor improvements to header parsing code, to handle the broken MIME generated by a number of viruses out there.

Changed the header rewriting code to quote attribute values only when they contain non-alphanumeric characters. This is done because some versions of Eudora apparently don't like format="flowed", but do like format=flowed.

Fixed a minor bug in the HTML cleaner, where it was missing some invalid attribute definitions which Explorer will accept. Thanks to Paul Wallingford (paul at cybergestalt dot net) for the report.

Added the Advosys tnef2multipart.pl script to the contrib/ directory.

Added caching to the QP encode/decode routines, to decrease the number of times that a different QP encoding strategy is chosen for a given string. This won't solve QP-related encoding/decoding problems entirely, but it may decrease their frequency.

More changes to MIME parser, to handle broken messages created by the Bridex worm and a few other odd massmailer worms/viruses. This, again, modifies white-space and log offsets in the test-cases.

Revision 1.57: (November 14, 2002)

Fixed a MIME header bug introduced in revision 1.56 by the Bugbear fix. The bug was causing certain MIME headers to be corrupted, primarily affecting recipients of signed or encrypted mail. Thanks to Ton Vandepoel (tom.vandepoel at be.ubizen.com) for the bug report.
Augmented the config file syntax to allow any directive to be prefixed with "before X" or "after X", where X is a valid Unix timestamp.

Revision 1.56: (October 22, 2002)

Modified the MIME attribute parser slightly, so it will detect the entire filename as sent by Bugbear and other viruses, in spite of those names not conforming to the MIME standard.

Added more detection of potential security abuses based on invalid RFC822 comments.

Added experimental support for more detailed communication between scanners and the Sanitizer itself. STDOUT from file scanners will be scanned for the following tokens:

    Anomy-FileScan-Result: CODE
    Anomy-FileScan-Summary: summary
    Anomy-FileScan-Description: Text description of result
    Anomy-FileScan-NewName: newname.bla
    Anomy-FileScan-NewFile: /path/to/new/attachment/data
    Anomy-FileScan-NewType: MIMETYPE
    Anomy-FileScan-NewEnc: ENCODING

The FileScan-Result code overrides the exit code of the scan program, and the summary and description fields override the defaults built into the sanitizer. As a side effect of providing a new name or new data file, the part encoding will be forced to Base64 - unless some other encoding is explicitly requested.

A sample scanner script which uses some of these features is the zip_script in the contrib/ directory (a "scanner" which will encapsulate all "scanned" attachments in a ZIP file).

Revision 1.55: (October 08, 2002)

Fixed dependencies in sanitizer.pl, so it no longer requires LWP::Simple unless people are actually using the FProt daemon scanner.

Modified the HTMLCleaner rules to avoid a rendering bug in Eudora's built-in HTML viewer, which was triggered primarily by defanging of Outlook's HTML messages.

Revision 1.54: (September 18, 2002)

Added the hcp:// protocol to the list of banned href= and src= destinations in HTMLCleaner.pm, for reasons discussed here: http://online.securityfocus.com/archive/1/287482/2002-08-15/2002-08-21/0

Tightened security on href= attributes in general.
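The scanner exchange from the Revision 1.56 entry above, combined with the "e1:e2:e3:command" scanner definition and four-value policy described in the Sanitizer.pm configuration comments, as an added example (Python, not code from the project). It assumes the Anomy-FileScan-Result CODE is an integer looked up in the same exit-code lists; the scanner path, the sample definition and all function names are constructed.

```python
import re

CATEGORIES = ("clean", "disinfected", "infected", "failed")
TOKEN_RE = re.compile(r"^Anomy-FileScan-([A-Za-z]+):\s*(.*)$")
KNOWN_TOKENS = {"Result", "Summary", "Description", "VirusName",
                "NewName", "NewFile", "NewType", "NewEnc"}

# Constructed definition: exit 0 = clean, 1 or 2 = disinfected, 3 = infected.
SAMPLE_DEF = "0:1,2:3:/opt/example/scan %FILENAME"
SAMPLE_POLICY = "save:save!:drop:save"


def parse_scanner_def(definition):
    """Split 'e1:e2:e3:command' into three exit-code sets and the command."""
    e1, e2, e3, command = definition.split(":", 3)
    code_sets = [{int(c) for c in field.split(",") if c.strip()}
                 for field in (e1, e2, e3)]
    return code_sets, command


def parse_tokens(stdout_text):
    """Collect Anomy-FileScan-* tokens from scanner STDOUT; other lines are ignored."""
    tokens = {}
    for line in stdout_text.splitlines():
        m = TOKEN_RE.match(line.strip())
        if m and m.group(1) in KNOWN_TOKENS:
            tokens[m.group(1)] = m.group(2).strip()
    return tokens


def evaluate(policy, definition, exit_code, stdout_text):
    """Pick one of the four policies from the exit code and STDOUT tokens."""
    code_sets, _command = parse_scanner_def(definition)
    tokens = parse_tokens(stdout_text)

    code = exit_code
    if "Result" in tokens:            # the token overrides the exit code
        try:
            code = int(tokens["Result"])
        except ValueError:
            code = None               # unparsable result: treated as "failed"

    category = "failed"               # unexpected values mean the scan failed
    for name, codes in zip(CATEGORIES, code_sets):
        if code in codes:
            category = name
            break

    policies = policy.split(":")
    if len(policies) != 4:
        raise ValueError("a scanner policy needs four values")

    # A new name or data file forces Base64 unless an encoding is requested.
    encoding = tokens.get("NewEnc")
    if encoding is None and ("NewName" in tokens or "NewFile" in tokens):
        encoding = "Base64"

    return {"category": category,
            "policy": policies[CATEGORIES.index(category)],
            "virus": tokens.get("VirusName"),
            "encoding": encoding}


if __name__ == "__main__":
    out = "scan started\nAnomy-FileScan-Result: 3\nAnomy-FileScan-VirusName: Constructed.Sample\n"
    print(evaluate(SAMPLE_POLICY, SAMPLE_DEF, 0, out))
```
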
Revision 1.53: (September 17, 2002)

Fixed a minor bug to do with F-Prot daemon support in 1.52.

Revision 1.52: (unreleased)

Added built-in support for F-Prot Antivirus for Linux, both the small business (command line) and enterprise (daemon) versions. The command line client is auto-detected and used if present, use of the daemon can be requested by invoking sanitizer.pl with "-fprotd" as the first argument.

Enterprise customers will be able to enable automatic disinfection of incoming messages, by adding the "-disinf" parameter to the fprotd command line in the file_list_2 scanner definition, and will see the name of the detected threat in the Sanitizer logs.

The default policy for infected content is to mangle the filename and MIME type, but still pass the data on to the user. Upgrading this to a "drop" or "save" policy is recommended.

Note: Use of F-Prot on machines where it is available can be manually disabled in two ways: either invoke sanitizer.pl with "-nofprot" as the first argument or redefine file_list_2.

Revision 1.51: (unreleased)

Created feat_no_partial (enabled by default), which defangs any incoming message/partial messages, to address the problems described in http://www.securiteam.com/securitynews/5YP0A0K8CM.html

Added support for treating the first part of a message/partial message the same way as if it were message/rfc822. This should catch any security risks present in the *first part*, but not any subsequent parts.

Fixed a bunch of other minor things.

Revision 1.50: (unreleased)

Improved boundary guessing routine and header parser to deal with still more non-RFC compliant messages. This still needs work.

Fixed the problem with $m being in the range 0-11 instead of 1-12, when used in filename templates. Thanks to Paulius Bulotas (paulius at kaktusas.org) for the report.

Fixed minor logging bug to do with non-MIME messages and feat_log_inline=2.

Added a few tags and attributes common to email to the HTML cleaner, to lower the noise level.
Added GNU GPL, GNU LGPL and Artistic Licenses to the distribution (in the file COPYING). This bloats the distribution somewhat, but is necessary for strict compliance with the GNU licenses.

Added module for interfacing Anomy with the daemon version of F-Prot Antivirus for Linux, which is significantly faster than the command-line version. The daemon version will most likely be made available to purchasers of enterprise-class licenses for F-Prot Antivirus for Linux.

Fixed a bug when truncating unusually long MIME fields, as reported by Will Day (wd at hpgx.net).

Updated default configuration to recognize blacklisted filenames with trailing dots (which are ignored by Windows).

Added protection against MIME recursion DoS attacks. The Sanitizer itself was vulnerable to such attacks. The default maximum allowed recursion level is 20, which should be more than enough. This value can be tweaked by setting the max_mime_depth variable.

Fixed a problem which occurred when re-encoding Base64 encoded attachments with odd line lengths. Thanks to Joerg Lenneis for the bug report.

Revision 1.49: (February 15, 2002)

Fixed a minor white-space related bug in MIME header parsing.

Made the configuration file parser tolerant of Windows/DOS formatted text.

Created a separate distribution containing only the stuff used by the HTML cleaner, for users of David F. Skoll's MIMEDefang program.

Made minor tweaks to the messages logged by the HTML cleaner, added code to prevent re-defanging of HTML tag attributes.

Implemented a much more elegant fix to the lack-of-trailing-newlines buglet fixed in 1.47. This should make all those extra newlines go away again...

Added "branch" functionality to the file policy mechanism. By appending ^N (where N is a number) to an "unknown" or "warn" policy, the policy matcher can be made to branch to a given rule instead of evaluating the next rule sequentially.
Improved UUencoded attachment detection to handle null modes and protect users against the silly Outlook "begin blah" annoyance, as described here: http://www.rodos.net/outlook/#begin

Made the content header parser deal better with certain RFC-incompliant MIME types generated by broken PGP plugins. Added a feat_fixmime check to rewrite the offending headers so they comply with standards.

Fixed broken file_list_7 in default policy - thanks to Tuomas Lukinmaa for bringing this to my attention.

Added code to defang bare CR characters in message headers, due to the following Outlook bug (enabled by feat_fixmime): http://www.openoffice.nl/special_interest/outlookbug.html

Revision 1.48: (January 04, 2002)

Happy new year! Updated copyright notices again.

Improved HTMLCleaner to properly handle STYLE tags which have attributes. Thanks to Andrew (andrew at ledge.co.za) for pointing this out.

Explicitly set all temporary files opened to binary mode, to improve portability.

Improved newline handling code a bit more - it now properly handles differing newline conventions within embedded/encoded parts of the same message.

Revision 1.47: (not released)

Added feat_newlines, to allow people to specify what sort of newlines to use in the sanitizer's output. Default (0) is to use a newline convention "autodetected" from the first chunk of data.

Attempted to address a number of platform dependent newline issues within the code itself - this still needs some work though.

Added the "warn" policy, which acts just like "unknown" except for the fact that it also increments the modification counter. Added a test for this to the filenames test.

Fixed a buglet to do with a lack of trailing newlines in parts which are re-encoded as 8bit instead of Base64 when feat_log_after is in use. This has the side effect of adding newlines to almost all of the test cases.

Updated copyright notice in a few files to mention the year 2001. Seemed fitting to fix that before we enter 2002...
Thanks to Dave Cridland for pointing that out. :-)

Moved John Hardin's macro scanning code into the module Anomy::Sanitizer::MacroScanner, to facilitate sharing of that code between different implementations of the sanitizer engine.

Revision 1.46: (skipped)

Revision 1.45: (December 12, 2001)

WARNING: Scoring works again - but not like it used to!

WARNING: The default configuration has been updated quite a bit, and does some NEW THINGS. You have been warned.

Most test cases were modified for this release (I've gotta start releasing things more often...).

Almost complete rewrite of HTML sanitization code, to switch from a default-allow to default-deny strategy. Primary benefits:

- Old problem with blocks.

    if (length($$data_ptr) < $self->{"conf"}->{"MaxLeftoverSize"}) {
        $self->{"style_count"} += ($$data_ptr =~ s/<(style[^<>]*)>/ $self->record_style($1) /geis);
    }
    $self->{"style_count"} -= ($$data_ptr =~ s/]+)(<\/style>)/<$self->{styles}->[$1]$2>$3/gis);
    $self->{"style_count"} -= ($$data_ptr =~ s/]+){styles}->[$1]>$2]+)$//s) {
        $leftovers = $1;
        if (length($leftovers) > $self->{"conf"}->{"MaxLeftoverSize"}) {
            if (($self->{"style_count"} > 0) &&
                # Fix this long evil tag we artificially spawned above...
                (my $n = ($leftovers =~ s/]*)$/<$self->{styles}->[$1]>$2/is))) {
                $self->{"style_count"} -= $n;
            } else {
                my $lo = $leftovers;
                $lo =~ s/[<>]/_/gs;
                $lo =~ s/\s+/ /gs;
                $log->entry("split-html", SLOG_WARNING|SLOG_INFO,
                            { id => ${ $self->{"mod_count"} },
                              begin => substr($lo, 0, 25),
                              end => substr($lo, -25, -1) },
                            "Split really long tag (over 2k):\n".
                            " >>%begin% ... %end%<<");
                $$data_ptr .= $leftovers . '>';
                $leftovers = "<". $self->{"msg_defanged"} .".".${ $self->{"mod_count"} }." ";
                ${ $self->{"mod_count"} }++;
            }
        }
    }

    # Stupid, stupid, stupid Netscape 4 scripting entities...
    $$data_ptr =~ s/\&\{/$self->{"msg_defanged"}_&\{/g
        if (($self->{"html_count"} > 10) || ($conf->{"Paranoid"}));

    print STDERR "About to clean tags: $$data_ptr\n" if ($ENV{DEBUG_HTMLCLEANER});

    # Defang untrusted HTML content
    $$data_ptr =~ s/(<\/?[A-Za-z]+[A-Za-z0-9\#\&\;\:\!_\/-]*(\s+(\'[^\']*\'|\"[^\"]*\"|[^>\"\']+)*)?\s*\/?>)/ $self->cleanTag($1) /gse;

    print STDERR "Done cleaning tags...\n" if ($ENV{DEBUG_HTMLCLEANER});

    return $leftovers;
}

sub test {
    my $hash = shift || { };
    $hash->{"Log"} = new Anomy::Log;
    my $cleaner = new Anomy::HTMLCleaner $hash;
    my $t;
    my $l;
    # Read standard input, carrying unprocessed leftovers into the next chunk.
    while ($t = $l.<STDIN>) {
        $l = $cleaner->clean(\$t);
        print $t;
    }
    print $hash->{"Log"}->print_as_text(), "\n";
}

1 ;

sanitizer-1.76/bin/Anomy/Sanitizer.pm

#!/usr/bin/perl
#
my $revision = '$Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $';
my $version = 'Anomy 0.0.0 : Sanitizer.pm';
#
## Copyright (c) 2000-2005 Bjarni R. Einarsson. All rights reserved.
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
#
##############################################################################
#
# NOTE: Sanitizer development is for the most part sponsored by
#       FRISK Software International, http://www.f-prot.com/. Please
#       consider buying their anti-virus products to show your
#       appreciation.
#
##############################################################################
#
# This is the email sanitizer engine.
#
# Most of the ideas in this script were borrowed from John D. Hardin's
# "security through procmail" ruleset, which is available here:
# ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
#
# Note that this script is a little differently licensed from the rest
# of the Anomy tools because I borrowed GPL'd code from John's script.
#
# Documentation and new versions are here: http://mailtools.anomy.net/
#
#############################################################################
# Function naming conventions used in this file:
#
#    lowercase_names:    public object methods
#    BiCapitalizedNames: private object methods
#    CAPITALIZED_NAMES:  functions (not assigned to an object)
#

##[ Package definition ]######################################################

package Anomy::Sanitizer;
use strict;
use Anomy::Log;
use Anomy::MIMEStream;
use Anomy::HTMLCleaner;
use Anomy::Sanitizer::FileTypes qw( check_file_type );
use IO::File;
use Digest::MD5;
use bytes;

BEGIN {
    use Exporter ();
    use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
    $VERSION = do { my @r = (q$Revision: 1.94 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
    @ISA = qw(Exporter);
    @EXPORT = qw( );
    @EXPORT_OK = qw( );
};

##[ Default configuration ]###################################################

my $default_config = {
    # Features.
    # Disable stuff by replacing 1s with 0s.
    #
    "feat_verbose"       => 1,  # Warn user about unscanned parts and Other Stuff.
    "feat_log_inline"    => 2,  # Inline logs: 0 = Off, 1 = Maybe, 2 = Force
    "feat_log_stderr"    => 0,  # Print log to stderr.
    "feat_log_xml"       => 0,  # Attachment logs: XML format.
    "feat_log_trace"     => 0,  # Attachment logs: Complete (all trace info).
    "feat_log_after"     => 0,  # Scratch area sizes - see below. 0 = Off.
    "feat_files"         => 1,  # Enable filename-based policy decisions.
    "feat_sane_names"    => 1,  # Make sure names match content & mime-type.
    "feat_mime_files"    => 0,  # Always check the mime-type's default name too.
    "feat_force_name"    => 0,  # Force all parts (except text/plain or
                                # text/html parts) to have file names.
    "feat_boundaries"    => 0,  # Replace all boundary strings with our own.
                                # NOTE: Always breaks PGP/MIME messages!
    "feat_lengths"       => 1,  # Protect against buffer overflows.
    "feat_scripts"       => 1,  # Defang incoming shell scripts.
    "feat_html"          => 1,  # Defang active HTML content.
    "feat_html_noexe"    => 0,  # Disallow links to executables
    "feat_html_unknown"  => 0,  # Allow unknown HTML tags (default allow)
    "feat_html_paranoid" => 0,  # Paranoid HTML Cleaner mode
    "feat_webbugs"       => 0,  # Defang "web bugs".
    "feat_trust_pgp"     => 0,  # Trust PGP signed messages -> don't scan them
    "feat_uuencoded"     => 1,  # Sanitize UU encoded attachments.
    "feat_forwards"      => 1,  # Sanitize forwarded messages.
    "feat_testing"       => 0,  # Enable to turn off randomness, for testcases
    "feat_fixmime"       => 1,  # Try and fix invalid MIME.
    "feat_kill_tnef"     => 0,  # Convert MS-TNEF attachments to MIME.
    "feat_no_partial"    => 1,  # Defang any incoming message/partial mail.
    "feat_paranoid"      => 0,  # Be very paranoid about MIME headers etc.
    "feat_newlines"      => 0,  # 0=Auto, 1=lf (Unix), 2=crlf (Win), 3=cr (Mac)
                                # ... 4=no newline mods

    "score_bad"          => 0,  # Any message requiring this many modifications
                                # will cause the sanitizer to return a non-zero
                                # exit code after processing the entire message.
                                # 0=off.

    # The "feat_log_after" feature tells the sanitizer to force the message
    # to be multipart/* and reserve at least N-100 bytes within the header of
    # each text/plain or text/html part. This allows the resulting output
    # file to be edited to add messages once the sanitization is completed,
    # without having to rewrite the entire file when short messages are
    # inserted. A log-event named "scratch-space" is generated each time
    # such space is added, to allow a log-hook to record where (give or take
    # a few bytes) within the stream the space was added.

    ##########################################################################
    # If feat_files is non-zero, the following rules will be used to decide
    # what to do with an attachment. The rules are all filename based, each
    # "list" being a regular expression.
    #
    # The file is compared to each list in order (1 to file_list_max) and on
    # the first match the defined policy is enforced. If a file matches no
    # lists the default policy is used.
    #
    # Valid policies are:
    #
    #    mangle  - Completely obfuscates the file name.
    #    defang  - Defangs the file name, without making it completely
    #              illegible.
    #    accept  - Attachment is accepted as-is (possibly subject to
    #              HTML or shell script defanging though).
    #    save    - Save the attachment to the "file_save_dir" directory,
    #              replace it with an informative message.
    #    drop    - Delete the attachment
    #    unknown - Indeterminate result, check the next policy.
    #    warn    - Same as unknown, but also increments the mod counter.
    #
    # Appending an exclamation mark (!) to any policy (e.g. drop!) will, when
    # matched, increase the modification counter past the score_bad threshold,
    # to force the sanitizer to return a non-zero exit code.
    #
    # If a policy has four values, e.g. "save:save!:drop:save", then the file
    # will be scanned for viruses using an external virus scanner. Which of
    # the four policies is used then depends on whether the result is "clean"
    # (1st), "successfully disinfected" (2nd), "unsuccessfully disinfected"
    # (3rd) or "scan failed" (4th).
    #
    # The scanner definitions are as follows:
    #
    #    "e1:e2:e3:/path/to/scanner args ... %FILENAME ..."
    #
    # The e1, e2, e3 are comma-delimited lists of exit codes that match
    # the four different "interesting" return values we expect scanners to
    # return. Unexpected values are assumed to be in the "scan failed"
    # category.
    #
    # In addition to the %FILENAME variable, the following variables are
    # also expanded:
    #
    #    %ATTNAME    The name of the attachment itself.
    #    %REPLY_TO   The apparent reply-to address for the message.
    #    %ERRORS_TO  The apparent error-address for the message.
    #    %HEADER()   The named header of the top level message. The
    #                name must be in lowercase, ex: %HEADER(subject).
    #
    # This is the file name template, used for creating (temporary?) files
    # when scanning or saving attachments.
    # The following substitutions are
    # supported:
    #    $d - Day of month (01-31)
    #    $m - Month number (01-12)
    #    $y - Two digit year (00-99)
    #    $Y - Four digit year
    #    $H - Hour (00-23)
    #    $M - Minute (00-59)
    #    $S - Second (00-59)
    #
    #    $P - This process's PID, in hex.
    #    $T - The current Unix time, in hex.
    #    $F - A safe version of the original file name.
    #    $ - A random character, from [A-Z0-9].
    #
    # It's recommended that all file name templates contain a few '$'
    # characters, since a new name will be generated (up to five times,
    # after that it will give up) if the chosen one is already in use.
    # More '$' substitutions will mean fewer collisions. Note that any
    # directories must exist, the sanitizer will NOT create them for you.
    # So if you are using random directory hashing make sure to create
    # all the directories ahead of time!
    #
    "file_name_tpl" => '/tmp/att-$T-$$$-$F',

    # How many rules are available?
    "file_list_rules" => 15,

    # Black list 1: Double-extension attacks and known trojans.
    # Upgrading the policy to "drop" or "save" is highly recommended.
    "file_list_1_scanner" => 0,
    "file_list_1_policy" => "mangle",
    "file_list_1" => '(?i)(\.'.
        # Double extension executables files
        '([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))'.
        # Known trojans/worms currently in the wild.
        '|(ants3set|wtc|readme|sslpatch)\.exe)\.?$',

    # Reserved for plugging in your favorite virus scanners and custom blacklists.
    "file_list_2_policy" => 0,
    "file_list_2_scanner" => 0,
    "file_list_2" => 0,
    "file_list_3_policy" => 0,
    "file_list_3_scanner" => 0,
    "file_list_3" => 0,
    "file_list_4_policy" => 0,
    "file_list_4_scanner" => 0,
    "file_list_4" => 0,
    "file_list_5_policy" => 0,
    "file_list_5_scanner" => 0,
    "file_list_5" => 0,
    "file_list_6_policy" => 0,
    "file_list_6_scanner" => 0,
    "file_list_6" => 0,

    # Black list 2: Executable files. These /should/ be dropped...
    "file_list_7_scanner" => 0,
    "file_list_7_policy" => "defang",
    "file_list_7" => '(?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp'.
        '|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]'.
        '|lnk|dll)\.?$',

    # Reserved ...
    "file_list_8_policy" => 0,
    "file_list_8_scanner" => 0,
    "file_list_8" => 0,

    # White list 1: Static data - safe if anything is.
    "file_list_9_scanner" => 0,
    "file_list_9_policy" => "accept",
    "file_list_9" => '(?i)\.'.
        # Graphics
        '(gif|tiff?|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx|fm)|fdf'.
        '|fon|[ot]tf|bmp|ico'.
        # Sound
        '|mp\d|wav|au|ram?|avi|mov|mpe?g|aif[fc]?|cda|midi?|asf|wm[avf]'.
        # Plain text, compiled-language source code, HTML, etc.
        '|t(xt|ex)|csv|l(og|yx)|ini'.
        '|[ch](pp|\+\+)?|cc|hh|s|inc|asm|pa(tch|s)|java|php\d?'.
        '|[ja]sp'.
        '|[sp]?html?|css|xml'.
        # Compressed?
        ')(\.[gb]?z\d?)?\.?$',

    # Reserved ...
    "file_list_10_policy" => 0,
    "file_list_10_scanner" => 0,
    "file_list_10" => 0,

    # White list 2: Necessary evils: Archives.
    "file_list_11_scanner" => 0,
    "file_list_11_policy" => "accept",
    "file_list_11" => '(?i)\.'.
        '(z(ip|oo)|ar[cj]|lh[az]|[tr]ar|r\d\d|rpm|deb|slp|tgz|cab'.
        '|iso|cif|uue?|jar'.
        # Compressed?
        ')(\.[gb]?z\d?)?\.?$',

    # Reserved ...
    "file_list_12_policy" => 0,
    "file_list_12_scanner" => 0,
    "file_list_12" => 0,

    # White list 3: Necessary evils: Microsoft Office files
    "file_list_13_scanner" => 0,
    "file_list_13_policy" => "accept",
    "file_list_13" => '(?i)\.'.
        # Microsoft Office documents
        '(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw]'.
        # Compressed?
        ')(\.[gb]?z\d?)?\.?$',

    # Reserved ...
    "file_list_14_policy" => 0,
    "file_list_14_scanner" => 0,
    "file_list_14" => 0,

    # White list 4: Necessary evils: Miscellaneous
    "file_list_15_scanner" => 0,
    "file_list_15_policy" => "accept",
    "file_list_15" => '(?i)\.'.
        # Email-related files - some of these may be somewhat risky.
        '(mbx|vcf|p7[sm]|ics|pgp|gpg|asc'.
        # Misc. data files.
        '|3ds|arg|dwg|dxf|dwt|dng|dbf|dcl|lsp|mp[apdwe]|psd|prc'.
        '|qt|stx|swf'.
        # Compressed?
        ')(\.[gb]?z\d?)?\.?$',

    # This defines the default policy, for filenames that don't match
    # any of the preceding lists.
    "file_default_policy" => "defang",

    # The default name for files of an unrecognized MIME-type which lack
    # a file-name. The default is to treat such files as text files,
    # both for backwards compatibility and to increase the chances that
    # unnamed attachments get treated "safely" by the recipient's MUA.
    "file_default_filename" => "unnamed.txt",

    # Characters permitted in file names - the default is most of the
    # ISO-8859-1 character set. In addition to these, the characters
    # "." and "-" are always allowed. Set to 0 to allow all characters.
    "file_characters" => '\ !\#\%\(\)\+,0-9;=\?A-Z\[\]_a-z\{\}\~'
        .'¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅ'
        .'ÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéê'
        .'ëìíîïðñòóôõö÷øùúûüýþÿ',

    # HTML cleaner configuration
    "html_cleaner_body" => '"tag:div" => "p"',
    "html_cleaner_header" => '',

    # MIME attributes for inline sanitizer logs.
    "sanitizer_log_disp" => 'attachment; filename="sanitizer.log"',
    "sanitizer_log_type" => 'text/sanitizer-log; charset="iso-8859-1"',

    ##########################################################################
    # Headers to add if they are currently missing, since some email
    # clients expect them to be present. This only applies to the top-level
    # message headers.
    "force_header_1" => "MIME-Version: 1.0",
    "force_header_2" => "Content-Type: text/plain; charset=\"%DEF_CHARSET\"",
    "force_header_3" => "Subject: (no subject)",
    "force_header_4" => 0,
    "force_header_5" => 0,
    "force_header_6" => 0,
    "force_header_7" => 0,
    "force_header_8" => 0,
    "force_header_9" => 0,
    "force_header_10" => 0,

    # Number of headers we are interested in forcing, 0 disables.
    "force_headers" => 0,

    ##########################################################################
    # Messages. Translate?
    #
    "header_info" => "X-Sanitizer: This message has been sanitized!",
    "header_url" => "X-Sanitizer-URL: http://mailtools.anomy.net/",
    "header_rev" => "X-Sanitizer-Rev: $revision",

    "var_def_charset" => "iso-8859-1",

    "msg_file_drop" =>
        "****\012NOTE: An attachment was deleted from this part of the message,\012".
        "because it failed one or more checks by the virus scanning system.\012".
        "See the attached sanitization log for more details or contact your\012".
        "system administrator.\012\012".
        "The removed attachment's name was:\012\012".
        "\t%FILENAME (evaluated as %CHECKEDNAME)\012\012".
        "It might be a good idea to contact the sender and warn them that\012".
        "their system is infected.\012****\012",

    "msg_file_save" =>
        "****\012NOTE: An attachment was deleted from this part of the message,\012".
        "because it failed one or more checks by the virus scanning system.\012".
        "The file has been quarantined on the mail server, with the following\012".
        "file name:\012\012".
        "\t%SAVEDNAME\012\012".
        "The removed attachment's original name was:\012\012".
        "\t%FILENAME (evaluated as %CHECKEDNAME)\012\012".
        "It is recommended that you contact your system administrator if you\012".
        "need access to the file. It might also be a good idea to contact the\012".
        "sender, and warn them that their system may be infected.\012****\012",

    "msg_pgp_warning" =>
        "WARNING: The following data has NOT been sanitized, to ensure\012".
        " that the signature remains intact, if valid. Please\012".
        " be careful if you open any enclosed attachments.\012\012",

    "msg_log_prefix" =>
        "This message has been 'sanitized'. This means that potentially\012".
        "dangerous content has been rewritten or removed. The following\012".
        "log describes which actions were taken.\012",

    "msg_usage" =>
        "$version\012$revision\012\012".
        "Usage: sanitizer.pl [ 'variable op value' | 'filename' ] ... \012".
        "\012".
"FIXME: unwritten\012", "msg_defanged" => "DEFANGED", "msg_blacklisted" => "BLACKLISTED", "msg_current" => "Current configuration:\012", "msg_signature" => "$version\012$revision\012", # Limits "max_conf_recursion" => 5, "max_mime_depth" => 20, # System mime types... "system_mime_types" => "/etc/mime.types", "system_io_file" => "IO::File", ## DEPRACIATED STUFF ## "score_bad_code" => "UNUSED", "msg_panic" => "UNUSED", "score_panic_code" => "UNUSED", "score_panic" => "UNUSED", "html_evil_tags" => 'UNUSED', "html_javascript" => 'UNUSED', }; my @default_configs = ( $default_config, ); # Default file-names for unnamed MIME parts. # my $default_filenames = { "text/plain" => "unnamed.txt", "text/html" => "unnamed.html", "image/gif" => "unnamed.gif", "image/jpeg" => "unnamed.jpg", "image/png" => "unnamed.png", "image/tiff" => "unnamed.tiff", "inline/text/plain" => "unnamed.txt", "inline/text/html" => "unnamed.html", "application/ms-tnef" => "winmail.dat", "application/x-ms-dos-executable" => "unnamed.exe", "application/x-msdownload" => "unnamed.exe", }; # This is a list of MIME types, and regular expressions which file-names # are expected to match if that type is being used. # my $default_name_type_checks = { "audio/x-ms-wma" => '(?i).wm[af]$', "audio/x-wav" => '(?i).wav$', "audio/wav" => '(?i).wav$', "audio/x-midi" => '(?i).midi?$', "image/gif" => '(?i).gif$', "image/jpeg" => '(?i).jpe?g$', "image/png" => '(?i).png$', "image/tiff" => '(?i).tiff?$', }; # Default parser hash my $default_parsers = { # Search text parts for inline uuencoded attachments, so we can mangle # their names and possibly scan the attachments themselves. This also # takes care of defanging HTML. "text/*" => \&CleanUnknown, "application/pgp" => \&CleanText, "inline/text/*" => \&CleanUnknown, # Check headers, parse contents... "multipart/*" => \&CleanMultipart, # Sanitize encapsulated messages. 
"message/rfc822" => \&CleanRFC822, "inline/message/rfc822" => \&CleanRFC822, "message/partial" => \&CleanPartial, # Sanitize contents of MS-TNEF attachments "application/ms-tnef" => \&CleanMS_TNEF, "inline/application/ms-tnef" => \&CleanMS_TNEF, # We don't recognize this content-type, see if we can figure anything # out from the headers themselves. Sanitize headers (at least). "DEFAULT" => \&CleanUnknown, }; # Built in scanners my $default_scanners = { }; ##[ Public interface routines ]############################################### sub new { my ($proto, $name) = @_; my $class = ref($proto) || $proto; my $self = { # Configuration "conf" => { }, "defaults" => [ @default_configs ], "parsers" => { }, "filenames" => { }, "scanners" => { }, # Object globals "log" => new Anomy::Log, "mod_id" => 0, "base_mod_id" => 0, "logd_mod_id" => 0, "mime_depth" => 0, # Common part data, exposed. "common" => undef, "message" => undef, # Have we created any scratch-spaces yet? "scratch-spaces" => 0, # Errors "error" => undef, }; bless ($self, $class); $self->reset_config(); %{ $self->{"parsers"} } = %{ $default_parsers }; %{ $self->{"filenames"} } = %{ $default_filenames }; %{ $self->{"name_type_checks"} } = %{ $default_name_type_checks }; %{ $self->{"scanners"} } = %{ $default_scanners }; return $self; } sub error { my $self = shift; return $self->{"error"}; } # Parses a single line from a configuration file. # Configuration files look like this: # # # this is a comment # # set some variables # variable = value # variable += value # # load another configuration file # /path/to/another/configuration/file # OR: # include /path/to/another/configuration/file # # All white space in the value is replaced with spaces. A " #" sequence # (white space followed by '#') marks the beginning of a comment, and is # ignored. 
#
# The following escape sequences are expanded in the value string to let
# you get around these "features":
#
#    \\  ->  \
#    \#  ->  #
#    \n  ->  newline
#    \t  ->  tab
#    \s  ->  space
#
# Using the .= or += instead of just = will append the string to the
# variable, instead of resetting it.
#
my $config_recursion = 0;

sub reset_config
{
    my $self = shift;
    $config_recursion = 0;
    foreach my $c (@{ $self->{"defaults"} })
    {
        foreach my $v (keys(%{ $c }))
        {
            $self->{"conf"}->{$v} = $c->{$v};
        }
    }
}

sub configure
{
    my $self = shift;
    my $conf = $self->{"conf"};

    while (my $line = shift)
    {
        # "before <unixtime> <stuff>" and "after <unixtime> <stuff>" make
        # a configuration line conditional on the current time.
        if ($line =~ /^\s*before\s+(\d+)\s+(.*)$/i)
        {
            my ($date, $stuff) = ($1, $2);
            $line = '#'.$line;
            $line = $stuff if ($date > time());
        }
        if ($line =~ /^\s*after\s+(\d+)\s+(.*)$/i)
        {
            my ($date, $stuff) = ($1, $2);
            $line = '#'.$line;
            $line = $stuff if ($date <= time());
        }

        if ($line =~ /^\s*([a-z0-9_]+)\s*([\+\.]*=)\s*(.*)\s*$/si)
        {
            # OK, this looks like a variable configuration
            my ($var, $op, $val) = (lc($1), $2, $3);

            # Only var_* names and variables that already exist in the
            # defaults may be set.
            unless (($var =~ /^var_/i) || (defined $conf->{$var}))
            {
                $self->{"error"} .= "Unknown configuration variable: $var\n";
                return 1;
            }

            $val =~ s/\s+#.*$//;
            $val =~ tr/\t\n/  /;
            $val =~ s/\\([\\nts#])/ { $_=$1; tr|\\nts#|\\\012\t #|; $_ } /eg;

            if ($op eq '=')
            {
                $conf->{$var} = $val;
            }
            else
            {
                $conf->{$var} .= $val;
            }
        }
        elsif ($line !~ /^\s*(#.*)?$/)
        {
            # Ooh, we're supposed to include another configuration file!
            $config_recursion++;
            if ($config_recursion > $conf->{"max_conf_recursion"})
            {
                $self->{"error"} .= "Configuration files nested too deep!\n";
                $config_recursion--;
                return 2;
            }

            my $fn = $line;
            # A leading "?" or "try" marks the include as optional.
            my $optional = ($fn =~ s/^\s*(\?|try)\s*//) ? 1 : 0;
            $fn =~ s/^\s*include\s+//i;
            $fn =~ s/^\s*(.*)\s*$/$1/;

            local *CF;
            unless ((-r $fn) && (open (CF, "< $fn")))
            {
                $config_recursion--;
                next if ($optional);
                $self->{"error"} .= "Cannot read $fn: $!\n";
                return 3;
            }

            my $ln = 0;
            while (my $cl = <CF>)
            {
                $ln++;
                $cl =~ s/\015?\012$//s;
                if ($self->configure($cl))
                {
                    $config_recursion--;
                    $self->{"error"} .= "[$config_recursion] Error in $fn, line $ln.\n";
                    $config_recursion--;
                    return 4;
                }
            }
            $config_recursion--;
        }
    }

    if (0 == $config_recursion)
    {
        # Side effects of configuration...
        if ($conf->{"feat_trust_pgp"})
        {
            # Only scan headers of signed stuff, if we decide that we
            # trust messages that are signed or encrypted.
            #
            $self->{"parsers"}->{"multipart/signed"} = \&CleanHeaders;
            $self->{"parsers"}->{"multipart/encrypted"} = \&CleanHeaders;
        }

        # Get a bunch of default filenames from /etc/mime.types
        $self->load_mime_filenames($conf->{"system_mime_types"});

        # Make sure a few config variables are safe for use within
        # message headers.
        $conf->{"msg_defanged"} =~ s/[^0-9A-Z-]//gsi;
        $conf->{"msg_blacklisted"} =~ s/[^0-9A-Z-]//gsi;
        $conf->{"var_def_charset"} =~ s/[^0-9A-Z-]//gsi;
    }

    return undef;
}

sub get_config_text
{
    my $self = shift;
    my $conf = $self->{"conf"};
    my $cfg = "";

    for my $key (sort(keys(%{ $conf })))
    {
        my $val = $conf->{$key};
        $key = sprintf("%-20s", $key);

        $val =~ s/\012/\\n\n$key += $1/g;
        $val =~ s/\t/\\t/g;
        $val =~ s/\#/\\#/g;
        $val =~ s/\\\\/\\/g;
#       $val =~ s/(.{55})/$1/g;
        $val =~ s/\+= /+= \\s/g;
        $val =~ s/ \012/\\s\n/g;
        $val =~ s/\012\S+\s+[\+\.]?=\s*$//ms;

        $cfg .= $key ." = ".
$val ."\n"; } return $cfg; } sub get_msg { my ($self, $var) = @_; return $self->{"conf"}->{"msg_".lc($var)}; } sub expand_msg { my ($self, $msg) = @_; return $self->expand($self->get_msg($msg)); } sub get_var { my ($self, $var) = @_; return $self->{"conf"}->{"var_".lc($var)}; } sub expand_var { my ($self, $var) = @_; return $self->expand($self->get_var($var)); } sub set_var { my ($self, $var, $value) = @_; $self->{"conf"}->{"var_".lc($var)} = $value; } sub expand { my ($self, $msg) = @_; $msg =~ s/%([A-Z_]+)/ $_=($self->{"conf"}->{"var_".lc($1)} || "%".$1) /ge; return $msg; } sub sanitize { my ($self, $fh_in, $fh_out) = @_; my $conf = $self->{"conf"}; # Create MIMEStream object my $message = Anomy::MIMEStream->New($fh_in, $fh_out, $self->WrappedParsers()); # Record the common data for use by hooks. $self->{"common"} = $message->{"common"}; $self->{"message"} = $message; # Make sure we've already loaded our IO::File module eval 'use '.$conf->{system_io_file}.';'; # What's our newline preference today? if (my $n = $conf->{"feat_newlines"}) { $message->{"newline_out"} = "\012" if ($n == 1); $message->{"newline_out"} = "\015\012" if ($n == 2); $message->{"newline_out"} = "\015" if ($n == 3); $message->{"newline_in"} = undef if ($n == 4); # Default is auto... } # Register this run with the core logger. my $start = time(); $start = 0 if ($conf->{"feat_testing"}); $self->{"log"}->sublog("Sanitizer", SLOG_TRACE, { start => $start }, $message->{"log"}); # Parse message header $message->ParseHeader(); # Log that we've parsed the header - this creates an event allowing # hooks to reconfigure most of the sanitizer based on header data. # WARNING: MIMEStream parsers are NOT reconfigurable at this point. $message->{"log"}->entry("parsed_header", SLOG_TRACE, undef, "Finished parsing message header."); # Initialize modification ID counter. 
$self->{"mod_id"} = ($$ * 1001) % (10 ** (rand() * 6)); # Disable randomness when testing $self->{"mod_id"} = 99 if ($conf->{"feat_testing"}); # Store initial value for comparisons later. $self->{"base_mod_id"} = $self->{"mod_id"}; $self->{"logd_mod_id"} = $self->{"mod_id"}; # Append blurb to header. { my $t; chomp $message->{"rawheader"}; $message->{"rawheader"} .= $self->expand("$t\012") if ($t = $conf->{"header_info"}); $message->{"rawheader"} .= $self->expand("$t\012") if ($t = $conf->{"header_url"}); $message->{"rawheader"} .= $self->expand("$t\012") if ($t = $conf->{"header_rev"}); for my $n (1..$conf->{"force_headers"}) { my $h = $conf->{"force_header_$n"}; next unless $h; my ($hdr, $val) = split(/:\s+/, $h); unless ($message->{"headers"}->{lc($hdr)}) { $message->{"rawheader"} .= $self->expand("$h\012"); $message->{"log"}->entry("force_header", SLOG_WARNING, { header => $hdr, value => $val }, "Added default value (%value%) for header %header%"); } } $message->{"rawheader"} .= "\012"; } # Force message to be multipart/mixed, if it isn't already that or # plain text which we know we can append a log to. if ((($conf->{"feat_log_after"}) && ($message->{"mime"}->{"_type"} !~ /^multipart\//i)) || (($conf->{"feat_log_inline"} > 1) && ($message->{"mime"}->{"_type"} !~ /^(multipart\/mixed|text\/(plain|html))$/i))) { $message->{"log"}->entry("forced-multipart", SLOG_WARNING, undef, "Forcing message to be multipart/mixed, to facilitate logging."); my $mt = lc($message->{"mime"}->{"_type"}); $message->{"parsers"}->{"ORG/$mt"} = $message->{"parsers"}->{"$mt"}; $message->{"parsers"}->{"$mt"} = sub { return $self->WrapWithMultipart(@_); }; } # Parse everything else! $message->ParseBody(); # Dump log to STDERR if requested, things like that. $self->DumpLog($self->{"log"}, undef, 1); my $changes = ($self->{"mod_id"} - $self->{"base_mod_id"}); return 1 if ($changes > 1000000); # 1000000 is magic ... 
    return 1 if (($conf->{"score_bad"}) && ($changes > $conf->{"score_bad"}));
    return 0;
}

sub register_scanner
{
    my $self = shift;
    my $name = shift;
    my $scanner = shift;

    $self->{"scanners"}->{lc($name)} = $scanner;
}

sub load_mime_filenames
{
    my ($self, $mimetypes) = @_;

    local *MT;
    return undef unless open(MT, "< $mimetypes");
    while (<MT>)
    {
        if (/^([a-z]\S+)\s+(\S+)/i)
        {
            # Only the first extension listed for a type is used, and
            # built-in defaults are never overridden.
            my ($type, $ext) = (lc($1), lc($2));
            $self->{"filenames"}->{$type} = "unnamed.$ext"
                unless (defined $self->{"filenames"}->{$type});
        }
    }
    close(MT);
    return 1;
}

##[ Helper routines ]##########################################################

sub WrappedParsers
{
    my $self = shift;
    my $wrapped = { };

    # Wrap each parser so it is called with the sanitizer object first.
    foreach my $p (keys(%{ $self->{"parsers"} }))
    {
        my $c = $self->{"parsers"}->{$p};
        $wrapped->{$p} = sub { return &$c($self, @_); };
    }

    return $wrapped;
}

##[ Sanitizers, output, etc. ]#################################################

# This will print out the contents of $log, if the time looks right.
#
# Unfortunately, we can't guarantee that the time will /ever/ be right,
# so this may fail to embed the logs in the message - they are guaranteed
# to go to stderr though.  The logs try to be as unobtrusive as possible.
# sub DumpLog { my $self = shift; my $plog = shift; my $conf = $self->{"conf"}; my $part = shift; my $finished = shift; my $type = $part->{"mime"}->{"_type"} if ($part); my $inline = (($conf->{"feat_log_inline"}) && ($part)); my $alevel = SLOG_WARNING|SLOG_ERROR; $alevel = SLOG_ALL if ($conf->{"feat_log_trace"}); my $astext = $self->{"log"}->print_as_text($alevel); $inline = 0 if ($astext =~ /^\s*$/); my $ppart; if ($inline) { if ($ppart = $part->{"parent"}) { $inline = 0 if ($ppart->{"parent"}); $inline = 0 if ($ppart->{"mime"}->{"_type"} =~ /^(multipart\/mixed|text\/)/i); $inline = 0 if ($type !~ /^text\/(plain|html)/i); $inline = 0 if ($part->{"sanitizer_dumped_log"}); } } my $prelog = \$conf->{"msg_log_prefix"}; my $signature = ""; $signature = $conf->{"msg_signature"} unless ($conf->{"feat_testing"}); print STDERR "DumpLog: inline=$inline finished=$finished\n" if ($ENV{SANITIZER_DEBUG}); if (($inline || $finished) && ($self->{"logd_mod_id"} != $self->{"mod_id"})) { # Record total changes (so far). $self->{"logd_mod_id"} = $self->{"mod_id"}; $plog->entry("modifications", SLOG_INFO, { base => $self->{"base_mod_id"}, end => $self->{"mod_id"}, # Scores of >1000000 are magic, used by ! policies. total => ($self->{"mod_id"}-$self->{"base_mod_id"}) % 1000000 }, "Total modifications so far: %total%"); } if ($inline) { $alevel |= SLOG_INFO; if ($type =~ /^multipart\/mixed/i) { $part->WriteText("\n") unless ($part->{"Wrote_NL"}); $part->WriteText( $part->{"mime"}->{"_boundpre"}. $part->{"mime"}->{"boundary"} ."\n". "Content-Type: ". $conf->{"sanitizer_log_type"} ."\n". "Content-Transfer-Encoding: 8bit"."\n". "Content-Disposition: ". 
$conf->{"sanitizer_log_disp"} ."\n"); if (my $size = $conf->{"feat_log_after"}) { $part->WriteText($self->CreateScratchSpace($part->{"log"}, $size)); } if ($conf->{"feat_log_inline"}) { $part->WriteText("\n"); if ($conf->{"feat_log_xml"}) { $part->WriteText("\n \n".$self->expand($$prelog)."\n \n"); $part->WriteText($self->{"log"}->print_as_xml($alevel)); $part->WriteText($self->expand(" \n$signature\n \n\n")); print STDERR "DumpLog: dumped as XML.\n" if ($ENV{SANITIZER_DEBUG}); } else { $part->WriteText($self->expand($$prelog)."\n"); $part->WriteText($self->{"log"}->print_as_text($alevel)); $part->WriteText($self->expand("\n$signature\n")); print STDERR "DumpLog: dumped as text.\n" if ($ENV{SANITIZER_DEBUG}); } } else { # No log, we're adding logs after the fact in scratch spaces. $part->WriteText("\n\n"); print STDERR "DumpLog: not dumping logs: no thanks!\n" if ($ENV{SANITIZER_DEBUG}); } $part->{"sanitizer_dumped_log"} = 1; } elsif (($conf->{"feat_log_inline"} > 1) && ($ppart)) { # Do nothing, we know a multipart opportunity will show # up eventually. :-) print STDERR "DumpLog: not dumping logs: expect multipart.\n\n" if ($ENV{SANITIZER_DEBUG}); } elsif ($type =~ /^(text\/plain|application\/pgp)/i) { $part->WriteText($self->expand("\n-- \n$$prelog\n")); $part->WriteText($self->{"log"}->print_as_text($alevel)); $part->WriteText($self->expand("\n$signature\n")); $part->{"sanitizer_dumped_log"} = 1; print STDERR "DumpLog: dumped inline as text.\n" if ($ENV{SANITIZER_DEBUG}); } elsif ($type =~ /^text\/html/i) { $part->WriteText($self->expand("


$$prelog

\n")); $part->WriteText($self->{"log"}->print_as_html($alevel, "", "black")); $part->WriteText($self->expand("

$signature

\n")); $part->{"sanitizer_dumped_log"} = 1; print STDERR "DumpLog: dumped inline as HTML.\n" if ($ENV{SANITIZER_DEBUG}); } else { print STDERR "DumpLog: fell through, no space for log!\n" if ($ENV{SANITIZER_DEBUG}); } } if (($finished) && ($conf->{"feat_log_stderr"})) { $alevel |= SLOG_INFO; if ($conf->{"feat_log_xml"}) { print STDERR $self->{"log"}->print_as_xml($alevel); } else { print STDERR $self->{"log"}->print_as_text($alevel); } } } # This will create a new file based on the "file_name_tpl" template. # Returns undef on failure. # my $caf_inc = 0; my @charray = ('A'..'Z', 0..9); sub CreateAttFile { my $self = shift; my $conf = $self->{"conf"}; my $fn = shift; my $ofn = shift; my $fh = undef; my $cnt = 0; # This is the file name we use on disk - keep it as simple as possible. $ofn = Anomy::MIMEStream::Encode7bit(undef, $ofn); $ofn =~ s/[^A-Za-z0-9\.-]/_/gs; # Keep it short! $ofn =~ s/_+/_/g; $ofn =~ s/^.*(.{80})$/$1/; do { my $T = time(); my ($S, $M, $H, $d, $m, $y, $wd, $yd) = localtime($T); $$fn = $conf->{"file_name_tpl"} || return undef; # Date stuff $$fn =~ s/\$T/ sprintf("%x", $T) /eg; $$fn =~ s/\$S/ sprintf("%2.2d", $S) /eg; $$fn =~ s/\$M/ sprintf("%2.2d", $M) /eg; $$fn =~ s/\$H/ sprintf("%2.2d", $H) /eg; $$fn =~ s/\$d/ sprintf("%2.2d", $d) /eg; $$fn =~ s/\$m/ sprintf("%2.2d", $m + 1) /eg; $$fn =~ s/\$y/ sprintf("%2.2d", $y % 100) /eg; $$fn =~ s/\$Y/ sprintf("%d", $y + 1900) /eg; $$fn =~ s/\$w/ sprintf("%d", $wd) /eg; $$fn =~ s/\$j/ sprintf("%03d", $yd + 1) /eg; # PID $$fn =~ s/\$P/ sprintf("%x", $$) /eg; # Safe file name $$fn =~ s/\$F/$ofn/g; # Random characters if ($conf->{"feat_testing"}) { $$fn =~ s/\$/ $charray[ ($caf_inc++ % 35) ] /eg; } else { $$fn =~ s/\$/ $charray[ int(rand(35.99)) ] /eg; } eval '$fh = '.$conf->{system_io_file}.'->new($$fn, O_CREAT|O_EXCL|O_RDWR);'; } while (($cnt++ < 5) && (!defined $fh)); # FIXME: This is better than the old cryptic error, but we really # should just return undef and let the caller handle things. 
# Unfortunately, when I tested that it caused unpredictable cleanup # behavior if file-name templates were non-unique. # die "Failed to create $$fn: $!\n". "HINT: Make sure file_name_tpl suggests file names in a directory\n". " which exists and is writable by the Sanitizer.\n" unless (defined ($fh)); binmode($fh); return $fh; } # Zero out scan result variables, just in case sub ResetScanFileVariables { my $self = shift; foreach my $k (grep(/^filescan-/i, keys(%{ $self }))) { $self->{$k} = undef; } } # Scan a file for viruses, using the given command string. # sub ScanFile { my $self = shift; my $plog = shift; my ($e1, $e2, $e3, $cmd) = split(/:/, shift, 4); my $filename = shift; my $fh = shift; my $md5x2 = shift; # This is a double MD5 sum of the attachment data. my $fnp = shift; return 0 unless (defined $cmd); my $log = $plog->sublog("ScanFile", SLOG_TRACE, { file => $filename }); my @args = map { $_ =~ s/%FILENAME/$filename/gi; $_ =~ s/%ATTNAME/$$fnp/gi; $_ =~ s/%REPLY_TO/$self->{common}->{"reply-to"}/gi; $_ =~ s/%ERRORS_TO/$self->{common}->{"errors-to"}/gi; $_ =~ s/%HEADER\(([a-z_-]+)\)/$self->{common}->{headers}->{$1}/gi; $_ } split(/\s+/, $cmd); my $spid = undef; my $sleeps = 0; my $result = -9999; $log->entry("command", SLOG_TRACE|SLOG_DEBUG, undef, $cmd); # Use built-in scanner if requested. if (lc($args[0]) =~ /^builtin\/?(.*)$/) { my $cmd = $self->{"scanners"}->{lc($1)}; my $junk = shift @args; $result = (256 * &$cmd($self, $log, $fh, $md5x2, @args)) if (defined $cmd); } else { # Flush buffers, before forking. STDOUT->flush(); STDERR->flush(); do { unless (defined ($spid = open(SCANNER, "-|"))) { $log->entry("error", SLOG_ERROR, { text => "$!" }, "Cannot fork: %text%"); return 3 if ($sleeps++ > 6); sleep(10); } } until (defined $spid); if (!$spid) # Are we the kid? { print STDOUT "Scan cmd: ", join(' ', @args), "\n"; # We want the scanner's stderr to be sent to stdout! 
            close(STDERR) && open(STDERR, ">&STDOUT") ||
                print STDOUT "WARNING: Couldn't dup STDOUT!\n";
            STDOUT->flush();

            # List-form exec with an explicit program name: the scanner
            # is started directly, without passing through a shell.
            unless (exec { $args[0] } @args)
            {
                print STDOUT "Exec failed: $!\n";
                die "Exec failed: $!";
            }
        }

        # Not the kid, read the scanner's output.
        while (my $l = <SCANNER>)
        {
            # Lines of the form "Anomy-FileScan-Xxx: value" set the
            # corresponding filescan-xxx result variable.
            if ($l =~ /^anomy-(filescan-\S+):\s+(.*)\s*$/i)
            {
                print STDERR "*** Got $1 = $2\n";
                $self->{lc($1)} = $2;
            }
            $log->entry("output", SLOG_TRACE|SLOG_DEBUG, undef, $l);
        }
        close (SCANNER);
        $result = $self->{"filescan-result"} || $?;
    }

    my $rs = $self->{"filescan-summary"};
    my $rt = $self->{"filescan-description"};

    # Was file clean?
    for my $v (split(/,/, $e1))
    {
        if ($result == (256 * $v))
        {
            $log->entry("result", SLOG_INFO,
                        { summary => $rs || "clean", code => $result },
                        $rt || "Scan succeeded, file is clean.");
            return 0;
        }
    }

    # Was file dirty, but is now clean?
    for my $v (split(/,/, $e2))
    {
        if ($result == (256 * $v))
        {
            $log->entry("result", SLOG_WARNING|SLOG_INFO,
                        { summary => $rs || "disinfected", code => $result },
                        $rt || "File was infected, but the virus checker fixed it.");
            return 1;
        }
    }

    # Was file dirty and unfixable?
    for my $v (split(/,/, $e3))
    {
        if ($result == (256 * $v))
        {
            $log->entry("result", SLOG_WARNING|SLOG_INFO,
                        { summary => $rs || "infected", code => $result },
                        $rt || "File was infected, the virus checker couldn't fix it.");
            return 2;
        }
    }

    # Anything else is treated as a scanner error.
    $log->entry("result", SLOG_WARNING|SLOG_INFO|SLOG_ERROR,
                { summary => $rs || "error", code => $result },
                $rt || "Unknown exit code: %code%");
    return 3;
}

# Clean/scan a file, sanitize the file name.
#
# This will change the part's reader pointer to point to a virtual on-disk
# part, if a virus scanner is used.
# sub SanitizeFile { my ($self, $part, $mime) = @_; my $conf = $self->{"conf"}; my $unknown = undef; my $fnp = \$unknown; my $typep = \$unknown; my $minc = 0; for my $fhn ("name", "filename") { $fnp = \$mime->{$fhn} if ($mime->{$fhn}); } $typep = \$mime->{"_type"} if ($mime->{"_type"}); # Don't apply rules to multipart or message parts, or inline # parts (e.g. forwarded messages). return undef if ($$typep =~ /^m(ultipart|essage)\//i); my $log = new Anomy::Log; $self->ResetScanFileVariables(); # If no file name is specified, create one from the MIME type. if (!defined $$fnp) { my $t = $self->{"filenames"}->{lc($$typep)}; $t = $conf->{"file_default_filename"} if (!defined $t); $fnp = \$t if ($t); # Abort if the part still has no file name. return undef unless ($$fnp); # Forcibly add a file name to unnamed parts? if (($conf->{"feat_force_name"}) && ($part->{"mime"}->{"_type"}) && ($part->{"mime"}->{"_type"} !~ /^(inline\/)?text\/(plain|html)/i)) { $part->{"mime-headers"}->{"content-type"} .= " name"; $mime->{"name"} = $t; $fnp = \$mime->{"name"}; $minc = 1 unless ($minc); $log->entry("default_name", SLOG_INFO, { default => $t }, "No attachment name found, using default (%default%)."); } } # Get a list of all possible file names for this attachment my @filenames = map { ($_->{"data"}, $_->{"raw"}) } $part->GetMIMEAttributes('(?i)^(file)?name$'); push @filenames, $$fnp; # Make sure the list doesn't repeat itself. my $l = undef; @filenames = grep { ($_ ne $l) && ($l = $_) } sort @filenames; my %filenames = map { $_ => 1 } @filenames; # Perform basic magic on the first few bytes of data and check the # filetype integrity based on that. Add names to the list of # filenames we check. my $part_readahead = $part->Readahead(512); my ($unused, $unused, $unused, @types) = check_file_type( mime_type => $$typep, snippet => $part_readahead ); foreach my $t (@types) { my $name = "filetype.".$t->{id}; push @filenames, $name; $filenames{$name} = 1; } # Look even harder... 
if ($conf->{"feat_mime_files"}) { my @mimetypes = map { ($_->{"data"}, $_->{"raw"}) } $part->GetMIMEAttributes('(?i)^_type$'); foreach my $t (@mimetypes) { my $name = $self->{"filenames"}->{lc($t)}; if ($name && !$filenames{$name}) { push @filenames, $name; $filenames{$name} = 1; } } } # And keep looking harder... foreach my $h ("_description", "_id") { foreach my $v (map { ($_->{"data"}, $_->{"raw"}) } $part->GetMIMEAttributes("(?i)^$h\$")) { $v = $1 if ($v =~ /^<+(.*?)>+\s*$/); # Skip @foo.com type names, they shouldn't match anyway. next if ($v =~ /\@\S+\.com$/i); if (($v =~ /\./) && (!$filenames{$v})) { push @filenames, $v; $filenames{$v} = 1; } } } my $filenames = join(', ', @filenames); # Insert our log into part log. $part->{"log"}->sublog("SanitizeFile", SLOG_TRACE, { filename => $filenames, mimetype => $$typep, }, $log); # Store original file name & type, initialize other variables. my $ofn = $$fnp; my $attname = $$fnp; my $otype = $$typep; my $pol = undef; my @matched = ( ); my $fh = undef; my $filename = undef; my $scanned = 0; # Check policies... 
my @rules = (0..$conf->{"file_list_rules"}, "default"); my $rec = 0; my $ip = 1; while (($ip > 0) && ($ip < @rules) && ($rec++ < (@rules * 2))) { my $i = $rules[$ip]; $ip++; next unless (($i eq "default") || ($conf->{"file_list_$i"})); $log->entry("Check_Rule", SLOG_TRACE, { rule => $i, list => $conf->{"file_list_$i"} }, "Rule %rule%: %list%") if ($i ne "default"); if (($i eq "default") || (my @fn_match = grep { $_ =~ $conf->{"file_list_$i"} } @filenames)) { $ofn = $$fnp = $fn_match[0] if (@fn_match && ($ofn eq $$fnp)); my %fn_match = ( names => join(', ', @fn_match)) if (@fn_match); my $mlog = $log->sublog("Match", SLOG_INFO, { rule => $i, %fn_match }); push @matched, $i; my @policy = split(":", $conf->{"file_default_policy"}); @policy = split(":", $conf->{"file_list_${i}_policy"}) if ($conf->{"file_list_${i}_policy"}); my $scan_result = 0; if ((@policy == 1) && (lc($policy[0]) =~ /^drop\!?$\s*/)) { while ($part->Read()) { }; } elsif ((@policy == 4) || (lc($policy[0]) =~ /^save\!?\s*$/)) { # Create a file name from our template. my $ofh = $fh; if (($fh) || ($fh = $self->CreateAttFile(\$filename, $$fnp))) { my $md5_1 = new Digest::MD5; my $md5_2 = new Digest::MD5; $md5_2->add("Shift!"); my $size = 0; if (!$ofh) { # Save the attachment to disk... while (my $l = $part->Read()) { # FIXME: need better error handling! $fh->print($l) || die; $md5_1->add($l); $md5_2->add($l); $size += length($l); } $fh->flush(); } # Log stuff. my $dig = $md5_1->hexdigest().$md5_2->hexdigest(); $mlog->entry("saved-file", SLOG_TRACE, { file => $filename, digest => $dig, size => $size }, "Saved attachment as %file% (%size% bytes, digest %digest%)."); # We want to scan this attachment if (@policy == 4) { $scan_result = $self->ScanFile($mlog, $conf->{"file_list_${i}_scanner"}, $filename, $fh, $dig, $fnp); $scanned = 1; if ($scan_result == 1) { # File was disinfected, message will be modified # one way or another. 
$minc = 1 unless ($minc); } if (my $n = $self->{"filescan-newfile"}) { print STDERR "*** New file! $n\n"; my $nfh; eval '$nfh = new '.$conf->{system_io_file}.' "<$n";'; if ($nfh) { $fh = $nfh; $filename = $n; $mime->{"_encoding"} = "Base64"; $part->{"encoder"} = $part->{"encoders"}->{"base64"};; $minc = 1 unless ($minc); } } if (my $n = $self->{"filescan-newname"}) { $n =~ s,^.*/,,g; $$fnp = $n; $minc = 1 unless ($minc); } if (my $t = $self->{"filescan-newtype"}) { $mime->{"_type"} = $t; $minc = 1 unless ($minc); } if (my $enc = $self->{"filescan-newenc"}) { unless ($part->{"encoder"} = $part->{"encoders"}->{lc($enc)}) { $enc = 'Base64'; $part->{"encoder"} = $part->{"encoders"}->{lc($enc)}; } $mime->{"_encoding"} = $enc; $minc = 1 unless ($minc); } } } else { # Error :( $mlog->entry("error", SLOG_WARNING|SLOG_INFO|SLOG_ERROR, undef, "Failed to create temporary file for scanning attachment!"); $scan_result = 3; } } $pol = lc($policy[$scan_result]) || "defang"; $pol =~ s/\s*$//g; # Branching is cool. $ip = $1 if ($pol =~ s/\^(\d+)$//); # 1000000 is magic... $minc = 1000001 if ($pol =~ s/\!$//); my $llev = SLOG_INFO; $llev |= SLOG_WARNING if ($pol !~ /accept/i); $mlog->entry("policy", $llev, { name => $pol }, "Enforced policy: %name%"); # Enforce policy, based on scan result. if ($pol eq "mangle") { $minc = 1 unless ($minc); $$fnp = $conf->{"msg_blacklisted"} .".". $conf->{"msg_defanged"} ."-".$self->{"mod_id"}; $$typep = "application/". $conf->{"msg_defanged"} ."-".$self->{"mod_id"}; $mime->{"_id"} = "<".$conf->{"msg_defanged"} ."-".$self->{"mod_id"}.">"; } elsif ($pol eq "defang") { $minc = 1 unless ($minc); $$fnp =~ s/\./_/g; $$fnp .= ".". $conf->{"msg_defanged"} ."-".$self->{"mod_id"}; $$typep = "application/". 
$conf->{"msg_defanged"} ."-".$self->{"mod_id"}; $mime->{"_id"} = "<".$conf->{"msg_defanged"} ."-".$self->{"mod_id"}.">"; } elsif ($pol =~ /^(drop|save|panic)$/i) { $minc = 1 unless ($minc); my $what = $1; my $fn = $filename; $fn =~ s/^.*\///g; # Make info available to the replacement template code. $conf->{"var_checkedname"} = $$fnp; $conf->{"var_filename"} = $attname; $conf->{"var_savedname"} = $fn; $conf->{"var_virusname"} = $self->{"filescan-virusname"}; $conf->{"var_summary"} = $self->{"filescan-summary"}; $conf->{"var_description"} = $self->{"filescan-description"}; # This keeps the file from getting reincluded. while ($part->Read()) { }; $fh = undef; # Replace it with our "file deleted" message. my $msg = $self->expand_msg("file_". lc($what)); my $eol = $part->{"EOL"}; $msg =~ s/\n/$eol/gs; $part->UnRead($msg); # Fix encoding etc. $mime->{"_encoding"} = "8bit"; $mime->{"charset"} = $conf->{"var_def_charset"}; $mime->{"_disposition"} = "inline"; $mime->{"_id"} = "<".$conf->{"msg_defanged"} ."-".$self->{"mod_id"}.">"; $part->{"encoder"} = $part->{"encoders"}->{"8bit"}; if ($part->{"uupart"}) { $part->{"postponed"} = undef; $part->{"rawheader"} = undef; $part->{"uupart"} = 0; } $$typep = "text/plain"; $$fnp = $conf->{"msg_defanged"} ."-".$self->{"mod_id"}.".txt"; # Make sure our modifications are actually used! $part->{"mime-headers"}->{"content-type"} = "_type charset"; $part->{"mime-headers"}->{"content-type"} .= " name" if ($mime->{"name"}); $part->{"mime-headers"}->{"content-transfer-encoding"} = "_encoding"; $part->{"mime-headers"}->{"content-disposition"} = "_disposition"; $part->{"mime-headers"}->{"content-disposition"} .= " name" if ($mime->{"name"}); # This may keep the file from getting deleted. $filename = undef if ($pol eq "save"); } if (defined $fh) { # Prepare to re-read attachment from disk. # I suppose this is bad OO-form. $fh->seek(0, SEEK_SET); $part->ReadFrom($fh); } # Keep trying? next if ($pol eq "unknown"); # Keep trying? 
            if ($pol eq "warn") {
                $minc = 1 unless ($minc);
                next;
            }

            # Done!
            last;
        }
    }

    # Cleanup.
    unlink $filename if ($filename);

    # Ensure the file name matches the content and MIME type
    if (($conf->{"feat_sane_names"}) &&
        ((!$ofn) || ($$fnp eq $ofn)))
    {
        my $check = undef;
        my $bad_name = 0;
        my ($is_evil, $is_suspicious) = check_file_type(
            mime_type => $$typep,
            file_names => [ $$fnp ],
            snippet => $part_readahead
        );
        if ($is_evil || $is_suspicious) {
            $log->entry("content_mismatch", SLOG_INFO,
                        { file => $$fnp, type => $$typep },
                        "File name doesn't match file contents, defanging.");
            $bad_name = 1;
        }
        elsif (($check = $self->{"name_type_checks"}->{lc($$typep)}) &&
               ($$fnp !~ $check))
        {
            $log->entry("mime-type_mismatch", SLOG_INFO,
                        { file => $$fnp, type => $$typep },
                        "File name doesn't match MIME type, defanging.");
            $bad_name = 1;
        }
        if ($bad_name) {
            $$fnp =~ s/\./_/g;
            $$fnp .= ".". $conf->{"msg_defanged"} ."-".$self->{"mod_id"};
            $$typep = "application/". $conf->{"msg_defanged"} ."-".$self->{"mod_id"};
        }
    }

    # Remove spooky characters from file name.
    if (my $clist = $conf->{"file_characters"}) {
        $$fnp =~ s/[^$clist\.-]/_/g;
    }

    # Truncate file name length, by chopping off anything preceding the
    # last 80 characters - the extension matters more than the beginning
    # of the name.
    $minc = 1 if (($$fnp =~ s/^.*(.{80})$/$1/) && (!$minc));

    # Format the list of rules matched.
    my $matches = join(", ", @matched);
    $matches =~ s/-1/default/;

    if (($ofn) && ($$fnp ne $ofn)) {
        $minc = 1 unless ($minc);

        # Mangle x-mac-* headers if present, so Eudora won't work
        # around the mangling.
        if ($part->{"rawheader"} =~ s/^x-mac/X-$conf->{"msg_defanged"}\[$self->{"mod_id"}\]-MAC/gim) {
            $log->entry("defanged-x-mac", SLOG_WARNING|SLOG_INFO,
                        { id => $self->{"mod_id"} },
                        "Defanged part's X-Mac headers.");
        }

        # Change the description of the part as well...
        if (defined $mime->{"_description"}) {
            $mime->{"_description"} = "Renamed from '$ofn' to '$$fnp'";
        }

        # Log change...
        $log->entry("new-mimetype", SLOG_WARNING|SLOG_INFO,
                    { id => $self->{"mod_id"}, value => $$typep },
                    "Replaced mime type with: %value%")
            if (($otype) && ($otype ne $$typep));
        $log->entry("new-filename", SLOG_WARNING|SLOG_INFO,
                    { id => $self->{"mod_id"}, value => $$fnp },
                    "Replaced file name with: %value%");
    }

    if ($mime->{"filename"}) {
        $mime->{"name"} = $mime->{"filename"};
    }

    # Increment modification ID.
    $self->{"mod_id"} += $minc;
}

# Truncate just about anything, printing out a blurb at the same
# time. The fourth argument is a replacement value to use instead
# of the overly-long original one. Omitting it just truncates the
# field.
#
sub Truncate
{
    my $self = shift;
    my $dataname = shift;
    my $data = shift;
    my $maxlen = shift;
    my $safeval = shift;
    my $log = shift;

    if ($maxlen < length($$data)) {
        $safeval = substr($$data, 0, $maxlen) unless ($safeval);
        $log->entry("truncated", SLOG_WARNING|SLOG_INFO,
                    { id => $self->{"mod_id"}, what => $dataname,
                      old => $$data, new => $safeval, max => $maxlen },
                    "Rewrote long ( >%max% bytes ) %what% from:\n".
                    " >>%old%<<\n".
                    " to >>%new%<<");
        $self->{"mod_id"}++;
        $$data = $safeval;
    }
}

# This routine will truncate and rewrite message headers, to block
# buffer-overflow exploits and filename-based trojans.
#
sub SanitizeHeaders
{
    my $self = shift;
    my $conf = $self->{"conf"};
    my $part = shift;
    my $boundfix = shift;
    my $writer = $part->{"writer"} || $part;
    my $headers = $part->{"headers"};
    my $mime = { };
    my $eol = $writer->{"EOL"};

    # Copy headers...
    foreach my $key (keys(%{ $part->{"mime"} })) {
        $mime->{$key} = $part->{"mime"}->{$key};
    }

    my $old_mod_id = $self->{"mod_id"};
    my $log = $part->{"log"};

    # Header length checks, more strict than the generic tests below.
    if ($conf->{"feat_lengths"}) {
        $self->Truncate("MIME content-type", \$mime->{"_type"}, 80,
                        "application/octet-stream", $log);
        $self->Truncate("MIME charset", \$mime->{"charset"}, 40,
                        $conf->{"var_def_charset"}, $log);
        $self->Truncate("MIME encoding", \$mime->{"_encoding"}, 40,
                        "8bit", $log);

        # Make sure subject line is of a reasonable length, if it looks
        # remotely like it contains a file name.
        if (($headers->{"subject"} =~ /\.[A-Za-z0-9]+/) &&
            (length($headers->{"subject"}) > 256))
        {
            my $s = $writer->DecodeHeader($headers->{"subject"});
            chomp $s;
            $s =~ s/[ \t]+/ /g;
            $s =~ s/^.*(.{150,150})$/$1/s;
            $s = $writer->EncodeHeader($s).$eol;
            $writer->{"rawheader"} =~ s/(Subject:.*?)\Q$headers->{"subject"}\E/$1$conf->{"msg_defanged"}\[$self->{"mod_id"}] $s/si;
            $s = $headers->{"subject"};
            chomp $s;
            $log->entry("truncated-subject", SLOG_WARNING|SLOG_INFO,
                        { id => $self->{"mod_id"}, value => $s },
                        "Truncated long subject line:\n >>%value%<<");
            $self->{"mod_id"}++;
        }

        # This is more strict than the following header scan, and is
        # designed to explicitly defang the Outlook Date: overflow.
        if ($writer->{"rawheader"} =~ s/(\nDate:\s*[^\012]{65,65})([^\012]+)/$1\012X-$conf->{"msg_defanged"}-Date: [$self->{"mod_id"}] $2/gs) {
            $log->entry("split-date", SLOG_WARNING|SLOG_INFO,
                        { id => $self->{"mod_id"} },
                        "Split unusually long Date: header.");
            $self->{"mod_id"}++;
        }

        # This will limit the length of each individual word in the headers
        # to 256 characters, inserting a text marker and spaces when longer
        # words are encountered. This is designed to foil attacks based on
        # vulnerabilities like those described in various bugtraq posts
        # in July 2000, including the USSR-2000050 advisory.
        #
        my $spaces = " " x (1 + rand()*7);
        $spaces = " " if ($conf->{"feat_testing"});
        if ($writer->{"rawheader"} =~ s/(\S{256,256})/$conf->{"msg_defanged"}\[$self->{"mod_id"}]:$1$2 "$spaces" /gs) {
            $log->entry("split-words", SLOG_WARNING|SLOG_INFO,
                        { id => $self->{"mod_id"} },
                        "Split unusually long word(s) in header.");
            $self->{"mod_id"}++;
        }
    }

    # File name sanity checks...
    if ($conf->{"feat_files"}) {
        $self->SanitizeFile($part, $mime);
    }

    # Add missing boundary definitions to headers, if possible.
    if (($conf->{"feat_fixmime"}) &&
        ($mime->{"_type"} =~ m"^multipart/"i) &&
        (!defined($mime->{"boundary"})) &&
        (my $bound = $part->GuessBoundary()))
    {
        $mime->{"boundary"} = $bound;
        $mime->{"_boundpre"} = "--";
        $mime->{"undecoded-boundary"} = $bound;
        $part->{"mime-headers"}->{"content-type"} .= " boundary";
        $log->entry("missing-boundary", SLOG_WARNING|SLOG_INFO,
                    { id => $self->{"mod_id"}, new => $mime->{"boundary"} },
                    "MIME boundary missing, guessed: >>%new%<<");
        $self->{"mod_id"}++;
    }

    # Replace MIME type if we have exceeded our maximum nesting level.
    if (($self->{"mime_depth"} >= $self->{"conf"}->{"max_mime_depth"}) &&
        ($mime->{"_type"} =~ m"^multipart/"i))
    {
        $mime->{"_type"} = "application/". $conf->{"msg_defanged"} ."-".$self->{"mod_id"};
        $mime->{"boundary"} = undef;
        $log->entry("multipart-depth", SLOG_WARNING|SLOG_INFO,
                    { id => $self->{"mod_id"} },
                    "Exceeded maximum allowed MIME nesting depth.");
        $self->{"mod_id"}++;
    }

    # Replace the boundary string: we know ours is sane! :-)
    if ((($conf->{"feat_boundaries"}) ||
         ($mime->{"boundary"} eq "") ||
         (($conf->{"feat_fixmime"}) &&
          ($mime->{"undecoded-boundary"} =~ /[\(\)]/))) &&
        ($boundfix) &&
        (defined $mime->{"boundary"}))
    {
        $part->{"bad-mime-boundary"} = $mime->{"boundary"};
        if ($conf->{"feat_testing"}) {
            $mime->{"boundary"} = "MIMEStream=_+testing".$self->{"mod_id"};
        }
        else {
            $mime->{"boundary"} = Anomy::MIMEStream::MakeBoundary();
        }
        $mime->{"_boundpre"} = "--";
        $log->entry("replaced-boundary", SLOG_WARNING|SLOG_INFO,
                    { id => $self->{"mod_id"},
                      old => $part->{"bad-mime-boundary"},
                      new => $mime->{"boundary"} },
                    "Replaced MIME boundary: >>%old%<<\n".
                    " with: >>%new%<<");
        $self->{"mod_id"}++;
    }

    # Fix encoding of output so it conforms to MIME standard.
    if (($conf->{"feat_fixmime"}) &&
        (!$part->{"uupart"}) &&
        ( ( ($mime->{"_type"} =~ m"^m(ultipart|essage)/"i) &&
            ($mime->{"_encoding"} !~ /^([78]bit|binary)$/i) ) ||
          ( ($conf->{"feat_log_after"}) &&
            ($mime->{"_type"} =~ m"text/"i) &&
            ($mime->{"_encoding"} !~ /^([78]bit|binary|quoted-printable)$/i) ) ))
    {
        if (my $e = $part->{"encoders"}->{ "8bit" }) {
            $log->entry("fixed-encoding", SLOG_WARNING|SLOG_INFO,
                        { id => $self->{"mod_id"},
                          type => $mime->{"_type"},
                          encoding => $mime->{"_encoding"} },
                        "Fixed invalid/unusable part encoding.");
            $self->{"mod_id"}++;
            $mime->{"_encoding"} = "8bit";
            $part->{"encoder"} = $e;
            $eol = $part->{"EOL"} = $writer->{"EOL"} = $part->{"ENCODED_EOL"};
        }
        else {
            $log->entry("error-encoding", SLOG_WARNING|SLOG_INFO|SLOG_ERROR, undef,
                        "Couldn't fix part invalid encoding!");
        }
    }

    # Some stupid windows clients encode binary data using quoted-printable.
    # Try and fix it.
    #FIXME
    # if (($conf->{"feat_fixmime"}) &&
    #     ($part->{"_encoding"} =~ /quoted/i) &&
    #     ($part->{"_filename"} !~ //))
    # {
    #
    # }

    if (($conf->{"feat_no_partial"}) &&
        (lc($mime->{"_type"}) eq "message/partial"))
    {
        $log->entry("defanged-partial", SLOG_WARNING|SLOG_INFO,
                    { id => $self->{"mod_id"},
                      type => $mime->{"_type"},
                      encoding => $mime->{"_encoding"} },
                    "Defanged dangerous message/partial encoding.");
        $mime->{"_type"} = "application/". $conf->{"msg_defanged"} ."-".$self->{"mod_id"};
        $self->{"mod_id"}++;
    }

    # Rebuild the MIME headers with sane/safe values.
    my $newheaders = "";
    for my $header ("Content-Type",
                    "Content-Transfer-Encoding",
                    "Content-Disposition",
                    "Content-Description",
                    "Content-ID")
    {
        next unless (defined $headers->{lc($header)});

        my @fields = split(/\s+/, $part->{"mime-headers"}->{lc($header)} );
        my $t = undef;
        for my $field (@fields) {
            my $value = $mime->{lc($field)};
            $self->Truncate("MIME $field", \$value, 100, undef, $log)
                if ($conf->{"feat_lengths"});
            my $oval = $value;

            if ($value =~ /^\s*$/) {
                $log->entry("dropped-mime", SLOG_WARNING|SLOG_INFO,
                            { id => $self->{"mod_id"}, field => $field },
                            "Dropped empty MIME field: %field%");
                $self->{"mod_id"}++;
            }
            else {
                if ((($conf->{"feat_paranoid"}) &&
                     ($value =~ s/[\'\"\`\$]/_/g)) ||
                    # Rewrite mime type if it contains illegal chars.
                    (($conf->{"feat_fixmime"}) &&
                     ($field eq "_type") &&
                     ($value =~ s/[^A-Za-z0-9\/\.\+_-]/_/g)))
                {
                    $log->entry("rewrote-mime", SLOG_WARNING|SLOG_INFO,
                                { id => $self->{"mod_id"}, field => $field,
                                  old => $oval, new => $value },
                                "Rewrote MIME field %field% as\n".
                                " >>%new%<< (was >>%old%<<)");
                    $self->{"mod_id"}++;
                }

                if ($t) {
                    my $v = $part->EncodeHeader($value);
                    $v = "\"$v\"" if ($v !~ /^[a-zA-Z0-9]+$/); # Quote?
                    $t .= "; $field=$v";
                }
                else {
                    $t = $value;
                }
            }
        }
        $newheaders .= $header .": ". $t ."\012";

        # Modifying the $headers directly here should be okay, since we are
        # inserting equivalent values (not identical) unless new bugs are
        # found, in which case the raw headers will be updated.
        $headers->{lc($header)} = $t;
    }

    # Add scratch space if necessary...
    if ((my $size = $conf->{"feat_log_after"}) &&
        ($mime->{"_type"} =~ /text\//i))
    {
        $newheaders .= $self->CreateScratchSpace($log, $size);
    }

    # Only modify part header if absolutely necessary.
    if (($conf->{"feat_boundaries"}) ||
        ($self->{"mod_id"} > $old_mod_id))
    {
        $writer = Anomy::MIMEStream->Writer($writer, $mime);
        $writer->KillRawMimeHeaders();
        $writer->{"rawheader"} =~ s/\s*$//s;
        $writer->{"rawheader"} .= "\012" if ($writer->{"rawheader"} ne "");
        if (!$writer->{"parent"}) {
            $writer->{"rawheader"} .= "MIME-Version: 1.0\012";
            $headers->{"mime-version"} = "1.0\012";
        }
        $writer->{"rawheader"} .= $newheaders . "\012";
    }

    # Check for stupid <CR>-in headers Outlook exploit...
    # Internally we always use <LF>, so this shouldn't be a problem.
    if (($conf->{"feat_fixmime"}) &&
        ($writer->{"rawheader"} =~ s/\015/ $conf->{"msg_defanged"}\[$self->{"mod_id"}] /gs))
    {
        $log->entry("cr-in-header", SLOG_WARNING|SLOG_INFO,
                    { id => $self->{"mod_id"},
                      url => "http://www.openoffice.nl/special_interest/outlookbug.html" },
                    "Bare CR removed from header (re: %url%)");
        $self->{"mod_id"}++;
    }

    # Remove any active HTML from header.
    if ($conf->{"feat_html"}) {
        my %html_cfg = ( );
        eval "%html_cfg = (".
             $conf->{"html_cleaner_header"} .")"
            if ($conf->{"html_cleaner_header"});

        my $html_cleaner = new Anomy::HTMLCleaner {
            Log => $log,
            ModCounter => \$self->{"mod_id"},
            DefangString => $conf->{"msg_defanged"},
            NoWebBugs => $conf->{"feat_webbugs"},
            NoExeLinks => $conf->{"feat_html_noexe"},
            UnkownTagsOK => $conf->{"feat_html_unknown"},
            Paranoid => $conf->{"feat_html_paranoid"},
            %html_cfg
        };
        my $rhl = $html_cleaner->clean(\$writer->{"rawheader"});
        $writer->{"rawheader"} .= $rhl;
    }
}

sub CreateScratchSpace
{
    my ($self, $log, $size) = @_;

    my $sid = sprintf("%8.8x%8.8x", rand()*0xFFFFFFFF, rand()*0xFFFFFFFF);
    $sid = "SCRATCH_".$self->{"mod_id"} if ($self->{conf}->{feat_testing});

    $log->entry("scratch-space", SLOG_WARNING|SLOG_INFO,
                { id => $self->{"mod_id"}, size => $size, sid => $sid },
                "Added %size% bytes of scratch space.");
    $self->{"scratch-space"}++;
    $self->{"mod_id"}++;

    return "Content-Junk: $sid ".("X" x $size)."\012";
}

##[ Parsers ]##################################################################

# Wrap a part in a multipart/mixed wrapper.
#
sub WrapWithMultipart
{
    my $self = shift;
    my $conf = $self->{"conf"};
    my $part = shift;
    my $reader = $part;

    $part->{"log"}->entry("parser", SLOG_TRACE, undef, "WrapWithMultipart");

    # Create a new boundary string
    my $bound = Anomy::MIMEStream::MakeBoundary();
    $bound = "Test_Wrapper_Boundary" if ($conf->{"feat_testing"});

    # Update headers
    my $old = $part->KillRawMimeHeaders();
    $old =~ s/^mime-version:.*?\012//mi;

    # Buffer hacks. This is terribly ugly code.
    $part->{"EncodeBase64"} = undef;
    my $buf = "--".$bound.$old."\012\012";
    $buf .= &{ $part->{"encoder"} }($part, $part->{"IOBuffer"});
    $buf .= &{ $part->{"encoder"} }($part, undef);

    # Hack to handle internal state in Base64 decoder.
    if ($part->{"DecodeBase64"}) {
        $buf .= $part->{"DecodeBase64"};
    }
    $part->{"DecodeBase64"} = undef;
    $part->{"IOBuffer"} = $buf;
    $part->{"EOL"} = $part->{"ENCODED_EOL"};

    # Fix parser table
    my $mt = lc($part->{"mime"}->{"_type"});
    $part->{"parsers"}->{"$mt"} = $part->{"parsers"}->{"ORG/$mt"};

    # Create writer
    my $w = Anomy::MIMEStream->Writer($part, {
        "boundary" => $bound,
        "_boundpre" => "--",
        "_type" => "multipart/mixed",
        "_encoding" => "8bit",
        "_version" => "1.0",
    },{
        "mime-version" => "_version",
        "content-type" => "_type boundary",
        "content-transfer-encoding" => "_encoding",
    });

    # Header hack, to save a few cycles.
    $part->{"mime"} = $w->{"mime"};
    $part->{"mime-headers"} = $w->{"mime-headers"};
    undef $part->{"mime-headers"}->{"content-disposition"};

    # Log hack
    $part->{"log"} = $w->{"log"};

    # Encoding hack.
    $w->{"EncodeBase64"} = $part->{"EncodeBase64"} = undef;
    $w->{"DecodeBase64"} = $part->{"DecodeBase64"} = undef;
    $part->{"decoder"} = \&Anomy::MIMEStream::Decode8bit;
    $part->{"encoder"} = \&Anomy::MIMEStream::Encode8bit;

    return $self->CleanMultipart($part);
}

# This sanitizes a text part, and its headers.
#
sub CleanText
{
    my $self = shift;
    my $conf = $self->{"conf"};
    my $html_cleaner = undef;
    my $part = shift;
    my $reader = $part;

    $part->{"log"}->entry("parser", SLOG_TRACE, undef, "CleanText");

    my $eol = $part->{"EOL"};
    my $ishtml = 0;
    if (($part->{"mime"}->{"filename"} =~ /html?$/i) ||
        ($part->{"mime"}->{"name"} =~ /html?$/i) ||
        ($part->{"mime"}->{"_type"} =~ /html?$/i))
    {
        $ishtml = 1;
    }

    my $in_trusted_text = 0;
    $in_trusted_text = 100
        if (($conf->{"feat_trust_pgp"}) &&
            ($part->{"mime"}->{"_type"} =~ /(multipart\/signed|application\/pgp)/i));

    $self->SanitizeHeaders($part, 1);
    my $writer = $part->{"writer"} || $part;
    $writer->WriteHeader();

    # Some sanitizations only make sense at the very top of a file.
    # This determines how many non-blank lines are "near the top".
    my $neartop = 5;

    # Create a HTML cleaner object if needed.
    my $leftovers = undef;
    my %html_cfg = ( );
    eval "%html_cfg = (". $conf->{"html_cleaner_body"} .")"
        if ($conf->{"html_cleaner_body"});
    $html_cleaner = new Anomy::HTMLCleaner {
        Log => $part->{"log"},
        ModCounter => \$self->{"mod_id"},
        DefangString => $conf->{"msg_defanged"},
        NoWebBugs => $conf->{"feat_webbugs"},
        NoExeLinks => $conf->{"feat_html_noexe"},
        UnkownTagsOK => $conf->{"feat_html_unknown"},
        Paranoid => $conf->{"feat_html_paranoid"},
        %html_cfg
    } if ($conf->{"feat_html"});

    while (my $l = $reader->Read()) {
        $l = $leftovers . $l if ($leftovers);

        if ($l =~ /^-+BEGIN.*?(SIGNED|PGP)\s+MESSAGE-+\s*$/smi) {
            if ($conf->{"feat_trust_pgp"}) {
                $in_trusted_text++;
                $part->{"log"}->entry("trust-signed", SLOG_INFO,
                                      { id => $self->{"mod_id"},
                                        silently => $conf->{"feat_verbose"} },
                                      "Disabled scanning for signed part of message.");
                if ($conf->{"feat_verbose"}) {
                    $writer->WriteText($self->expand_msg("pgp_warning"));
                }
                $self->{"mod_id"}++;
            }
        }

        if ($in_trusted_text) {
            $in_trusted_text--
                if ($l =~ /^-+END.*?(SIGNATURE|PGP\s+MESSAGE)-+\s*$/smi);
        }
        # This "else" is safe, since a PGP boundary is harmless.
        else {
            # Check for inline forwarded messages.
            if (($conf->{"feat_forwards"}) &&
                ($l =~ s/^(---+.*?Forward.*?---+\s*)$//smi))
            {
                my $fwd = $1;

                # Deal with leftover html snippets by closing them.
                if (($html_cleaner) && ($l !~ /^\s*$/)) {
                    $l .= $conf->{"msg_defanged"} .".".$self->{"mod_id"}.">$eol";
                    $part->{"log"}->entry("closed-html", SLOG_WARNING|SLOG_INFO,
                                          { id => $self->{"mod_id"} },
                                          "Closed open HTML tag preceding forwarded message.");
                    $self->{"mod_id"}++;
                    $html_cleaner->clean(\$l);
                    $writer->Write($l);
                }
                $writer->Write($fwd);
                $l = $reader->ParserForwardedMessage();
            }

            # Check for inline uuencoded attachments.
            # Sanitize their contents.
            if (($conf->{"feat_uuencoded"}) &&
                ($l =~ s/^(begin \d* \S+.*)$//smi))
            {
                my $pre = $1;

                # Sanity check on UUencoded data...
                my $lh = $reader->Read();
                $reader->UnRead($lh);
                my ($len, $data) = (1000, "no match");
                ($len, $data) = (ord($1), $2) if ($lh =~ /^(\S)(.+)$/m);
                $len -= 32;
                $len = int((($len * 4) + 2) / 3);

                if ($len == length($data)) {
                    $reader->UnRead($pre);

                    # Deal with leftover html snippets by closing them.
                    if (($html_cleaner) && ($l !~ /^\s*$/)) {
                        $l .= $conf->{"msg_defanged"} .".".$self->{"mod_id"}.">$eol";
                        $part->{"log"}->entry("closed-html", SLOG_WARNING|SLOG_INFO,
                                              { id => $self->{"mod_id"} },
                                              "Closed open HTML tag preceding uuencoded attachment.");
                        $self->{"mod_id"}++;
                        $html_cleaner->clean(\$l);
                        $writer->Write($l);
                    }
                    $l = Anomy::MIMEStream::ParserUUAttachment($reader);
                }
                else {
                    # Not really a uuencoded line, escape it.
                    $pre =~ s/begin /begin_/i;
                    $reader->UnRead($pre);
                    $part->{"log"}->entry("uu_begin_bug", SLOG_WARNING|SLOG_INFO,
                                          { id => $self->{"mod_id"},
                                            url => 'http://www.rodos.net/outlook/#begin' },
                                          "Escaped invalid uuencode preamble (%url%)");
                    $self->{"mod_id"}++;
                }
            }
            elsif ($neartop) {
                # Check for Unix shell scripts.
                if (($conf->{"feat_scripts"}) &&
                    ($l =~ s/^#!/#!\/bin\/sh${eol}echo $conf->{"msg_defanged"}.$self->{"mod_id"}${eol}exit${eol}#!/gsm))
                {
                    $part->{"log"}->entry("defanged-shell", SLOG_WARNING|SLOG_INFO,
                                          { id => $self->{"mod_id"} },
                                          "Defanged UNIX shell script(s).");
                    $self->{"mod_id"}++;
                }
            }

            # Sanitize embedded HTML - we do this last so our hiding stuff
            # in $leftovers won't disable the other checks.
            $leftovers = $html_cleaner->clean(\$l) if ($conf->{"feat_html"});
        }

        $neartop-- if (($neartop) && ($l !~ /^\s*$/));

        if ((!$in_trusted_text) &&
            ($ishtml) &&
            ($l =~ s/^(.*)(<\/(?:BODY|HTML))/$2/si))
        {
            $writer->Write($1);
            $self->DumpLog($part->{"log"}, $writer);
        }
        $writer->Write($l);
    }
    $writer->Write($leftovers) if ($leftovers);

    # Append log "signature style"
    $self->DumpLog($part->{"log"}, $writer) if (!$in_trusted_text);

    # Flush buffers
    $writer->Write(undef);
}

# This sanitizes the headers of an otherwise unfamiliar part.
#
sub CleanUnknown
{
    my $self = shift;
    my $part = shift;
    my $parser;

    my $guess = $part->GuessMimeType();
    $part->{"log"}->entry("parser", SLOG_TRACE, undef, "CleanUnknown");

    if ($guess =~ /text\//i) {
        # Why wasn't this marked as text/plain or text/html ?
        return $self->CleanText($part);
    }
    elsif ($guess && ($parser = $part->GetBodyParser($guess))) {
        return &$parser($part);
    }
    elsif ($part->{mime}->{"_type"} =~ m,text/,i) {
        return $self->CleanText($part);
    }

    return $self->CleanHeaders($part);
}

# This sanitizes only the headers of a part.
#
sub CleanHeaders
{
    my $self = shift;
    my $part = shift;

    $self->SanitizeHeaders($part, 0);
    Anomy::MIMEStream::ParserCat($part);

    # BUG: Can't dump logs here, could royally screw up message.
}

# This sanitizes the headers of a message/rfc822 part, before processing
# the part itself with the default handlers.
#
sub CleanRFC822
{
    my $self = shift;
    my $part = shift;

    $part->{"log"}->entry("parser", SLOG_TRACE, undef, "CleanRFC822");

    $self->SanitizeHeaders($part, 0);
    Anomy::MIMEStream::ParserRFC822($part);

    # BUG: Can't dump logs here, could royally screw up message.
}

# This will attempt to sanitize the first part of a message/partial message
# as if it were message/rfc822. Subsequent parts are passed to the "unknown"
# cleaner.
sub CleanPartial
{
    my $self = shift;
    my $part = shift;

    $part->{"log"}->entry("parser", SLOG_TRACE, undef, "CleanPartial");

    # FIXME: Here it should be trivial to dump the attachment to a
    #        temporary file using a name based on info from the header,
    #        so we could reassemble the message for scanning in its entirety.
    #
    # COMMENTS:
    #
    # - Sites which use multiple filtering machines will often never see
    #   all parts present on the same box! This could be solved by
    #   bouncing all incoming message/partial messages to a dedicated
    #   reassembly box instead of invoking Anomy and delivering.
    # - The last seen message would have to be replaced with the assembled
    #   one, inline.
    # - Other messages would be replaced with a "reassembling" message,
    #   Anomy (being a filter) doesn't have enough control to /dev/null
    #   entire messages.
    # - It would be foolish to trust only the ID provided by the incoming
    #   MIME headers.

    return $self->CleanRFC822($part) if ($part->{"mime"}->{"number"} == 1);
    return $self->CleanUnknown($part);
}

# This sanitizes the headers of a multipart part, before processing the
# part itself with the default handlers.
#
sub CleanMultipart
{
    my $self = shift;
    my $reader = shift;

    if ($self->{"mime_depth"} >= $self->{"conf"}->{"max_mime_depth"}) {
        # We only parse recursive MIME up to a certain limit...
        return $self->CleanHeaders($reader);
    }

    $reader->{"log"}->entry("parser", SLOG_TRACE, undef, "CleanMultipart");

    $self->SanitizeHeaders($reader, 1);
    $self->{"mime_depth"}++;
    Anomy::MIMEStream::ParserUnclosedMultipart($reader);
    $self->{"mime_depth"}--;

    # Append sanitization log as separate text part, if this is the end
    # of the outermost multipart/* part.
    #
    my $writer = $reader->{"writer"} || $reader;
    $self->DumpLog($writer->{"log"}, $writer);

    # Garbage collection & cleanup.
    $writer->Close();
    $writer->Amputate();
}

# This sanitizes the headers of a MS-TNEF part, decodes the MS-TNEF data
# sanitizes the contents as if it were MIME and then puts it all back
# together again.
#
sub CleanMS_TNEF
{
    my $self = shift;
    my $reader = shift;
    my $conf = $self->{"conf"};
    my $tnef;

    # Use lazy loading of the TNEFStream stuff, since it has a lot of
    # dependencies. If it's not installed and/or dependencies aren't
    # satisfied we just fall back to "unknown".
    eval 'use Anomy::TNEFStream; $tnef = new Anomy::TNEFStream;';
    if ($@) {
        $reader->{"log"}->entry("parser", SLOG_TRACE, undef,
            "Anomy::TNEFStream not available (probably due to dependancies).");
        return $self->CleanUnknown($reader, @_) if ($@);
    }

    my $printer = $tnef;
    my $writer = $reader->{"writer"};

    $reader->{"log"}->entry("parser", SLOG_TRACE, undef, "CleanMS_TNEF");
    $tnef->Testing(1) if ($conf->{"feat_testing"});

    if ($conf->{"feat_kill_tnef"}) {
        # Log change!
        $reader->{"log"}->entry("TNEF_to_MIME", SLOG_WARNING|SLOG_INFO,
                                { id => $self->{"mod_id"} },
                                "Converted Microsoft TNEF encoded data to MIME.");
        $self->{"mod_id"}++;

        # When killing TNEF we want to modify the part's headers and
        # force the encoding to be 8bit.
        if ($reader->{"mime"}->{"_encoding"} =~ /8bit/i) {
            $writer = $reader;
        }
        else {
            my $mime = {
                "_encoding" => "8bit",
                "boundary" => $tnef->{boundary},
                "_boundpre" => "--",
                "_type" => "multipart/mixed",
            };
            my $pos = {
                "content-type" => "_type boundary",
                "content-transfer-encoding" => "_encoding",
            };
            $writer = Anomy::MIMEStream->Writer($reader, $mime, $pos);
        }
        $printer = $writer;

        # Include old header info
        my $rh = $reader->{"rawheader"};
        chomp $rh;
        $rh =~ s/^([^\s]+)/X-$1/gm;
        $writer->{"rawheader"} = $rh . $writer->{"rawheader"};
    }
    else {
        $writer = $reader;
        $self->SanitizeHeaders($writer, 0);
    }
    $writer->WriteHeader();

    my $tnef_reader = sub { return $reader->Read(); };
    my $tnef_writer = sub { return $writer->Write(@_); };
    # my $debug = undef; #sub { print STDERR @_; };
    my $debug = sub { print STDERR @_; };

    my $log = $reader->{"log"}->sublog("Part", SLOG_TRACE,
                                       { pos => $reader->{"Read_Bytes"} });

    if (0 == $tnef->parse($tnef_reader, $debug)) {
        if ($tnef->tnef_to_mime($debug)) {
            # Initialize reader/writer functions.
            my $r = $tnef->get_mime_reader();
            my $w = $tnef->get_mime_writer();
            my $subpart = Anomy::MIMEStream->New($tnef, $printer, $writer->{"parsers"});
            $subpart->{"log"} = $log;
            $subpart->{"common"} = $reader->{"common"};

            # Set up variables needed for parsing (necessary because
            # we can't call ParseHeader).
            $subpart->{"mime"}->{"boundary"} = $tnef->{"boundary"};
            $subpart->{"mime"}->{"_boundpre"} = "--";

            # Parse & sanitize
            $subpart->ParserMultipart($writer);

            # Reformat to TNEF
            $tnef->mime_to_tnef($debug) unless ($conf->{"feat_kill_tnef"});
        }
    }
    $tnef->dump_tnef($tnef_reader, $tnef_writer, $debug)
        unless ($conf->{"feat_kill_tnef"});

    # Flush.
    $tnef->purge();
    $writer->Write(undef);
}

#EOF#
# vi:ts=4 expandtab
1;

sanitizer-1.76/bin/Anomy/Sanitizer/FProt.pm

#!/usr/bin/perl
#
my $revision = '$Id: FProt.pm,v 1.12 2005/01/04 20:30:13 bre Exp $';
my $version = 'Anomy 0.0.0 : Anomy::Sanitizer::FProt.pm';
#
## Copyright (c) 2002-2005 FRISK Software International. All rights reserved.
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU Lesser General Public License as
## published by the Free Software Foundation; either version 2.1 of the
## License, or (at your option) any later version.
#
##############################################################################
#
# NOTE: Sanitizer development is for the most part sponsored by
#       FRISK Software International, http://www.f-prot.com/. Please
#       consider buying their anti-virus products to show your
#       appreciation.
#
##############################################################################
#
# This module implements a built in scanner which communicates directly
# with the daemonized version of F-Prot Antivirus for Linux.
#
# Using the daemonized version of the scanner offers a significant performance
# increase over the freely available command line version and provides
# more detailed feedback and logs. Contact sales@f-prot.com for information
# on purchasing the daemonized version of F-Prot Antivirus for Linux.
#
# Usage:
#
#   my @url_list = ( "http://localhost:10200",
#                    "http://localhost:10201",
#                    "http://localhost:10202",
#                    "http://localhost:10203",
#                    "http://localhost:10204" );
#   my $scanner_gid = 1234;
#
#   my $fprot = new Anomy::Sanitizer::FProt \@url_list, $scanner_gid;
#
#   #
#   # Note: Either of the two parameters may be undefined, in which
#   #       case the module will use its internal defaults.
#
#   my $san = new Anomy::Sanitizer ...
#   $san->register_scanner("fprot", $fprot->get_sanitizer_callback());
#
##[ Package definition ]######################################################

package Anomy::Sanitizer::FProt;
use strict;

BEGIN {
    use Exporter ();
    use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
    $VERSION = do { my @r = (q$Revision: 1.12 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
    @ISA = qw(Exporter);
    @EXPORT = qw( );
    @EXPORT_OK = qw( );
}
use vars @EXPORT_OK;

my $serial = 0;

##[ Package implementation ]##################################################

use Anomy::Sanitizer;
use Anomy::Log;
use IO::Socket::INET;

# Constructor.
#
sub new
{
    my ($proto, $urls, $scan_gid) = @_;
    my $class = ref($proto) || $proto;

    unless ($urls) {
        $urls = [ 'http://localhost:10200',
                  'http://localhost:10201',
                  'http://localhost:10202',
                  'http://localhost:10203',
                  'http://localhost:10204' ];
    }

    no strict;
    my $self = {
        urls => $urls,
        perms => 0660,
        scan_gid => $scan_gid,
        results => undef,
        job => undef,
    };
    bless($self,$class);
    return $self;
}

sub get_results
{
    my $self = shift;
    return $self->{results};
}

sub set_job_id
{
    $_[0]->{job} = $_[1];
}

sub explain_results
{
    my $self = shift;

    my @inf = ( );
    foreach my $l (split(/\012/, $self->{results} || "")) {
        push @inf, $2 if ($l =~ /<(name|message)[^>]*>\s*(.*?)<\/\1>/is);
    }
    my $name = join(', ', @inf);
    $name = '(heuristic detection)'
        if (($name !~ /^[a-z\d\s\@\.\:\{\}\(\)\[\]\/\\\&\+\*\%\$\"\'\#\!,_=-]+$/is) ||
            ($name =~ /^\s*$/));

    my $stat = $self->{scan_stat};
    my $msg = undef;
    my $attr = { };
    if (0 == $stat) {
        $msg = "File is clean.";
    }
    elsif (1 == $stat) {
        $attr = { "name" => $name };
        $msg = "Disinfected file, removed %name%";
    }
    elsif (2 == $stat) {
        $attr = { "name" => $name };
        $msg = "Detected unremovable infection: %name%";
    }
    elsif (3 == $stat) {
        $msg = "File is of unknown type.";
    }
    elsif (4 == $stat) {
        $msg = "File is suspicious.";
    }
    elsif (0 < $stat) {
        $attr = { "code" => $stat };
        $msg = "Unrecognized status! (%code%)";
    }
    elsif (0 > $stat) {
        $attr = { "code" => $stat };
        $msg = "Error (%code%) scanning file!";
    }

    return ($msg, $attr);
}

sub get_sanitizer_callback
{
    my $self = shift;
    return sub {
        my $san = shift;
        my $plog = shift;

        $san->set_var("fprot_result", "");
        my $stat = $self->do_scan($san, $plog, @_);
        my ($msg, $attr) = $self->explain_results();
        if ($msg) {
            $san->set_var("fprot_result", $msg);
            $plog->entry("fprot_result", SLOG_INFO, $attr, "F-Prot: ".$msg);
        }
        return $stat;
    };
}

sub do_scan
{
    my ($self, $san, $plog, $fh, $md5x2, $filename, @args) = @_;

    return ($self->{scan_stat} = -4) unless ($filename);

    # Make file readable AND writable by the scanner.
    if ($self->{scan_gid}) {
        chown(-1, $self->{scan_gid}, $filename);
        chmod($self->{perms}, $filename);
    }

    # Prevent duplicate leading slashes.
    $filename =~ s/^\/+//;
    # FIXME: Should prepend current directory if above doesn't really
    #        do anything.

    my $tries = $self->{results} = 0;
    while (!$self->{results}) {
        my $url = shift @{ $self->{urls} };
        my $request = $url.'/'. urlencode($filename);

        push @args, "-id=".$self->{job} if ($self->{job});
        $request .= '?'. urlencode(join("\n", @args)) if (@args);

        if ($self->{results} = get($request)) {
            unshift @{ $self->{urls} }, $url;
        }
        else {
            push @{ $self->{urls} }, $url;
            sleep(5) if (($tries++) > @{ $self->{urls} });
            return ($self->{scan_stat} = -1) if (($tries/2) > @{ $self->{urls} });
        }
    }

    my $summary = "unknown-error";
    $summary = lc($1) if ($self->{results} =~ /<summary[^>]*>(.*?)<\/summary>/i);

    return ($self->{scan_stat} = 0) if ($summary eq "clean");
    return ($self->{scan_stat} = 1) if ($summary eq "disinfected");
    return ($self->{scan_stat} = 2) if ($summary eq "infected");
    return ($self->{scan_stat} = 3) if ($summary eq "unknown");
    return ($self->{scan_stat} = 4) if ($summary eq "suspicious");

    # FIXME: Does sharing a code with "suspicious" make sense?
    return ($self->{scan_stat} = 4) if ($summary eq "not scanned");

    return ($self->{scan_stat} = -2) if ($summary eq "error");
    return ($self->{scan_stat} = -3);
}

sub urlencode
{
    my $text = shift;
    $text =~ s/([^A-Za-z0-9\/_-])/ $_=sprintf("%%%2.2X", ord($1))/ge;
    return $text;
}

sub get
{
    my $url = shift;

    if ($url =~ /^http:\/+([^\/\s]+)(.*)/i) {
        my ($host, $path) = ($1, $2);
        my $port = 80;
        $port = $1 if ($host =~ s/:(\d+)$//);
        $path = "/" unless ($path);

        # print STDERR "Connecting to $host on port $port, requesting $path\n";

        # Connect to server
        my $socket = new IO::Socket::INET (
            PeerAddr => $host,
            PeerPort => $port,
            Proto => "tcp",
        );
        return undef unless ($socket);

        # Send HTTP request
        $socket->autoflush(1);
        $socket->print("GET $path HTTP/1.1\r\n");
        $socket->print("Host: $host\r\n");
        $socket->print("Connection: close\r\n");
        $socket->print("\r\n");

        # Parse the reply header
        my $status = 900;
        while (my $l = <$socket>) {
            last if ($l =~ /^[\r\n]*$/);
            if ($l =~ /^HTTP.1\.[01]\s+(\d\d\d)\s+(.*)$/) {
                my ($code, $text) = ($1, $2);
                $status = $code;
            }
        }

        # Get the data...
        my $data = join('', <$socket>);
        $socket->close();

        # Return.
        return undef unless ($status eq 200);
        return $data;
    }
    else {
        die "Failed to parse URL: $url\n";
    }
}

1;
# vi:ts=4

sanitizer-1.76/bin/Anomy/Sanitizer/MacroScanner.pm

#!/usr/bin/perl
#
my $revision = '$Id: MacroScanner.pm,v 1.2 2001/12/22 02:47:58 bre Exp $';
my $version = 'Anomy 0.0.0 : sanitizer.pl';
#
## Copyright (c) 2001 Bjarni R. Einarsson. All rights reserved.
## Based on code by John Hardin.
##
## This program is free software; you can redistribute it and/or modify
## it under the terms of the GNU General Public License as published by
## the Free Software Foundation; either version 2 of the License, or
## (at your option) any later version.
#
##############################################################################
#
# NOTE:  Sanitizer development is for the most part sponsored by
#        FRISK Software International, http://www.frisk.is/.  Please
#        consider buying their anti-virus products to show your
#        appreciation.
#
##############################################################################
#
# This is the built in macro scanner, based on John D. Hardin's code.
#
# It has been improved to use only a fixed, small amount of memory
# even when reading binary data.  The scanner checks a sliding 256-byte
# window - first for a sign that this is an MS document, then for stuff
# that looks like macros.
#
# When macro stuff is seen, a score is incremented by an amount hopefully
# reflecting how "dangerous" it is.  If the total score exceeds a user
# defined value, the attachment is considered poisoned and the scan
# terminates immediately with a nonzero return value.
#
# Usage:
#
#    # Macro scanner configuration - this doesn't make sense within the
#    # Sanitizer.pm module, since the Sanitizer.pm module knows nothing
#    # about the macro scanner.
#    my @MACROSCAN = ('file_list_5_scanner = 0:1:2:builtin/macro 25',
#                     'file_list_5_policy = unknown:mangle:mangle:defang',
#                     'file_list_5 = (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])$');
#
#    # WARNING: For brevity, error handling is omitted in this example, see
#    #          sanitizer.pl for a proper example.
#    #
#
#    $engine = new Anomy::Sanitizer;
#    $engine->register_scanner("macro", \&MacroScanner);
#    $engine->configure(@MACROSCAN);
#
##[ Package definition ]######################################################

package Anomy::Sanitizer::MacroScanner;
use strict;
use IO::File;
use Anomy::Log;

BEGIN {
    use Exporter ();
    use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
    $VERSION = do { my @r = (q$Revision: 1.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
    @ISA = qw(Exporter);
    @EXPORT = qw(MacroScanner);
    @EXPORT_OK = qw( );
}
use vars @EXPORT_OK;

##[ Package implementation ]##################################################

sub MacroScanner {
    my $self = shift;
    my $plog = shift;
    my $fh = shift;
    my $md5x2 = shift;
    my $poison_score = shift;
    my $score = 0;
    my $msapp = 0;

    # Read relatively small chunks at a time, to minimize the extra
    # work done by the pattern matching.  We just trust the OS to make
    # this efficient...
    #
    my $chunksize = 128;
    local $/ = \$chunksize;

    # Initialize buffer.
    $fh->seek(0, SEEK_SET);
    my $buff = <$fh> . <$fh>;

    my $log = $plog->sublog("MacroScan", SLOG_TRACE, undef);
    while ($buff) {
        unless ($msapp) {
            if ($buff =~ /\000(Microsoft (Word Document|PowerPoint|Excel( (Spread|Work)sheet)?)|MSWordDoc|Word\.Document\.[0-9]+|Excel\.Sheet\.[0-9]+)\000/) {
                $msapp = 1;
                $log->entry("is-MS-document", SLOG_DEBUG, undef,
                            "This appears to be an MS document, restarting scan.");

                # Restart scan
                $fh->seek(0, SEEK_SET);
                $buff = <$fh> . <$fh>;
                next;
            }
        } else {
            # Lots of while loops here - we replace the leading \000 boundary
            # with 'x' characters to ensure this eventually completes.
            #
            $score += 99 while ($buff =~ s/\000(VirusProtection)/x$1/i);
            $score += 99 while ($buff =~ s/\000(select\s[^\000]*shell\s*\()/x$1/i);
            $score += 9 while ($buff =~ s/\000(regedit|SaveNormalPrompt|Outlook.Application\000)/x$1/i);
            $score += 4 while ($buff =~ s/\000(ID="{[-0-9A-F]+)$/x$1/i);
            $score += 4 while ($buff =~ s/\000(CreateObject)/x$1/i);
            $score += 4 while ($buff =~ s/(?:\000|\004)(([a-z0-9_]\.)*(Autoexec|Workbook_(Open|BeforeClose)|Document_(Open|New|Close)))/x$1/i);
            $score += 4 while ($buff =~ s/(?:\000|\004)(Logon|AddressLists|AddressEntries|Recipients|Subject|Body|Attachments|Logoff)/x$1/i);
            $score += 2 while ($buff =~ s/\000(Shell|Options|CodeModule)/x$1/i);
            $score += 2 while ($buff =~ s/\000(([a-z]+\.)?Application\000)/x$1/i);
            $score += 2 while ($buff =~ s/(?:\000|\004)(stdole|NormalTemplate)/x$1/i);
            $score += 1 while ($buff =~ s/\000(ID="{[-0-9A-F]+}"|ThisWorkbook\000|PrivateProfileString)/x$1/i);
            $score += 1 while ($buff =~ s/(?:\000|\004)(ActiveDocument|ThisDocument)/x$1/i);
            $score += 1 while ($buff =~ s/\000(\[?HKEY_(CLASSES_ROOT|CURRENT_USER|LOCAL_MACHINE))/x$1/);

            # Save cycles!  Return early!
            if ($score > $poison_score) {
                $log->entry("bad-score", SLOG_INFO,
                            { score => $score, bytes => $chunksize * $. },
                            "Score (%score%) exceeded $poison_score after ".
                            "scanning %bytes% bytes!");
                return 1;
            }
        }

        # Read on...
        $buff = substr($buff, $chunksize, $chunksize) . <$fh>;
    }

    $log->entry("bad-score", SLOG_INFO, { score => $score },
                "Attachment passed macro scan with a score of %score%.");
    return 0;
}

1;
#EOF#
sanitizer-1.76/bin/Anomy/Sanitizer/FileTypes.pm
#!/usr/bin/perl
#
my $revision = '$Id: FileTypes.pm,v 1.3 2006/01/03 13:16:35 bre Exp $';
my $version = 'Anomy 0.0.0 : Anomy::Sanitizer::FProt.pm';
#
##  Copyright (c) 2006 FRISK Software International. All rights reserved.
##  This program is free software; you can redistribute it and/or modify
##  it under the terms of the GNU Lesser General Public License as
##  published by the Free Software Foundation; either version 2.1 of the
##  License, or (at your option) any later version.
#
##############################################################################
#
# NOTE:  Sanitizer development is for the most part sponsored by
#        FRISK Software International, http://www.f-prot.com/.  Please
#        consider buying their anti-virus products to show your
#        appreciation.
#
##############################################################################
#
# This module implements a built in scanner which recognizes a few known file
# types based on headers.  It verifies that a file is what it says it is.
#
# Usage:
#
#    use Anomy::Sanitizer::FileTypes qw( check_file_type );
#
#    my ($is_evil, $is_suspicious, $risk_level, @filetypes) =
#        check_file_type( snippet => $first_few_bytes_of_data,
#                         file_names => \@list_of_filenames,
#                         mime_type => $mime_type,
#                         blacklisted => \@blacklisted_file_types );
#
##[ Package definition ]######################################################

package Anomy::Sanitizer::FileTypes;
use strict;

BEGIN {
    use Exporter ();
    use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
    $VERSION = do { my @r = (q$Revision: 1.3 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
    @ISA = qw(Exporter);
    @EXPORT = qw( );
    @EXPORT_OK = qw( &check_file_type &unknown_file_types &known_file_types );
}
use vars @EXPORT_OK;

my $serial = 0;

##[ Recognized file formats ]##################################################

# Risk levels
my ($unknown, $low, $medium, $high) = (0, 1, 2, 3);

# File type definitions
my $EXE = {
    id => "exe",
    risk => $high,
    name => "MSDOS or MS Windows executable",
    extensions => [ "exe", "com", "scr", "pif", "lnk", "bat" ],
    mime_types => [ 'application/octet-stream',
                    "application/x-ms-dos-executable",
                    "application/x-msdownload" ],
    magic => [ "MZ" ],
};
my $WMF = {
    id => "wmf",
    risk => $medium,
    name => "Windows MetaFile (WMF)",
    extensions => [ "emf", "wmf" ],
    mime_types => [ 'application/x-msMetafile' ],
    magic => [ "\xD7\xCD\xC6\x9A",
               "\x01\x00\x09\x00",
               "\x02\x00\x09\x00" ],
};
my $JPEG = {
    id => "jpeg",
    risk => $low,
    name => "JPEG Image",
    extensions => [ "jpg", "jpe", "jpeg", "jfif", "jfif-tbnl" ],
    mime_types => [ 'image/jpeg', 'image/pjpeg' ],
    magic => [ "\xFF\xD8" ],
};
my $GIF = {
    id => "gif",
    risk => $low,
    name => "GIF Image",
    extensions => [ "gif" ],
    mime_types => [ 'image/gif' ],
    magic => [ "GIF8" ],
};
my $PNG = {
    id => "png",
    risk => $low,
    name => "PNG Image",
    extensions => [ "png" ],
    mime_types => [ 'image/png' ],
    magic => [ "\x89PNG" ],
};
my $TIFF = {
    id => "tiff",
    risk => $low,
    name => "TIFF image data",
    extensions => [ "tiff", "tif" ],
    mime_types => [ 'image/tiff' ],
    magic => [ "MM\x00\x2A", "II\x2A\x00" ],
};
my $JS = {
    id => "js",
    risk => $medium,
    name => "JavaScript file",
    extensions => [ "js" ],
    mime_types => [ 'application/x-javascript' ],
    magic => [ ],
};
my $HTML = {
    id => "html",
    risk => $low,
    name => "HTML text file",
    extensions => [ "html", "htm", "shtml" ],
    mime_types => [ 'text/html' ],
    magic => [ ],
    regexp => '|||
|',
};
my $TXT = {
    id => "txt",
    risk => $low,
    name => "Plain text file",
    extensions => [ "txt" ],
    mime_types => [ 'text/plain' ],
    magic => [ ],
};

# Set up useful ways to look up stuff in the above definitions.
my @all_types = ($EXE, $WMF, $JPEG, $GIF, $PNG, $TIFF, $JS, $HTML, $TXT);
my $file_types = { };
my $file_ext = { };
my $file_regexp = { };
my $file_magic = { };
my $magic_lengths = { };
foreach my $ft (@all_types) {
    $file_types->{$ft->{id}} = $ft;
    foreach my $magic (@{ $ft->{magic} }) {
        $file_magic->{$magic} = $ft;
        $magic_lengths->{length($magic)} = 1;
    }
    if (my $regexp = $ft->{regexp}) {
        $file_regexp->{$regexp} = $ft;
    }
    foreach my $ext (@{ $ft->{extensions} }) {
        $file_ext->{lc($ext)} = $ft;
    }
}
my @magic_lengths = (sort { $b <=> $a } keys(%$magic_lengths));

##[ Package implementation ]##################################################

# Check a list of filetypes to see if we recognize all of them, return
# undef or the first unrecognized file type.
sub unknown_file_types {
    my (@list) = @_;
    @list = @{ $list[0] } if (ref($list[0]) =~ /array/i);
    foreach my $item (@list) {
        return $item unless (0 < (grep { $_->{id} eq lc($item) } @all_types));
    }
    return undef;
}

# Return a list of known filetypes.
sub known_file_types {
    return (map { $_->{id} } @all_types);
}

# Usage:
#
#    use Anomy::Sanitizer::FileTypes qw( check_file_type );
#
#    my ($is_evil, $is_suspicious, $risk_level, @filetypes) =
#        check_file_type( snippet => $first_few_bytes_of_data,
#                         file_names => \@list_of_filenames,
#                         mime_type => $mime_type,
#                         blacklisted => \@blacklisted_file_types );
#
# Return values:
#
#    The first two returned values are boolean, 0 or 1.
#
#    Risk levels range from 0-3 (unknown, low, medium, high).
#
#    @filetypes is a list of hashrefs describing what we think the file
#    is.  The matches are ordered such that the riskiest match is listed
#    first.
#
sub check_file_type {
    my (%args) = @_;
    my $snippet = $args{snippet};
    my $filenames = $args{file_names} || [ $args{file_name} ];
    my $mimetype = $args{mime_type};
    my $blacklisted = $args{blacklisted} || [ ];

    my ($matched_filename, $matched_magic, $matches) =
        get_matches( snippet => $snippet,
                     filenames => $filenames );

    my ($is_evil, $is_suspicious, $risk_level) =
        estimate_risk( matched_filename => $matched_filename,
                       matched_magic => $matched_magic,
                       matches => $matches || { },
                       blacklisted => $blacklisted );

    return ($is_evil, $is_suspicious, $risk_level,
            sort { ($b->{risk} <=> $a->{risk}) || ($a->{id} cmp $b->{id}) }
                 values(%$matches));
}

sub get_matches {
    my (%args) = @_;
    my $snippet = $args{snippet};
    my $filenames = $args{filenames};

    # This is what we'll be returning.
    my ($matched_filenames, $matched_magic, $matches) = (0, 0, { });

    # Guess filetype based on extension...
    foreach my $fn (@$filenames) {
        if ($fn =~ /\.([^\.]+)$/) {
            my $ext = $1;
            if (my $match = $file_ext->{lc($ext)}) {
                print STDERR "Filename match: $match->{id}\n" if ($ENV{DEBUG_FILETYPES});
                $matches->{$match} = $match;
                $matched_filenames++;
            }
        }
    }

    # Guess filetype based on binary snippet
    foreach my $length (@magic_lengths) {
        my $bytes = substr($snippet, 0, $length);
        if (my $match = $file_magic->{$bytes}) {
            print STDERR "Magic match: $match->{id}\n" if ($ENV{DEBUG_FILETYPES});
            $matches->{$match} = $match;
            $matched_magic++;
        }
    }

    # Guess filetype using regexps, unless magic worked.
    if (!$matched_magic) {
        foreach my $re (keys(%$file_regexp)) {
            next unless ($snippet =~ /$re/i);
            my $match = $file_regexp->{$re};
            print STDERR "Regexp match: $match->{id}\n" if ($ENV{DEBUG_FILETYPES});
            $matches->{$match} = $match;
            $matched_magic++;
        }
    }

    # Some types have no magic, and all files match the "undefined" magic.
    if (!$matched_magic) {
        foreach my $m (values(%$matches)) {
            if ((@{ $m->{magic} } < 1) && (!$m->{regexp})) {
                print STDERR "Undefined magic match.\n" if ($ENV{DEBUG_FILETYPES});
                $matched_magic++;
            }
        }
    }

    return ($matched_filenames, $matched_magic, $matches);
}

sub estimate_risk {
    my (%args) = @_;
    my $matched_filename = $args{matched_filename};
    my $matched_magic = $args{matched_magic};
    my $matches = $args{matches};
    my %blacklisted = ( map { lc($_) => 1 } @{ $args{blacklisted} } );
    my %risks = ( map { $matches->{$_}->{risk} => 1 } keys(%$matches) );

    # This is what we'll return.
    my ($is_evil, $is_suspicious, $risk_level) = (0, 0, $unknown);

    # Do we have more than one possible match?  That's odd!
    if (keys(%$matches) > 1) {
        # If we also have multiple risk levels, that probably means
        # someone is trying to masquerade a high-risk file as a low-risk
        # one, which is very evil.  If they are all "low" risk, then we
        # just assume the sending mailer is dumb (sends GIFs as JPGs).
        $is_evil++ unless ($risks{$low} && (keys(%risks) == 1));
        print STDERR "Multiple matches: is_evil = $is_evil\n" if ($ENV{DEBUG_FILETYPES});
    }

    # Is this filetype blacklisted?
    foreach my $m (values(%$matches)) {
        $is_evil++ if ($blacklisted{$m->{id}});
    }

    # Does this claim to be a low-risk file, without matching our magic?
    $is_suspicious++ if ($risks{$low} && (!$matched_magic));

    # Report highest risk level
    $risk_level = $low if ($risks{$low});
    $risk_level = $medium if ($risks{$medium});
    $risk_level = $high if ($risks{$high});

    return ($is_evil, $is_suspicious, $risk_level);
}

##[ Testing ]##################################################################

sub Test {
    my @tests = (
        { name => "Plain text file",
          args => { snippet => "Plain text file",
                    file_names => [ "plain.txt" ] },
          results => "0,0,$low,txt",
        },
        { name => "Incorrectly named HTML file",
          args => { snippet => "foo",
                    file_names => [ "plain.txt" ] },
          results => "0,0,$low,html,txt",
        },
        { name => "Incorrectly named TIFF image file.",
          args => { snippet => "MM\x00\x2A",
                    file_names => [ "plain_data" ] },
          results => "0,0,$low,tiff",
        },
        { name => "Bogus JPEG file.",
          args => { snippet => "bogosity",
                    file_names => [ "fake.jpg" ] },
          results => "0,1,$low,jpeg",
        },
        { name => "GIF image which thinks it's a JPEG.",
          args => { snippet => "GIF89afoo",
                    file_names => [ "fake.jpg" ] },
          results => "0,0,$low,gif,jpeg",
        },
        { name => "Windows executable with correct name.",
          args => { snippet => "MZfoo",
                    file_names => [ "fake.exe" ] },
          results => "0,0,$high,exe",
        },
        { name => "Windows executable with wrong name.",
          args => { snippet => "MZfoo",
                    file_names => [ "fake.txt" ] },
          results => "1,0,$high,exe,txt",
        },
        { name => "Blacklisted WMF file without magic.",
          args => { snippet => "bogosity",
                    blacklisted => [ "wmf" ],
                    file_names => [ "blacklisted.wmf" ] },
          results => "1,0,$medium,wmf",
        },
        # The two snippets below use the same signature as $WMF->{magic}.
        { name => "Unblacklisted WMF file with valid magic.",
          args => { snippet => "\xD7\xCD\xC6\x9A",
                    file_names => [ "blacklisted.wmf" ] },
          results => "0,0,$medium,wmf",
        },
        { name => "WMF file pretending to be a JPEG.",
          args => { snippet => "\xD7\xCD\xC6\x9A",
                    file_names => [ "evil.jpg" ] },
          results => "1,0,$medium,wmf,jpeg",
        },
    );

    foreach my $t (@tests) {
        my ($e, $s, $r, @info) = check_file_type(%{ $t->{args} });
        my $results = join(',', $e, $s, $r, map { $_->{id} } @info );
        if ($t->{results} eq $results) {
            print "OK $t->{name} ($results)\n";
        } else {
            print "BAD $t->{name}\n*** $results != $t->{results} \n";
        }
    }

    # Test filetype validity checker
    if (my $unknown = unknown_file_types("exe", "txt", "html", "js")) {
        print "BAD Filetype validity checker doesn't recognize '$unknown'\n";
    } else {
        print "OK Filetype validity checker is OK.\n";
    }
    if ("bogus" eq unknown_file_types("exe", "txt", "html", "js", "bogus")) {
        print "OK Filetype validity checker doesn't recognize 'bogus'.\n";
    } else {
        print "BAD Filetype validity checker recognizes 'bogus'!\n";
    }
    if (9 == known_file_types()) {
        print "OK List of filetypes is ok.\n";
    } else {
        print "BAD List of filetypes is silly!\n";
    }
}

1;
# vi:ts=4
sanitizer-1.76/bin/Anomy/Sanitizer/Scoring.pm
#!/usr/bin/perl
#
my $revision = '$Id: Scoring.pm,v 1.2 2001/08/22 17:58:36 bre Exp $';
my $version = 'Anomy 0.0.0 : sanitizer.pl';
#
##  Copyright (c) 2001 Bjarni R. Einarsson. All rights reserved.
##  This program is free software; you can redistribute it and/or modify
##  it under the terms of the GNU General Public License as published by
##  the Free Software Foundation; either version 2 of the License, or
##  (at your option) any later version.
#
##############################################################################
#
# NOTE:  Sanitizer development is for the most part sponsored by
#        FRISK Software International, http://www.frisk.is/.  Please
#        consider buying their anti-virus products to show your
#        appreciation.
#
##############################################################################
#
# This module implements scoring for the Anomy Sanitizer.
# It adds a few configuration variables.
#
#
#
##[ Package definition ]######################################################

package Anomy::Sanitizer::Scoring;
use strict;

BEGIN {
    use Exporter ();
    use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
    $VERSION = do { my @r = (q$Revision: 1.2 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
    @ISA = qw(Exporter);
    @EXPORT = qw( );
    @EXPORT_OK = qw( );
}
use vars @EXPORT_OK;

##[ Package implementation ]##################################################

sub new {
    my ($proto, $name) = @_;
    my $class = ref($proto) || $proto;
    my $self = {
        "name" => $name || "score",
        "score" => 0,
        "thresholds" => [ ],
    };
    bless ($self, $class);
    return $self;
}

# FIXME: Here we *should* accept a sanitizer object to register into.
#
# Since the sanitizer is currently non-OO, we just register directly into
# provided configuration and log variables.
#
sub register {
    my ($self, $conf, $log) = @_;
}

1;
#EOF#
sanitizer-1.76/bin/Anomy/Log.pm
#!/usr/bin/perl
#
my $revision = '$Id: Log.pm,v 1.9 2002/01/04 18:32:49 bre Exp $';
my $version = 'Anomy 0.0.0 : sanitizer.pl';
#
##  Copyright (c) 2001-2002 Bjarni R. Einarsson. All rights reserved.
##  This program is free software; you can redistribute it and/or modify
##  it under the terms of the GNU General Public License as published by
##  the Free Software Foundation; either version 2 of the License, or
##  (at your option) any later version.
#
##############################################################################
#
# NOTE:  Sanitizer development is for the most part sponsored by
#        FRISK Software International, http://www.f-prot.com/.  Please
#        consider buying their anti-virus products to show your
#        appreciation.
#
##############################################################################
#
# This is a module for handling nested log files.  It provides a framework
# for building very detailed logs in memory and outputting them either as
# human readable text or XML.
#
# Example:
#
#    my $log1 = new Anomy::Log;
#    my $log2 = new Anomy::Log;
#    my $log3;
#
#    # Set up local hooks for events
#    $log1->add_hook("match", sub { print "Hey, something matched!\n"; } );
#    $log1->add_hook("part", sub { print "Ooh, a new part!\n"; } );
#
#    # Set up a global hook (inherited by sub-logs)
#    $log1->add_hook("thing", sub { print "Ooh, a new thing!\n"; }, "global" );
#
#    # Record an event
#    $log1->entry("match", SLOG_INFO, { rule => 3 }, "Matched rule %rule%." );
#
#    # Attach $log2 to an entry in $log1.
#    $log1->sublog("part", SLOG_TRACE, { type => "multipart/mixed" }, $log2);
#
#    # Create a new log ($log3) chained to an entry in $log1.
#    $log3 = $log1->sublog("part", SLOG_TRACE, { type => "multipart/mixed" });
#
#    # Print everything of level SLOG_INFO as text.
#    print $log1->print_as_text(SLOG_INFO);
#
#    # Print everything (any level) as XML.
#    print $log1->print_as_xml(SLOG_ALL);
#
##[ Package definition ]######################################################

package Anomy::Log;
use strict;

BEGIN {
    use Exporter ();
    use vars qw($VERSION @ISA @EXPORT @EXPORT_OK %EXPORT_TAGS);
    $VERSION = do { my @r = (q$Revision: 1.9 $ =~ /\d+/g); sprintf "%d."."%02d" x $#r, @r };
    @ISA = qw(Exporter);
    @EXPORT = qw(&SLOG_ERROR &SLOG_WARNING &SLOG_INFO &SLOG_DEBUG
                 &SLOG_TRACE &SLOG_SUBLOG &SLOG_ALL);
    @EXPORT_OK = qw( );
}
use vars @EXPORT_OK;

##[ Constants ]###############################################################

# Log message types
sub SLOG_ERROR { return 0x0001; }
sub SLOG_WARNING { return 0x0002; }
sub SLOG_INFO { return 0x0004; }
sub SLOG_DEBUG { return 0x0008; }
sub SLOG_SUBLOG { return 0x4000; }
sub SLOG_TRACE { return 0x8000; }
sub SLOG_ALL { return 0xFFFF; }

sub LOG_ENTRY { return 1; }
sub LOG_SUBLOG { return 2; }

##[ Package implementation ]##################################################

sub new {
    my ($proto) = @_;
    my $class = ref($proto) || $proto;
    my $self = {
        "local_hooks" => { },
        "global_hooks" => { },
        "log" => [ ],
    };
    bless ($self, $class);
    return $self;
}

# Wipe the log clean.
sub clear {
    my $self = shift;
    $self->{"log"} = [ ];
}

# Register a new hook.
sub add_hook {
    my ($self, $tag, $hook, $global) = @_;
    my $h = "local_hooks";
    $h = "global_hooks" if ($global);
    $self->{$h}->{$tag} = [ ] unless ($self->{$h}->{$tag});
    push @{ $self->{$h}->{$tag} }, $hook;
}

# Check for hooks for this log entry type, execute them if present.
# Returns 1 (true) if no hooks are found, otherwise it returns the
# value returned by the hook.
sub check_hook {
    my ($self, $entry) = @_;
    my $ret = 1;
    foreach my $h ("local_hooks", "global_hooks") {
        if (my $hooks = $self->{$h}->{ $entry->[1] }) {
            foreach my $cmd (@{ $hooks }) {
                $ret = 0 unless (&$cmd($self, $entry));
            }
        }
    }
    return $ret;
}

# Usage:
#
#    $log->entry("match", SLOG_INFO, { rule => 3 }, "Matched rule %rule%." );
#
sub entry {
    my ($self, $tag, $level, $attr, $data) = @_;
    my $entry = [ LOG_ENTRY, $tag, $level, $attr || { }, $data ];
    push @{ $self->{"log"} }, $entry if ($self->check_hook($entry));
}

# Usage:
#
#    $sublog = $log->sublog("part", SLOG_TRACE, { type => "multipart/mixed" });
#    $log->sublog("part", SLOG_TRACE, { type => "multipart/mixed" }, $sublog);
#
sub sublog {
    my ($self, $tag, $level, $attr, $sl) = @_;
    $sl = new Anomy::Log unless ($sl);

    # Inherit global hooks from parent
    $sl->{"global_hooks"} = $self->{"global_hooks"};

    $level = 0 unless ($level);
    $level |= SLOG_SUBLOG;
    my $entry = [ LOG_SUBLOG, $tag, $level, $attr || { }, $sl ];
    push @{ $self->{"log"} }, $entry if ($self->check_hook($entry));
    return $sl;
}

# Render a log as a bit of HTML, using the embedded descriptions.
#
# Usage:
#
#    $text = $log->print_as_html(SLOG_ALL);
#
sub print_as_html {
    my ($self, $out_level, $prefix, $color) = @_;
    my $ret = $self->print_as_text($out_level, $prefix);
    $ret =~ s/&/&amp;/g;
    $ret =~ s/</&lt;/g;
    $ret =~ s/>/&gt;/g;
    return "
\n$ret\n
\n";
}

# Render a log as a text file, using the embedded descriptions.
#
# Usage:
#
#    $text = $log->print_as_text(SLOG_ALL);
sub print_as_text {
    my ($self, $out_level, $prefix) = @_;
    my $ret = "";
    $out_level = SLOG_ALL unless (defined $out_level);

    foreach my $entry (@{ $self->{"log"} }) {
        my ($type, $tag, $level, $attr, $data) = @{ $entry };
        my $attrs = join(", ", map { $_="$_=\"".$attr->{$_}."\"" } sort(keys(%{ $attr })));

        if (LOG_SUBLOG == $type) {
            my $d = $data->print_as_text($out_level, $prefix." ");
            if (($d) || ($level & $out_level)) {
                $ret .= $prefix.$tag." (".$attrs."):\n".$d."\n";
            }
            $ret =~ s/\n\n+$/\n\n/;
        } elsif ($level & $out_level) {
            my $d = $data;
            foreach my $key (sort(keys(%{ $attr }))) {
                $d =~ s/%$key%/$attr->{$key}/g;
            }
            $d =~ s/%ATTRIBUTES%/$attrs/g;
            $d =~ s/\n/\n$prefix/gs;
            $ret .= $prefix.$d."\n";
        }
    }
    return $ret;
}

# Render a log as an XML-formatted string, pruning all leaves not matching
# the requested log level.
#
# Usage:
#
#    $text = $log->print_as_xml(SLOG_ALL);
#
sub print_as_xml {
    my ($self, $out_level, $prefix) = @_;
    my $ret = "";
    $out_level = SLOG_ALL unless (defined $out_level);

    foreach my $entry (@{ $self->{"log"} }) {
        my ($type, $tag, $level, $attr, $data) = @{ $entry };

        if (LOG_SUBLOG == $type) {
            my $d = $data->print_as_xml($out_level, $prefix." ");
            if (($d) || ($level & $out_level)) {
                $ret .= $prefix;
                $ret .= print_tag($tag, $attr)."\n";
                $ret .= $d;
                $ret .= $prefix."</".$tag.">\n";
            }
        } elsif ($level & $out_level) {
            $ret .= $prefix;
            $ret .= print_tag($tag, $attr);
            $ret .= encode_xml($data);
            $ret .= "</".$tag.">\n";
        }
    }
    return $ret;
}

## Helper for print_as_xml
sub print_tag {
    my ($tag, $attr) = @_;
    my $ret = "<".$tag;
    foreach my $a (sort(keys(%{ $attr }))) {
        $ret .= " $a=\"". encode_xml($attr->{$a}) ."\"";
    }
    $ret .= ">";
    return $ret;
}

## Helper for print_as_xml
sub encode_xml {
    my $text = shift;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g; # FIXME!!  Probably not valid XML!
    $text =~ s/\n/&nl;/g; # FIXME!!  Probably not valid XML!
    return $text;
}

1;
#EOF#
sanitizer-1.76/testcases/
sanitizer-1.76/testcases/rot13
#!/usr/bin/perl
while (<>) {
    tr/a-zA-Z/n-za-mN-ZA-M/;
    print;
}
sanitizer-1.76/testcases/sanitizer.appledouble.t
#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Subject: Clean multipart/mixed test case with a very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very long harmless subject. 
Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain Content-Transfer-Encoding: 8bit blah blah --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: multipart/appledouble; x-mac-creator="5068466C"; x-mac-type="4A504547"; boundary="=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU" Content-Disposition: attachment; filename="20802160428.jpg" --=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU Content-Type: application/applefile; x-mac-creator="5068466C"; x-mac-type="4A504547" Content-Disposition: attachment; Content-Transfer-Encoding: base64 --=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU Content-Type: application/octet-stream; x-mac-creator="5068466C"; x-mac-type="4A504547" Content-Disposition: attachment; filename="20802160428.jpg" Content-Transfer-Encoding: base64 --=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU-- --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- EOF echo "*** Exit code was $? ***" >>test.out
sanitizer-1.76/testcases/sanitizer.bad_html.t
#!/bin/sh [ "$1" = "-h" ] && cat <>test.log >>test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="html-test.txt" Content-Transfer-Encoding: 8bit ble moo moo baa baa evil hotmail exploit layer! does the ilayer tag exist?

&{[code]};

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- EOF done sanitizer-1.76/testcases/sanitizer.base64.t0000644000175000017500000000506107674317534017041 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <>test.out $ANOMY/bin/sanitizer.pl -nofprot $SAN_CONF \ "header_rev = 0" \ "feat_testing = 1" \ "feat_log_trace = 1" \ "feat_log_inline = $FLI" \ 'file_list_rules = 1' \ 'file_name_tpl = /tmp/att-$F' \ "file_list_1_scanner = 0:1::$BINFALSE" \ 'file_list_1_policy = unknown:unknown:unknown:unknown' \ 'file_list_1 = .exe$' \ <>test.log |sed -e "s,$BINFALSE,/bin/false,g" >>test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Subject: Clean multipart/mixed test case Content-Type: application/applefile; x-mac-creator="5068466C"; x-mac-type="4A504547" Content-Disposition: attachment; filenamE="evil.exe" Content-Transfer-Encoding: base64 $BASE64_DATA $BASE64_DATA $BASE64_DATA $BASE64_DATA $BASE64_DATA $BASE64_DATA $BASE64_DATA $BASE64_DATA $BASE64_DATA $BASE64_DATA $BASE64_DATA $BASE64_DATA $BASE64_DATA $BASE64_DATA ///BASE64/// EOF echo -n "Total base64 encoded data: " >>test.out grep '//BASE64' >test.out echo "*** Exit code was $? 
***" >>test.out done sanitizer-1.76/testcases/sanitizer.boundary.t0000644000175000017500000000574007656434205017577 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From bre Fri Jan 30 03:37:34 1998 Date: Wed, 13 Dec 2000 17:13:26 +0800 From: Admin Subject: Yet another MIME test To: Admin MIME-Version: 1.0 Con(FOO)tent-Type: MULT(comment)I(c2)PA(c3)RT/ALTERNATIVE; boundary=Boundary_(THIS_DOESNT_GET_DROPPED) Content-Transfer-Encoding: quoted-printable --Boundary_(THIS_DOESNT_GET_DROPPED) Content-type: text/plain; format=flowed; charset=us-ascii Content-disposition: attachment; name=evil file.exe Part one --Boundary_(THIS_DOESNT_GET_DROPPED) Content-type: text/plain; charset=us-ascii Part two --Boundary_(THIS_DOESNT_GET_DROPPED)-- EOF echo "*** Exit code was $? ***" >>test.out $ANOMY/bin/sanitizer.pl -nofprot $SAN_CONF \ 'feat_log_inline = 1' \ 'file_list_2_policy = accept' \ 'file_list_2 = (?i)\.txt$' \ 'file_list_7 = 0' \ 'feat_testing = 1' "header_rev = 0" <>test.log >>test.out From bre Fri Jan 30 03:37:34 1998 Date: Wed, 13 Dec 2000 17:13:26 +0800 From: Admin Subject: Yet another MIME test To: Admin MIME-Version: 1.0 Content-Type: MULTIPART/ALTERNATIVE; boundary=Boundary(THIS_GETS_DROPPED) Content-Transfer-Encoding: 8bit --Boundary Content-type: text/plain; format=flowed; charset=us-ascii Content-disposition: attachment; name=evil file.exe Part one --Boundary Content-type: text/plain; charset=us-ascii Part two --Boundary-- EOF echo "*** Exit code was $? 
***" >>test.out $ANOMY/bin/sanitizer.pl -nofprot $SAN_CONF \ 'feat_log_inline = 1' \ 'file_list_2_policy = accept' \ 'file_list_2 = (?i)\.txt$' \ 'file_list_7 = 0' \ 'feat_testing = 1' "header_rev = 0" <>test.log >>test.out From bre Fri Jan 30 03:37:34 1998 Date: Wed, 13 Dec 2000 17:13:26 +0800 From: Admin Subject: Yet another MIME test To: Admin MIME-Version: 1.0 Content-Type: MULTIPART/ALTERNATIVE; Content-Transfer-Encoding: 8bit -------------------------------------------- This is crap -------------------------------------------- --NotABoundary --ReallyAFakeBoundary --Boundary Content-type: text/plain; format=flowed; charset=us-ascii Content-disposition: attachment; name="evil.exe" Part one --Boundary Content-type: text/plain; charset=us-ascii Part two --Boundary-- EOF echo "*** Exit code was $? ***" >>test.out sanitizer-1.76/testcases/sanitizer.defaults.t0000644000175000017500000001011107674042523017545 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: =?ISO-8859-1?Q?this_is_a_very_very_very_very_very_very_very_very_very_very_very_very_this_is_a_very_very_very_very_very_very_very_very_very_very_very_very_this_is_a_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_long_subject_which_looks_a_bit_like_a_file_name.txt_with_more_than_one_extension.exe?= To: fake@example.com Content-Type: multipart/mixed; --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/ms-tnef; charset="evil" Content-Disposition: attachment Content-Transfer-Encoding: 8bit this is a very evil file. 
--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/x-snort-snort garbage; charset="iso-8859-1" Content-Disposition: attachment Content-Transfer-Encoding: 8bit this is an unnamed file, which should be left alone --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7áéíóúýáéí.vbs.txt" Content-Transfer-Encoding: 8bit this is also a very evil file. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="wtc.exe" Content-Transfer-Encoding: 8bit Blacklisted by policy 1. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="one.jpeg.exe" Content-Transfer-Encoding: 8bit Blacklisted by policy 1. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="seven.scr" Content-Transfer-Encoding: 8bit Blacklisted by policy 7. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/something quite invalid Content-Disposition: attachment; filename="nine.txt" Content-Transfer-Encoding: 8bit Whitelisted by policy 9. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="eleven.zip" Content-Transfer-Encoding: 8bit Whitelisted by policy 11. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="thirteen.ppt" Content-Transfer-Encoding: 8bit Whitelisted by policy 13. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="fifteen.3ds" Content-Transfer-Encoding: 8bit Whitelisted by policy 15. 
--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: audio/x-wav; charset="iso-8859-1" Content-Disposition: attachment; filename="mismatch.3ds" Content-Transfer-Encoding: 8bit MIME-type/filename mismatch, blocked by generic rule. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: audio/x-wav; charset="iso-8859-1" Content-Disposition: attachment; filename*="iso-8859-1''wtc%2eexe" Content-Transfer-Encoding: 8bit RFC2231 i18n-encoded blacklisted attachment name. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- EOF echo "*** Exit code was $? ***" >>test.out (rm -f ./.tmp.* 2>/dev/null >/dev/null) >>test.out 2>&1 exit 0 sanitizer-1.76/testcases/sanitizer.exchange.t0000644000175000017500000000253507541665720017536 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Subject: Clean multipart/mixed test case Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="" Content-Transfer-Encoding: 8bit blah blah --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: multipart/mixed; boundary="" -- Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: attachment; Content-Transfer-Encoding: 8bit bleh! 
---- --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- EOF sanitizer-1.76/testcases/sanitizer.filenames.t0000644000175000017500000001373610274652356017722 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: this is a very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very long subject which looks a bit like a file name.txt with more than one extension.exe To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/ms-tnef; charset="evil" Content-Disposition: attachment Content-Transfer-Encoding: 8bit this is a very evil file. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/x-snort-snort; charset="iso-8859-1" Content-Disposition: attachment Content-Transfer-Encoding: 8bit this is an unnamed file, which should be treated as if it were yellow --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa.vbs.txt" Content-Transfer-Encoding: 8bit this is also a very evil file. 
--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="red.txt" Content-Transfer-Encoding: 8bit this file is rather evil --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="orange.txt" Content-Transfer-Encoding: 8bit this file is pretty yucky --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="yellów.txt" Content-Transfer-Encoding: 8bit this file is somewhat suspicious --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="green.txt" Content-Transfer-Encoding: 8bit this file is nice --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="strange.txt" Content-Transfer-Encoding: 8bit this file is strange --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="scan me silly.txt" Content-Transfer-Encoding: base64 L2Jpbi9mYWxzZSBtZSE= --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="scan me happy.txt" Content-Transfer-Encoding: 8bit Yeah baby. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="replace.me" Content-Transfer-Encoding: 8bit Yeah baby. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1"; name="other.name.boo"; filename="fee.boo" Content-Disposition: attachment; filename="some.other.name.blrg"; name="rah.boo" Content-Description: Some fake filename .boo Content-ID: Alphabet.blrg Content-Transfer-Encoding: 8bit This file should get renamed, and since it has two name/filename attributes, both should get modified. 
--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- EOF echo "*** Exit code was $? ***" >>test.out cat test.out |sed -e "s,$BINFALSE,/bin/false,g" >test2.out mv -f test2.out test.out echo ./.tmp.* >>test.out 2>&1 rm ./.tmp.* >>test.out 2>&1 exit 0 sanitizer-1.76/testcases/sanitizer.force_hdr.t0000644000175000017500000000171607541665437017714 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> Subject: my default subject X-My-Thing: yeah yeah Sender: xxx@example.com To: fake@example.com This is a test with neither a MIME-Version: header nor a Content-Type. EOF sanitizer-1.76/testcases/sanitizer.forwarded.t0000644000175000017500000001774410356114744017732 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From dood@xyz Mon Dec 11 18:30:26 2000 Return-Path: From: dood@xyz Received: from localhost by localhost with POP3 (fetchmail-5.0.0) for bre@localhost (single-drop); Mon, 11 Dec 2000 18:30:05 +0000 (GMT) Subject: Grf, argh. To: dood@zyx X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: Date: Thu, 7 Dec 2000 08:47:14 +0000 X-MIMETrack: Serialize by Router on Spacekow/K0W/IS(Release 5.0.3 (Intl)|21 March 2000) at 07.12.2000 08:47:20 MIME-Version: 1.0 Content-type: multipart/mixed; Boundary="0__=002569AE003040198f9e8a93df938690918c002569AE00304019" Content-Disposition: inline --0__=002569AE003040198f9e8a93df938690918c002569AE00304019 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: quoted-printable ----- Forwarded by dood H. Kristinsson/LMI/IS on 07.12.2000 08:47 ---= -- = =20 Dood D. 
= =20 Doodsson To: Grumblebutt 28.11.2000 cc: = =20 14:08 Subject: Grf, ARGH = =20 = =20 = =20 This is quote-printable text. ----- Forwarded by Dood D. Doodsson/K0W/IS on 28.11.2000 13:31 ---= -- = =20 John Perry = =20 Buzzard To: Dood D. Doodsson/= K0W/IS@KOW =20 cc: = =20 28.11.2000 Subject: :)))))))))))))) = =20 13:29 = =20 = =20 = =20 (See attached file: Munchbug.fh7)(See attached file: Munchbug.jpg)(See attached file: Munchbug.tif) = --0__=002569AE003040198f9e8a93df938690918c002569AE00304019 Content-type: application/octet-stream; name="=?iso-8859-1?Q?Munchbug.fh7?=" Content-Disposition: attachment; filename="=?iso-8859-1?Q?Munchbug.fh7?=" Content-transfer-encoding: base64 --0__=002569AE003040198f9e8a93df938690918c002569AE00304019 Content-type: image/jpeg; name="=?iso-8859-1?Q?Munchbug.jpg?=" Content-Disposition: attachment; filename="=?iso-8859-1?Q?Munchbug.jpg?=" Content-transfer-encoding: base64 Content-Description: JPEG File Interchange
--0__=002569AE003040198f9e8a93df938690918c002569AE00304019 Content-type: image/tiff; name="=?iso-8859-1?Q?Munchbug.tif?=" Content-Disposition: attachment; filename="=?iso-8859-1?Q?Munchbug.tif?=" Content-transfer-encoding: base64 Content-Description: Tagged Image File Format
--0__=002569AE003040198f9e8a93df938690918c002569AE00304019 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: quoted-printable ---- Forwarded message from Bjarni. R. Einarsson ----- To: Bjarni From: Logi Ragnarsson Subject: Jolaflug Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="45Z9DzgjV8m4Oswq" Content-Disposition: inline --45Z9DzgjV8m4Oswq Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Splat --45Z9DzgjV8m4Oswq Content-Type: image/jpeg Content-Disposition: attachment; filename="jolaflug.jpg.unk" Content-Transfer-Encoding: base64 --45Z9DzgjV8m4Oswq-- ---- End forwarded message ---- I'm a spooky space guy. Boo. Boooo.
--0__=002569AE003040198f9e8a93df938690918c002569AE00304019-- EOF sanitizer-1.76/testcases/sanitizer.fprotd.t0000644000175000017500000000332410356115514017234 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <&2 ./rot13 <$TEST_RESULTS/sanitizer.fprotd.ok.rot13 >test.out exit 0 fi if [ "$(/usr/local/bin/f-prot -verno |grep Program)" != "Program version: 4.6.3" ]; then # Incorrect version of F-Prot installed, fake. echo -n "SKIPPED: Test assumes F-Prot 4.6.3. " >&2 ./rot13 <$TEST_RESULTS/sanitizer.fprotd.ok.rot13 >test.out exit 0 fi # Obfuscated so it does not trigger the scanner... export EIC='X5O!P%@AP[4\PZX54(P^' export ICA=')7CC)7}$EICAR-STANDARD' export CAR='-ANTIVIRUS-TEST-FILE!$H+H*' for ARG in -nofprot -yesfprot; do $ANOMY/bin/sanitizer.pl $ARG $SAN_CONF \ 'header_rev = 0' \ 'feat_testing = 1' \ 'feat_log_stderr = 1' \ 'feat_log_inline = 2' \ 'feat_log_trace = 1' <>test.log |perl -ne 'next if (/(^\s\s+$|Time:|Searching:|DEF created|version:|scanning report)/); s/\/tmp\/\S+/FILE/; print' >>test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: Elephant man! $ARG To: fake@example.com Content-Type: application/octet-stream Content-Transfer-Encoding: 8bit $EIC$ICA$CAR EOF done sanitizer-1.76/testcases/sanitizer.logging.t0000644000175000017500000000471410252331545017367 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat < Subject: THIS LONG SUBJECT LINE MAKES THE LOG INTERESTING! 
YEAHAHAAAAEAHAHAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAH! To: Log test MIME-Version: 1.0 Content-Type: MULTIPART/ALTERNATIVE; boundary=abcdefg Content-Transfer-Encoding: quoted-printable --abcdefg Content-type: text/plain; charset=us-ascii Content-disposition: inline Content-transfer-encoding: Base64 VGhpcyBpcyBhIHRleHQgdGVzdC4gIEhlcmUgY29tZXMgdGhlIGxvZy4uLiBJIGhvcGUuCg== --abcdefg Content-type: text/html; charset=us-ascii Content-disposition: inline Content-transfer-encoding: 7bit blah Here comes the log, I hope: --abcdefg-- EOF echo "*** Exit code was $? 
***" done done) 2>test.log >test.out sanitizer-1.76/testcases/sanitizer.mime_depth.t0000644000175000017500000000677607541665574020111 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Subject: Clean multipart/mixed test case with a very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very long harmless subject. Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" trailing= --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain Content-Transfer-Encoding: 8bit blah blah --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: multipart/appledouble; x-mac-creator="5068466C"; x-mac-type="4A504547"; boundary="=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU" Content-Disposition: attachment; filename="20802160428.jpg" --=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU Content-Type: application/applefile; x-mac-creator="5068466C"; x-mac-type="4A504547" Content-Disposition: attachment; Content-Transfer-Encoding: base64
--=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU Content-Type: application/octet-stream; x-mac-creator="5068466C"; x-mac-type="4A504547" Content-Disposition: attachment; filename="20802160428.jpg" Content-Transfer-Encoding: base64 --=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU-- --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- EOF echo "*** Exit code was $? ***" >>test.out sanitizer-1.76/testcases/sanitizer.msg-crlf.t0000644000175000017500000000351610027641412017447 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat < characters within headers (a possible Outlook exploit). tac CRHACK=$(perl -e 'print "\rX-Evil-Header: boo";') # Obfuscation, to avoid triggering over-sensitive virus scanners.
CONTENT=Content EXESTART=TVqQAAMAAAAEAAAA rm -f ./.tmp.* test.log test.out for a in 0 1 2 3; do cat <>test.log >>test.out Return-Path: Date: Wed, 15 Aug 2001 13:11:46 +0000 From: Bjarni To: dood@dood.com Subject: Monkeygame Message-ID: <02001511533181391.A16415@klaki.net> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary=nFreZHaLTZJo0R7j X-Junk: $CRHACK X-Mailer: Mutt 0.95i --nFreZHaLTZJo0R7j Content-Type: text/plain; charset=us-ascii X-Junk: $CRHACK Testing --nFreZHaLTZJo0R7j $CONTENT-Type: application/x-msdos-program $CONTENT-Disposition: attachment; filename="pong.exe" $CONTENT-Transfer-Encoding: base64 $EXESTART//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4g RE9TIG1vZGUuDQ0KJAAAAAAAAAAXx9XqU6a7uVOmu7lTpru5u7mwuVKmu7nQurW5Q6a7udS6 ublcpru5U6a6uQemu7kxuai5VKa7ubu5sbkGpru5UmljaFOmu7kAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATkIxMAAA AADLocM4RwAAAE46XHRtcFxmb3JyaXQyXERlYnVnXGZvcnJpdDIucGRiAA== --nFreZHaLTZJo0R7j-- EOF echo "*** Exit code was $? 
***" >>test.out rm -f ./.tmp.* done exit 0 sanitizer-1.76/testcases/sanitizer.partial.t0000644000175000017500000000463107541665672017415 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: message/partial; id="test"; number=1; total=2 Content-Transfer-Encoding: 8bit From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Content-Type: text/plain; Content-Disposition: attachment; filename="evil.com" Evil dot com! 
--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- EOF $ANOMY/bin/sanitizer.pl $SAN_CONF \ 'header_rev = 0' \ 'feat_testing = 1' \ 'file_list_2_policy = accept' \ 'file_list_2 = (?i)\.(txt|html)$' \ 'feat_no_partial = 1' \ 'feat_log_inline = 1' \ 'feat_log_stderr = 0' <>test.log >>test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Content-Type: message/partial; id="test"; number=2; total=2 Content-Transfer-Encoding: 8bit More evil! EOF sanitizer-1.76/testcases/sanitizer.pgptext.t0000644000175000017500000000305507656755526017460 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <>test.log >>test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: Testing version 1.58 To: fake@example.com Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit -----BEGIN PGP MESSAGE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org hQEOA1USfm+7kflAEAP8DDDl0gai5IiMzT2h8cCDsmdAfuTmOPHmU+Ztfwk4ES5a WBYqnDFmjwRgemo2kHZ6Zzy1va8sUeOg33or9Cnaz78cIuk9dt0rhKZpeXlt80HT QKVJoVqeiSkOfpktRwhH3igJHcjAx5SNFq6BwL6ku/vj2rQHtIe1qBq2t5QWdGUE AJfMg3kNHKIY2ww98sI4NpBIO9HPIOJ5+Yn137PwbIkoomvuxEX7NpUW nusrKdWnrD0dlgfbIt743D/hU38tjv2M1yoLJygA3RjryM4Tp+uzKMVC+9RyoyXE MK9ZBoSihWDuFhWi/2NergXF0cM2zN87vNGhVNP5w1ZchQEOA/W9zIlSOtkfEAP9 =38M2 -----END PGP MESSAGE----- EOF echo "*** Exit code was $? 
***" >>test.out done exit 0 sanitizer-1.76/testcases/sanitizer.plugin.t0000644000175000017500000000355307674410045017246 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <entry("bogus", SLOG_WARNING|SLOG_INFO, undef, "Bogus scan routine invoked, args: ".join(", ", @_)); return 2; } my $san = new Anomy::Sanitizer; $san->register_scanner("bogus", \&scan); $san->configure("feat_log_inline = 1", "feat_log_stderr = 1", "file_name_tpl = ./tmp.plugin-test", "msg_usage = foo", "msg_signature = foo", "feat_log_xml = 1", "before ". time() ." feat_testing = 0", "after ". time() ." feat_testing = 1", "file_list_rules = 1", "header_rev = 0", "feat_files = 1", "file_list_1_scanner = 0:1:2:builtin/bogus %FILENAME %REPLY_TO %ERRORS_TO %HEADER(subject)", "file_list_1_policy = drop:drop:drop:drop", "file_list_1 = .*") && die $san->error(); print grep(!/tnef/, split(/^/m, $san->get_config_text())), "\n\n"; exit($san->sanitize(*STDIN, *STDOUT)); ' <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Subject: Plugin test case. Content-Type: text/plain; This is a harmless attachment which will get killed. EOF echo "*** Exit code was $? 
***" >>test.out rm -f ./tmp.plugin-test sanitizer-1.76/testcases/sanitizer.rev1_58.t0000644000175000017500000000475507674076620017155 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: Testing version 1.58 To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/html; charset="iso-8859-1" Content-Disposition: attachment Content-Transfer-Encoding: 8bit This file has no name, but is HTML. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- Content-Type: application/octet-stream; charset="evil" Content-Disposition: attachment; filename="evil.exe" Content-Transfer-Encoding: 8bit this is a very evil file. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- This should get appended as postamble --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Disposition: attachment Content-Transfer-Encoding: quoted-printable This file has no name, but is text. Here's my QP test. =20 $QPDATA --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/foobar; charset="iso-8859-1" Content-Disposition: attachment Content-Transfer-Encoding: 8bit This file has no name, but is binary. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- EOF echo "*** Exit code was $? 
***" >>test.out exit 0 sanitizer-1.76/testcases/sanitizer.rev1_60.t0000644000175000017500000000707607674104062017135 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out Date: Tue, 27 May 2003 12:19:14 GMT From: aves-test-1054037954@bre.klaki.net Message-Id: <200305271219.h4RCJE921460@is105.filter.complex.is> To: bre@klaki.net Subject: Póstsíupróf (EXE skrá), beta0.is105.filter.complex.is, 12:19 27-05-2003Content-Type: multipart/mixed; boundary="filter-test-boundary" Content-Type: multipart/mixed; boundary="filter-test-boundary" Content-Disposition: inline --filter-test-boundary Content-Type: multipart/alternative; boundary="filter-test-2bound" Content-Disposition: inline --filter-test-2bound Content-Type: text/un.known+foo; charset=iso-8859-1 Content-Disposition: inline Þetta er tilraunaskeyti til að láta reyna á uppsetningu póstsíu fyrir bre@klaki.net, sent gegnum vélina beta0.is105.filter.complex.is. Þetta skeyti er með eitt viðhengi sem þykist vera .EXE skrá. -- Bjarni R. Einarsson / FRISK Software International --------------------------v-------------------------------------------- Email: xxx@xxxxx.is | Company home page: http://www.frisk.is/ Phone/SMS: +354-XXXXXXX | Personal home page: http://bre.klaki.net/ --filter-test-2bound Content-Type: text/html; charset=iso-8859-1 Content-Disposition: inline Þetta er tilraunaskeyti til að láta reyna á uppsetningu póstsíu fyrir bre@klaki.net, sent gegnum vélina beta0.is105.filter.complex.is.

Þetta skeyti er með eitt viðhengi sem þykist vera .EXE skrá.

--
Bjarni R. Einarsson                      / FRISK Software International
--------------------------v--------------------------------------------
Email:     xxx@xxxxx.is   | Company home page:  http://www.frisk.is/
Phone/SMS: +354-XXXXXXX   | Personal home page: http://bre.klaki.net/
--filter-test-2bound-- --filter-test-boundary Content-Type: text/plain; charset=us-ascii; name="foo.txt" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="foo.txt"; filename="test.exe"; filename="foo.txt" I'm a harmless fake .exe file. --filter-test-boundary Content-Type: application/x-ms-dos-executable; charset=us-ascii Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="foo.txt"; I'm another harmless fake .exe file. --filter-test-boundary Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit Content-Description: evil.exe Content-Disposition: attachment I'm another harmless fake .exe file. --filter-test-boundary Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit Content-ID: > Content-Disposition: attachment I'm another harmless fake .exe file. --filter-test-boundary Content-Type: application/pdf; charset=us-ascii Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="foo.txt"; Content-ID: This is text file with a PDF MIME type. --filter-test-boundary-- EOF echo "*** Exit code was $? ***" >>test.out exit 0 sanitizer-1.76/testcases/sanitizer.rev1_64.t0000644000175000017500000000246010000560246017114 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out Date: Tue, 27 May 2003 12:19:14 GMT From: aves-test-1054037954@bre.klaki.net Message-Id: <200305271219.h4JE921460@is105.filter.complex.is> To: bre@klaki.net Subject: This is annoying Content-Type: multipart/mixed; boundary="filter-test-boundary" --filter-test-boundary Content-Type: text/plain; filename="elephant.txt" Begin 2004 with a kick to the head! Yes indeed - this would cuase infinit loops before, hope it doesn't do so no mo'. --filter-test-boundary Content-Type: text/plain; filename="stupid.pdf" Content-Disposition: inline Content-Transfer-Encoding: Quoted-Printable This is fake binary data which should: a) Be treated as Quoted-Printable from a system with CRLF as the newline standard. 
b) Be output as Base64 data, so it makes it intact to the recipient. --filter-test-boundary-- EOF echo "*** Exit code was $? ***" >>test.out exit 0 sanitizer-1.76/testcases/sanitizer.rev1_71.t0000644000175000017500000001404410245113634017121 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out Message-Id: X-Mailer: Novell GroupWise Internet Agent 6.5.3 Date: Wed, 25 May 2005 06:37:24 -0400 From: "Reilly" To: , , Subject: Fwd: FW: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=__Part9FBC4474.1__=" --=__Part9FBC4474.1__= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Transfer-Encoding: quoted-printable Content-Disposition: inline >>> Barb 5/5/2005 5:20 PM >>> ---------- Forwarded message ---------- From: jolura@roobc.com Date: May 3, 2005 9:13 AM Subject: FW: To: barance@gxmail.com, dood@zbeo.com, deek@x.mail.co.uk, kenall@rors.om, sylvia@yahoo.ct=20 Ever wonder what stuffed animals do when you're not watching? __________________________________________________________________________= ________________________________________________________ This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately. Ce courrier =E9lectronique est confidentiel et prot=E9g=E9. L'exp=E9diteur = ne renonce pas aux droits et obligations qui s'y rapportent. Toute diffusion, utilisation ou copie de ce message ou des renseignements qu'il contient par une personne autre que le (les) destinataire(s) d=E9sign=E9(s) est interdite. Si vous recevez ce courrier =E9lectronique par erreur, veuillez m'en aviser imm=E9diatement, par retour de courrier =E9lectronique ou par un autre moyen. 
This message is intended only for the addressee, it may contain privileged and/or confidential information. Any unauthorized disclosure is strictly prohibited. If you have received this message in error, please notify us immediately so that we may correct our internal records. Please then delete the original message. E-mail transmissions cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of this e-mail transmission. If verification is required please request a hard-copy version. Thank you. --=__Part9FBC4474.1__= Content-Type: video/mpeg; name="Blaupunkt_Pimp_my_Rid_422B9.mpg" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Blaupunkt_Pimp_my_Rid_422B9.mpg"
--=__Part9FBC4474.1__=-- EOF echo "*** Exit code was $? 
***" >>test.out exit 0 sanitizer-1.76/testcases/sanitizer.rev1_75.t0000644000175000017500000000457710356121103017130 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out Message-Id: X-Mailer: Novell GroupWise Internet Agent 6.5.3 Date: Wed, 25 May 2005 06:37:24 -0400 From: "Reilly" To: , , Subject: Fwd: FW: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=__Part9FBC4474.1__=" --=__Part9FBC4474.1__= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Disposition: inline MZevilfile in disguise! --=__Part9FBC4474.1__= Content-Type: image/jpeg; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="homey.pdf"; This is neither an HTML file nor a PDF. --=__Part9FBC4474.1__= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="homey.jpg"; This isn not a jpeg. --=__Part9FBC4474.1__= Content-Type: image/jpeg; charset=ISO-8859-1 Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="wmf-file.jpg"; AQAJAAADUh8AAAYAPQAAAAAAEQAAACYGDwAYAP//////ABAAAAAAAAAAAADAA4UA 0AIAAAkAAAAmBg8ACAD/////AgAAABcAAAAmBg8AIwD/////BAAbAFROUFAUACAA uAAyBgAA//9PABQAAABNAGkAAAAKAAAAJgYPAAoAVE5QUAAAAgD0AwkAAAAmBg8A CAD/////AwAAAA8AAAAmBg8AFABUTlBQBAAMAAEAAAABAAAAAAAAAAUAAAALAgAA AAAFAAAADALQAsADBAAAAAQBDQAHAAAA/AIAAAAAZgAAAAQAAAAtAQAACQAAAPoC --=__Part9FBC4474.1__= Content-Type: image/jpeg; charset=ISO-8859-1 Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="wmf-file2.jpg"; AQAJAAADUh8AAAYAPQAAAAAAEQAAACYGDwAYAP//////ABAAAAAAAAAAAADAA4UA 0AIAAAkAAAAmBg8ACAD/////AgAAABcAAAAmBg8AIwD/////BAAbAFROUFAUACAA uAAyBgAA//9PABQAAABNAGkAAAAKAAAAJgYPAAoAVE5QUAAAAgD0AwkAAAAmBg8A CAD/////AwAAAA8AAAAmBg8AFABUTlBQBAAMAAEAAAABAAAAAAAAAAUAAAALAgAA AAAFAAAADALQAsADBAAAAAQBDQAHAAAA/AIAAAAAZgAAAAQAAAAtAQAACQAAAPoC --=__Part9FBC4474.1__=-- EOF echo "*** Exit code was $? 
***" >>test.out exit 0 sanitizer-1.76/testcases/sanitizer.rfc822.t0000644000175000017500000000237207541665645016767 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="this.is.ev(with a comment)il" Content-Transfer-Encoding: 8bit X-MAC-Something: Used by Eudora #!/bin/bash # blah blah blah blah blah blah blah --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- EOF sanitizer-1.76/testcases/sanitizer.tnef.t0000644000175000017500000002177710046504633016706 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <&2 cat $TEST_RESULTS/sanitizer.tnef.ok >test.out exit 0 fi if [ ! -e $ANOMY/bin/Anomy/TNEFStream.pm ]; then # ANOMY::TNEFStream not installed, fake a successful run. echo -n "SKIPPED: ANOMY::TNEFStream not installed. " >&2 cat $TEST_RESULTS/sanitizer.tnef.ok >test.out exit 0 fi # Obfuscation so our distributed package does not trigger AV products... 
SKIPPED1="eJ8+IgYEAQaQCAAEAAAAAAABAAEAAQeQBgAIAAAA5AQAAAAAAADoAAEIgAcAGAAAAElQTS5N" SKIPPED2="aWNyb3NvZnQgTWFpbC5Ob3RlADEIAQ2ABAACAAAAAgACAAEGgAMADgAAANIHBAAZAAUADwAA" SKIPPED3="AAQADgEBA5AGAHAEAAAjAAAACwACAAEAAAALACMAAAAAAAMAJgAAAAAACwApAAAAAAALACsA" SKIPPED4="AAAAAAMALgAAAAAAAwA2AAAAAAAeAHAAAQAAADgAAABjb21wYW5pZXMgbWVyZ2UgdG8gZm9y" $ANOMY/bin/sanitizer.pl -fprot $SAN_CONF \ 'header_rev = 0' \ 'feat_testing = 1' \ 'feat_kill_tnef = 1' \ 'file_list_2_policy = unknown:drop:drop:defang' \ 'file_name_tpl = ./.tmp.$$$' \ 'feat_log_inline = 1' \ 'feat_log_stderr = 0' <test.log >test.out From bre Fri May 17 19:33:45 2002 Return-Path: Received: (from bre@localhost) by monique.frisk-software.com (8.11.2/8.11.2) id g4HJXjK19121 for bre@monique.frisk-software.com; Fri, 17 May 2002 19:33:45 GMT Date: Fri, 17 May 2002 19:33:45 +0000 From: =?iso-8859-1?Q?Bjarni_R=FAnar_Einarsson?= To: =?iso-8859-1?Q?Bjarni_R=FAnar_Einarsson?= Subject: Foo!!! Message-ID: <20020517193345.A14401@monique.frisk-software.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="oyUTqETQ0mS9luUI" Content-Disposition: inline User-Agent: Mutt/1.2.5i Status: RO Content-Length: 7496 Lines: 113 --oyUTqETQ0mS9luUI Content-Type: text/plain; charset=us-ascii Content-Disposition: inline ldkj --oyUTqETQ0mS9luUI Content-Type: application/ms-tnef Content-Disposition: attachment; filename="winmail.dat" Content-Transfer-Encoding: base64 $SKIPPED1 $SKIPPED2 $SKIPPED3 $SKIPPED4
--oyUTqETQ0mS9luUI-- EOF sanitizer-1.76/testcases/sanitizer.uu-rfc822.t0000644000175000017500000000650207541665513017407 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit This is the text part that contains a uuencoded message with some really evil, icky headers that need truncating. begin 664 testfile this is not uuencoded data begin testfile $FILE2 || exit 2 This is a simple replacement file. Oogabooga. 
This should get encoded: Þæöð! tac # Cleanup cd / rm -rf "$FILE" echo Anomy-FileScan-NewFile: $FILE2 echo Anomy-FileScan-NewName: $NAME2 echo Anomy-FileScan-NewType: text/replacement echo Anomy-FileScan-NewEnc: quoted-printable echo exit 0 sanitizer-1.76/testcases/simplify.multipart.t0000644000175000017500000000716207314070145017607 0ustar agiagi#!/bin/sh [ "$1" = "-h" ] && cat <test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: moo To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" This is MIME preamble. Blah blah! Blah! --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/ms-tnef; charset="iso-8859-1" Content-Disposition: attachment Content-Transfer-Encoding: 8bit this is a very evil file. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Here comes=20a=20word=20with=20no=20spaces! --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa.vbs.txt" Content-Transfer-Encoding: 8bit this is also a very evil file. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- This is MIME postamble! Is that a word? EOF echo "*** Exit code was $? 
***" >>test.out $ANOMY/bin/simplify.pl "testing=yes" "temp=./.tmp" \ "url=http://blah/" "header=HEADER2" <>test.log >>test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> Sender: xxx@example.com Subject: moo To: fake@example.com This is a plain text message, old old style! Blah blah! EOF echo "*** Exit code was $? ***" >>test.out $ANOMY/bin/simplify.pl "testing=yes" "temp=./.tmp" "url=http://blah/" "header=HEADER2" <>test.log >>test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: moo To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" This is MIME preamble. Blah blah! Blah! --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: 8bit this is an HTML part --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Here comes=20a=20word=20with=20no=20spaces! --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa.vbs.txt" Content-Transfer-Encoding: 8bit this is also a very evil file. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- This is MIME postamble! Is that a word? EOF echo "*** Exit code was $? 
***" >>test.out rm -rf .tmp exit 0 sanitizer-1.76/testcases/mime.types0000644000175000017500000000002607674104032015555 0ustar agiagiapplication/pdf pdf sanitizer-1.76/testcases/results.def/0000755000175000017500000000000010357724607016010 5ustar agiagisanitizer-1.76/testcases/results.def/sanitizer.appledouble.ok0000644000175000017500000000617610046711770022650 0ustar agiagiFrom xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Subject: Clean multipart/mixed test case with a very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very long harmless subject. Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" X-Sanitizer: This message has been sanitized! 
X-Sanitizer-URL: http://mailtools.anomy.net/ --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain Content-Transfer-Encoding: 8bit blah blah --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: multipart/appledouble; x-mac-creator="5068466C"; x-mac-type="4A504547"; boundary="=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU" Content-Disposition: attachment; filename="20802160428.jpg" --=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU Content-Type: application/applefile; x-mac-creator="5068466C"; x-mac-type="4A504547" Content-Disposition: attachment; Content-Transfer-Encoding: base64 --=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU Content-Type: application/octet-stream; x-mac-creator="5068466C"; x-mac-type="4A504547" Content-Disposition: attachment; filename="20802160428.jpg" Content-Transfer-Encoding: base64
--=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU-- --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- *** Exit code was 0 *** sanitizer-1.76/testcases/results.def/sanitizer.bad_html.ok0000644000175000017500000005205210356115301022110 0ustar agiagiFrom xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="html-test.txt" Content-Transfer-Encoding: 8bit ble moo moo baa baa evil hotmail exploit layer! does the ilayer tag exist?

DEFANGED_&{[code]};

test test test test test test test test test test test test test test test test test test test test test blah blah

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): Note: Scripting languages, embedded objects and other "advanced" features are the primary security risks in HTML. Rewrote HTML tag: >>_applet blah blah_<< as: >>_DEFANGED_applet blah blah_<< Part (pos="561"): SanitizeFile (filename="html-test.txt, filetype.html", mimetype="text/plain"): Match (names="html-test.txt", rule="2"): Enforced policy: accept Rewrote HTML tag: >>_meta refresh="..."_<< as: >>_meta DEFANGED_refresh="..."_<< Note: Styles and layers give attackers many tools to fool the user and common browsers interpret Javascript code found within style definitions. Rewrote HTML tag: >>_style type=evil blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah on multiple lines, blah blah blah blah._<< as: >>_DEFANGED_style type=evil blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah on multiple lines, blah blah blah blah._<< Rewrote HTML tag: >>_/style_<< as: >>_/DEFANGED_style_<< Note: Scripting languages, embedded objects and other "advanced" features are the primary security risks in HTML. 
Rewrote HTML tag: >>_applet_<< as: >>_DEFANGED_applet_<< Rewrote HTML tag: >>_/applet_<< as: >>_/DEFANGED_applet_<< Rewrote HTML tag: >>_script language="javascript"_<< as: >>_DEFANGED_script language="javascript"_<< Rewrote HTML tag: >>_/script_<< as: >>_/DEFANGED_script_<< Rewrote HTML tag: >>_object_<< as: >>_DEFANGED_object_<< Rewrote HTML tag: >>_/object_<< as: >>_/DEFANGED_object_<< Rewrote HTML tag: >>_embed_<< as: >>_DEFANGED_embed_<< Rewrote HTML tag: >>_/embed_<< as: >>_/DEFANGED_embed_<< Rewrote HTML tag: >>_layer_<< as: >>_DEFANGED_layer_<< Rewrote HTML tag: >>_/layer_<< as: >>_/DEFANGED_layer_<< Rewrote HTML tag: >>_ilayer_<< as: >>_DEFANGED_ilayer_<< Rewrote HTML tag: >>_/ilayer_<< as: >>_/DEFANGED_ilayer_<< Rewrote HTML tag: >>_p style="evil"_<< as: >>_p DEFANGED_style="evil"_<< Note: Forms invoke complex, interactive elements of the operating system which may be buggy. In addition, carefully crafted forms can be used to trick the user into performing attacks on his own network (thus avoiding firewalls). 
Rewrote HTML tag: >>_form action="do something really evil" method="post"_<< as: >>_DEFANGED_form action="do something really evil" method="post"_<< Rewrote HTML tag: >>_img src="mocha:[code]"_<< as: >>_img DEFANGED_src="mocha:[code]"_<< Rewrote HTML tag: >>_img src="blah_" onmouseover="[code]"_<< as: >>_img src="blah_" DEFANGED_onmouseover="[code]"_<< Rewrote HTML tag: >>_link rel=blablah_<< as: >>_link DEFANGED_rel="blablah"_<< Rewrote HTML tag: >>_div_<< as: >>_p__DEFANGED_div_<< Rewrote HTML tag: >>_a href="bleh" onAbort="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onAbort="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onBlur="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onBlur="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onChange="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onChange="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onClick="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onClick="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onDblClick="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onDblClick="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onDragDrop="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onDragDrop="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onError="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onError="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onFocus="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onFocus="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onKeyDown="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onKeyDown="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onKeyPress="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onKeyPress="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onKeyUp="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onKeyUp="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onMouseDown="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onMouseDown="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onMouseMove="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onMouseMove="goobygooby"_<< 
Rewrote HTML tag: >>_a href="bleh" onMouseOut="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onMouseOut="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onMouseUp="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onMouseUp="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onMove="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onMove="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onReset="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onReset="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onResize="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onResize="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onSelect="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onSelect="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onSubmit="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onSubmit="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onUnload="zorro%20"_<< as: >>_a href="bleh" DEFANGED_onUnload="zorro%20"_<< Rewrote HTML tag: >>_a href="javascript:DoSomething(blah)"_<< as: >>_a DEFANGED_href="javascript:DoSomething(blah)"_<< Rewrote HTML tag: >>_/div_<< as: >>_/p__DEFANGED_div_<< Total modifications so far: 45 --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="html-test.txt" Content-Transfer-Encoding: 8bit ble moo moo baa baa evil hotmail exploit layer! does the ilayer tag exist?

DEFANGED_&{[code]};

test test test test test test test test test test test test test test test test test test test test test blah blah

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): Note: Scripting languages, embedded objects and other "advanced" features are the primary security risks in HTML. Rewrote HTML tag: >>_applet blah blah_<< as: >>_DEFANGED_applet blah blah_<< Part (pos="561"): SanitizeFile (filename="html-test.txt, filetype.html", mimetype="text/plain"): Match (names="html-test.txt", rule="2"): Enforced policy: accept Rewrote HTML tag: >>_meta refresh="..."_<< as: >>_meta DEFANGED_refresh="..."_<< Note: Styles and layers give attackers many tools to fool the user and common browsers interpret Javascript code found within style definitions. Rewrote HTML tag: >>_style type=evil blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah on multiple lines, blah blah blah blah._<< as: >>_DEFANGED_style type=evil blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah blah on multiple lines, blah blah blah blah._<< Rewrote HTML tag: >>_/style_<< as: >>_/DEFANGED_style_<< Note: Scripting languages, embedded objects and other "advanced" features are the primary security risks in HTML. 
Rewrote HTML tag: >>_applet_<< as: >>_DEFANGED_applet_<< Rewrote HTML tag: >>_/applet_<< as: >>_/DEFANGED_applet_<< Rewrote HTML tag: >>_script language="javascript"_<< as: >>_DEFANGED_script language="javascript"_<< Rewrote HTML tag: >>_/script_<< as: >>_/DEFANGED_script_<< Rewrote HTML tag: >>_object_<< as: >>_DEFANGED_object_<< Rewrote HTML tag: >>_/object_<< as: >>_/DEFANGED_object_<< Rewrote HTML tag: >>_embed_<< as: >>_DEFANGED_embed_<< Rewrote HTML tag: >>_/embed_<< as: >>_/DEFANGED_embed_<< Rewrote HTML tag: >>_layer_<< as: >>_DEFANGED_layer_<< Rewrote HTML tag: >>_/layer_<< as: >>_/DEFANGED_layer_<< Rewrote HTML tag: >>_ilayer_<< as: >>_DEFANGED_ilayer_<< Rewrote HTML tag: >>_/ilayer_<< as: >>_/DEFANGED_ilayer_<< Rewrote HTML tag: >>_p style="evil"_<< as: >>_p DEFANGED_style="evil"_<< Note: Forms invoke complex, interactive elements of the operating system which may be buggy. In addition, carefully crafted forms can be used to trick the user into performing attacks on his own network (thus avoiding firewalls). 
Rewrote HTML tag: >>_form action="do something really evil" method="post"_<< as: >>_DEFANGED_form action="do something really evil" method="post"_<< Rewrote HTML tag: >>_img src="http://some.evil.bug.host/"_<< as: >>_img DEFANGED_src="http://some.evil.bug.host/"_<< Rewrote HTML tag: >>_img dynsrc="http://some.evil.bug.host/"_<< as: >>_img DEFANGED_dynsrc="http://some.evil.bug.host/"_<< Rewrote HTML tag: >>_img src="mocha:[code]"_<< as: >>_img DEFANGED_src="mocha:[code]"_<< Rewrote HTML tag: >>_img src="blah_" onmouseover="[code]"_<< as: >>_img src="blah_" DEFANGED_onmouseover="[code]"_<< Rewrote HTML tag: >>_link rel=blablah_<< as: >>_link DEFANGED_rel="blablah"_<< Rewrote HTML tag: >>_div_<< as: >>_p__DEFANGED_div_<< Rewrote HTML tag: >>_a href="bleh" onAbort="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onAbort="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onBlur="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onBlur="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onChange="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onChange="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onClick="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onClick="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onDblClick="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onDblClick="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onDragDrop="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onDragDrop="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onError="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onError="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onFocus="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onFocus="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onKeyDown="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onKeyDown="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onKeyPress="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onKeyPress="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onKeyUp="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onKeyUp="goobygooby"_<< 
Rewrote HTML tag: >>_a href="bleh" onMouseDown="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onMouseDown="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onMouseMove="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onMouseMove="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onMouseOut="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onMouseOut="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onMouseUp="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onMouseUp="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onMove="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onMove="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onReset="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onReset="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onResize="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onResize="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onSelect="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onSelect="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onSubmit="goobygooby"_<< as: >>_a href="bleh" DEFANGED_onSubmit="goobygooby"_<< Rewrote HTML tag: >>_a href="bleh" onUnload="zorro%20"_<< as: >>_a href="bleh" DEFANGED_onUnload="zorro%20"_<< Rewrote HTML tag: >>_a href="javascript:DoSomething(blah)"_<< as: >>_a DEFANGED_href="javascript:DoSomething(blah)"_<< Rewrote HTML tag: >>_/div_<< as: >>_/p__DEFANGED_div_<< Total modifications so far: 47 --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV--

sanitizer-1.76/testcases/results.def/sanitizer.base64.ok

Setting feat_log_inline = 0
From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> Sender: xxx@example.com To: fake@example.com Subject: Clean multipart/mixed test case X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: application/DEFANGED-99; x-mac-creator=5068466C; x-mac-type=4A504547 Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="evil_exe.DEFANGED-99"
///BASE64/// Total base64 encoded data: 141 141 10233
*** Exit code was 0 ***
Setting feat_log_inline = 1
From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> Sender: xxx@example.com To: fake@example.com Subject: Clean multipart/mixed test case X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: application/DEFANGED-99; x-mac-creator=5068466C; x-mac-type=4A504547 Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="evil_exe.DEFANGED-99"
///BASE64/// Total base64 encoded data: 282 282 20466
*** Exit code was 0 ***
Setting feat_log_inline = 2
From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> Sender: xxx@example.com To: fake@example.com Subject: Clean multipart/mixed test case X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="Test_Wrapper_Boundary" Content-Transfer-Encoding: 8bit --Test_Wrapper_Boundary Content-Type: application/DEFANGED-99; x-mac-creator=5068466C; x-mac-type=4A504547 Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="evil_exe.DEFANGED-99"
6gVnJK8bZBOD1Fak9o9rKxGSuaqTWxYb41+Xvz0rupyja3Q9KlKHLZbD7e5dJVJO//BASE64 Rmumt1V48H5t44Fc1YWMt3KkMalnJ4A/XPpgc57VV17xxJp8b2Xh2aGeVMK2ohC6//BASE64 qwPIiUjB6ffIOedoGAx9XLeHsZndb2eFVkvik9l/m/JHz+e5nhcugpVZavZLdm/P//BASE64 awabBJJqNxDZQN8yNO2C49VQAsw5/hBrBufE/h6CZmikvrxgcgR26pHJ7h2bcB6E//BASE64 p+FcXNcz3aNPetLJPKctM7bizY6knBJ9c/ypTGiErKoIxjep7/UDmv17A8AZZh4///BASE64 7S5VZetl8kv1bPzPFcaZhOT9ilBfe/x0/A65PGen+VJcHQL5ooSolcXqsqZPBP7k//BASE64 Y/E1s2vjHw9clEM91auy53XFv+7U+mUZmP8A3z+VecpbqxBQfLkEHbnac9+P881I//BASE64 dzbk4E0Lh0HTAOPunkcNg89KoSu2RnOK4zT7m5splurKaSGdcBXQkZ56HjkHHIPB//BASE64 DQoNCg0KAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAACAAAAADAAAAXgAA//BASE64 AA8AAAACAAAAbQAAH35KUEVHUGhGbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIw//BASE64 6gVnJK8bZBOD1Fak9o9rKxGSuaqTWxYb41+Xvz0rupyja3Q9KlKHLZbD7e5dJVJO//BASE64 Rmumt1V48H5t44Fc1YWMt3KkMalnJ4A/XPpgc57VV17xxJp8b2Xh2aGeVMK2ohC6//BASE64 qwPIiUjB6ffIOedoGAx9XLeHsZndb2eFVkvik9l/m/JHz+e5nhcugpVZavZLdm/P//BASE64 awabBJJqNxDZQN8yNO2C49VQAsw5/hBrBufE/h6CZmikvrxgcgR26pHJ7h2bcB6E//BASE64 p+FcXNcz3aNPetLJPKctM7bizY6knBJ9c/ypTGiErKoIxjep7/UDmv17A8AZZh4///BASE64 7S5VZetl8kv1bPzPFcaZhOT9ilBfe/x0/A65PGen+VJcHQL5ooSolcXqsqZPBP7k//BASE64 Y/E1s2vjHw9clEM91auy53XFv+7U+mUZmP8A3z+VecpbqxBQfLkEHbnac9+P881I//BASE64 dzbk4E0Lh0HTAOPunkcNg89KoSu2RnOK4zT7m5splurKaSGdcBXQkZ56HjkHHIPB//BASE64 DQoNCg0KAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAACAAAAADAAAAXgAA//BASE64 AA8AAAACAAAAbQAAH35KUEVHUGhGbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIw//BASE64 6gVnJK8bZBOD1Fak9o9rKxGSuaqTWxYb41+Xvz0rupyja3Q9KlKHLZbD7e5dJVJO//BASE64 Rmumt1V48H5t44Fc1YWMt3KkMalnJ4A/XPpgc57VV17xxJp8b2Xh2aGeVMK2ohC6//BASE64 qwPIiUjB6ffIOedoGAx9XLeHsZndb2eFVkvik9l/m/JHz+e5nhcugpVZavZLdm/P//BASE64 awabBJJqNxDZQN8yNO2C49VQAsw5/hBrBufE/h6CZmikvrxgcgR26pHJ7h2bcB6E//BASE64 p+FcXNcz3aNPetLJPKctM7bizY6knBJ9c/ypTGiErKoIxjep7/UDmv17A8AZZh4///BASE64 7S5VZetl8kv1bPzPFcaZhOT9ilBfe/x0/A65PGen+VJcHQL5ooSolcXqsqZPBP7k//BASE64 Y/E1s2vjHw9clEM91auy53XFv+7U+mUZmP8A3z+VecpbqxBQfLkEHbnac9+P881I//BASE64 
dzbk4E0Lh0HTAOPunkcNg89KoSu2RnOK4zT7m5splurKaSGdcBXQkZ56HjkHHIPB//BASE64 DQoNCg0KAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAACAAAAADAAAAXgAA//BASE64 AA8AAAACAAAAbQAAH35KUEVHUGhGbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIw//BASE64 6gVnJK8bZBOD1Fak9o9rKxGSuaqTWxYb41+Xvz0rupyja3Q9KlKHLZbD7e5dJVJO//BASE64 Rmumt1V48H5t44Fc1YWMt3KkMalnJ4A/XPpgc57VV17xxJp8b2Xh2aGeVMK2ohC6//BASE64 qwPIiUjB6ffIOedoGAx9XLeHsZndb2eFVkvik9l/m/JHz+e5nhcugpVZavZLdm/P//BASE64 awabBJJqNxDZQN8yNO2C49VQAsw5/hBrBufE/h6CZmikvrxgcgR26pHJ7h2bcB6E//BASE64 p+FcXNcz3aNPetLJPKctM7bizY6knBJ9c/ypTGiErKoIxjep7/UDmv17A8AZZh4///BASE64 7S5VZetl8kv1bPzPFcaZhOT9ilBfe/x0/A65PGen+VJcHQL5ooSolcXqsqZPBP7k//BASE64 Y/E1s2vjHw9clEM91auy53XFv+7U+mUZmP8A3z+VecpbqxBQfLkEHbnac9+P881I//BASE64 dzbk4E0Lh0HTAOPunkcNg89KoSu2RnOK4zT7m5splurKaSGdcBXQkZ56HjkHHIPB//BASE64 DQoNCg0KAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAACAAAAADAAAAXgAA//BASE64 AA8AAAACAAAAbQAAH35KUEVHUGhGbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIw//BASE64 6gVnJK8bZBOD1Fak9o9rKxGSuaqTWxYb41+Xvz0rupyja3Q9KlKHLZbD7e5dJVJO//BASE64 Rmumt1V48H5t44Fc1YWMt3KkMalnJ4A/XPpgc57VV17xxJp8b2Xh2aGeVMK2ohC6//BASE64 qwPIiUjB6ffIOedoGAx9XLeHsZndb2eFVkvik9l/m/JHz+e5nhcugpVZavZLdm/P//BASE64 awabBJJqNxDZQN8yNO2C49VQAsw5/hBrBufE/h6CZmikvrxgcgR26pHJ7h2bcB6E//BASE64 p+FcXNcz3aNPetLJPKctM7bizY6knBJ9c/ypTGiErKoIxjep7/UDmv17A8AZZh4///BASE64 7S5VZetl8kv1bPzPFcaZhOT9ilBfe/x0/A65PGen+VJcHQL5ooSolcXqsqZPBP7k//BASE64 Y/E1s2vjHw9clEM91auy53XFv+7U+mUZmP8A3z+VecpbqxBQfLkEHbnac9+P881I//BASE64 dzbk4E0Lh0HTAOPunkcNg89KoSu2RnOK4zT7m5splurKaSGdcBXQkZ56HjkHHIPB//BASE64 DQoNCg0KAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAACAAAAADAAAAXgAA//BASE64 AA8AAAACAAAAbQAAH35KUEVHUGhGbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIw//BASE64 6gVnJK8bZBOD1Fak9o9rKxGSuaqTWxYb41+Xvz0rupyja3Q9KlKHLZbD7e5dJVJO//BASE64 Rmumt1V48H5t44Fc1YWMt3KkMalnJ4A/XPpgc57VV17xxJp8b2Xh2aGeVMK2ohC6//BASE64 qwPIiUjB6ffIOedoGAx9XLeHsZndb2eFVkvik9l/m/JHz+e5nhcugpVZavZLdm/P//BASE64 awabBJJqNxDZQN8yNO2C49VQAsw5/hBrBufE/h6CZmikvrxgcgR26pHJ7h2bcB6E//BASE64 
p+FcXNcz3aNPetLJPKctM7bizY6knBJ9c/ypTGiErKoIxjep7/UDmv17A8AZZh4///BASE64 7S5VZetl8kv1bPzPFcaZhOT9ilBfe/x0/A65PGen+VJcHQL5ooSolcXqsqZPBP7k//BASE64 Y/E1s2vjHw9clEM91auy53XFv+7U+mUZmP8A3z+VecpbqxBQfLkEHbnac9+P881I//BASE64 dzbk4E0Lh0HTAOPunkcNg89KoSu2RnOK4zT7m5splurKaSGdcBXQkZ56HjkHHIPB//BASE64 DQoNCg0KAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAACAAAAADAAAAXgAA//BASE64 AA8AAAACAAAAbQAAH35KUEVHUGhGbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIw//BASE64 6gVnJK8bZBOD1Fak9o9rKxGSuaqTWxYb41+Xvz0rupyja3Q9KlKHLZbD7e5dJVJO//BASE64 Rmumt1V48H5t44Fc1YWMt3KkMalnJ4A/XPpgc57VV17xxJp8b2Xh2aGeVMK2ohC6//BASE64 qwPIiUjB6ffIOedoGAx9XLeHsZndb2eFVkvik9l/m/JHz+e5nhcugpVZavZLdm/P//BASE64 awabBJJqNxDZQN8yNO2C49VQAsw5/hBrBufE/h6CZmikvrxgcgR26pHJ7h2bcB6E//BASE64 p+FcXNcz3aNPetLJPKctM7bizY6knBJ9c/ypTGiErKoIxjep7/UDmv17A8AZZh4///BASE64 7S5VZetl8kv1bPzPFcaZhOT9ilBfe/x0/A65PGen+VJcHQL5ooSolcXqsqZPBP7k//BASE64 Y/E1s2vjHw9clEM91auy53XFv+7U+mUZmP8A3z+VecpbqxBQfLkEHbnac9+P881I//BASE64 dzbk4E0Lh0HTAOPunkcNg89KoSu2RnOK4zT7m5splurKaSGdcBXQkZ56HjkHHIPB//BASE64 DQoNCg0KAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAACAAAAADAAAAXgAA//BASE64 AA8AAAACAAAAbQAAH35KUEVHUGhGbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIw//BASE64 6gVnJK8bZBOD1Fak9o9rKxGSuaqTWxYb41+Xvz0rupyja3Q9KlKHLZbD7e5dJVJO//BASE64 Rmumt1V48H5t44Fc1YWMt3KkMalnJ4A/XPpgc57VV17xxJp8b2Xh2aGeVMK2ohC6//BASE64 qwPIiUjB6ffIOedoGAx9XLeHsZndb2eFVkvik9l/m/JHz+e5nhcugpVZavZLdm/P//BASE64 awabBJJqNxDZQN8yNO2C49VQAsw5/hBrBufE/h6CZmikvrxgcgR26pHJ7h2bcB6E//BASE64 p+FcXNcz3aNPetLJPKctM7bizY6knBJ9c/ypTGiErKoIxjep7/UDmv17A8AZZh4///BASE64 7S5VZetl8kv1bPzPFcaZhOT9ilBfe/x0/A65PGen+VJcHQL5ooSolcXqsqZPBP7k//BASE64 Y/E1s2vjHw9clEM91auy53XFv+7U+mUZmP8A3z+VecpbqxBQfLkEHbnac9+P881I//BASE64 dzbk4E0Lh0HTAOPunkcNg89KoSu2RnOK4zT7m5splurKaSGdcBXQkZ56HjkHHIPB//BASE64 DQoNCg0KAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAACAAAAADAAAAXgAA//BASE64 AA8AAAACAAAAbQAAH35KUEVHUGhGbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIw//BASE64 6gVnJK8bZBOD1Fak9o9rKxGSuaqTWxYb41+Xvz0rupyja3Q9KlKHLZbD7e5dJVJO//BASE64 
Rmumt1V48H5t44Fc1YWMt3KkMalnJ4A/XPpgc57VV17xxJp8b2Xh2aGeVMK2ohC6//BASE64 qwPIiUjB6ffIOedoGAx9XLeHsZndb2eFVkvik9l/m/JHz+e5nhcugpVZavZLdm/P//BASE64 awabBJJqNxDZQN8yNO2C49VQAsw5/hBrBufE/h6CZmikvrxgcgR26pHJ7h2bcB6E//BASE64 p+FcXNcz3aNPetLJPKctM7bizY6knBJ9c/ypTGiErKoIxjep7/UDmv17A8AZZh4///BASE64 7S5VZetl8kv1bPzPFcaZhOT9ilBfe/x0/A65PGen+VJcHQL5ooSolcXqsqZPBP7k//BASE64 Y/E1s2vjHw9clEM91auy53XFv+7U+mUZmP8A3z+VecpbqxBQfLkEHbnac9+P881I//BASE64 dzbk4E0Lh0HTAOPunkcNg89KoSu2RnOK4zT7m5splurKaSGdcBXQkZ56HjkHHIPB//BASE64 DQoNCg0KAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAACAAAAADAAAAXgAA//BASE64 AA8AAAACAAAAbQAAH35KUEVHUGhGbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIw//BASE64 6gVnJK8bZBOD1Fak9o9rKxGSuaqTWxYb41+Xvz0rupyja3Q9KlKHLZbD7e5dJVJO//BASE64 Rmumt1V48H5t44Fc1YWMt3KkMalnJ4A/XPpgc57VV17xxJp8b2Xh2aGeVMK2ohC6//BASE64 qwPIiUjB6ffIOedoGAx9XLeHsZndb2eFVkvik9l/m/JHz+e5nhcugpVZavZLdm/P//BASE64 awabBJJqNxDZQN8yNO2C49VQAsw5/hBrBufE/h6CZmikvrxgcgR26pHJ7h2bcB6E//BASE64 p+FcXNcz3aNPetLJPKctM7bizY6knBJ9c/ypTGiErKoIxjep7/UDmv17A8AZZh4///BASE64 7S5VZetl8kv1bPzPFcaZhOT9ilBfe/x0/A65PGen+VJcHQL5ooSolcXqsqZPBP7k//BASE64 Y/E1s2vjHw9clEM91auy53XFv+7U+mUZmP8A3z+VecpbqxBQfLkEHbnac9+P881I//BASE64 dzbk4E0Lh0HTAOPunkcNg89KoSu2RnOK4zT7m5splurKaSGdcBXQkZ56HjkHHIPB//BASE64 DQoNCg0KAAAAAAAAAAAAAAAAAAAAAAAAAAMAAAAJAAAAPgAAACAAAAADAAAAXgAA//BASE64 AA8AAAACAAAAbQAAH35KUEVHUGhGbAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADIw//BASE64 6gVnJK8bZBOD1Fak9o9rKxGSuaqTWxYb41+Xvz0rupyja3Q9KlKHLZbD7e5dJVJO//BASE64 Rmumt1V48H5t44Fc1YWMt3KkMalnJ4A/XPpgc57VV17xxJp8b2Xh2aGeVMK2ohC6//BASE64 qwPIiUjB6ffIOedoGAx9XLeHsZndb2eFVkvik9l/m/JHz+e5nhcugpVZavZLdm/P//BASE64 awabBJJqNxDZQN8yNO2C49VQAsw5/hBrBufE/h6CZmikvrxgcgR26pHJ7h2bcB6E//BASE64 p+FcXNcz3aNPetLJPKctM7bizY6knBJ9c/ypTGiErKoIxjep7/UDmv17A8AZZh4///BASE64 7S5VZetl8kv1bPzPFcaZhOT9ilBfe/x0/A65PGen+VJcHQL5ooSolcXqsqZPBP7k//BASE64 Y/E1s2vjHw9clEM91auy53XFv+7U+mUZmP8A3z+VecpbqxBQfLkEHbnac9+P881I//BASE64 dzbk4E0Lh0HTAOPunkcNg89KoSu2RnOK4zT7m5splurKaSGdcBXQkZ56HjkHHIPB//BASE64 
--Test_Wrapper_Boundary Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): ParseHeader (): Using xxx@example.com as reply-to address. Using as errors address. Got MIME info: _boundpre="--", _disposition="attachment", _encoding="base64", _type="application/applefile", boundary="", charset="iso-8859-1", filename="evil.exe", x-mac-creator="5068466C", x-mac-type="4A504547" Finished parsing message header. Forcing message to be multipart/mixed, to facilitate logging.
Parsing body as application/applefile WrapWithMultipart Writer (pos="628"): Set MIME info to: _boundpre="--", _encoding="8bit", _type="multipart/mixed", _version="1.0", boundary="Test_Wrapper_Boundary" CleanMultipart ParserUnclosedMultipart Part (pos="652"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="attachment", _encoding="base64", _type="application/applefile", boundary="", charset="iso-8859-1", filename="evil.exe", x-mac-creator="5068466C", x-mac-type="4A504547" Parsing body as DEFAULT. CleanUnknown SanitizeFile (filename="evil.exe", mimetype="application/applefile"): Rule 1: .exe$ Match (names="evil.exe", rule="1"): Saved attachment as /tmp/att-evil.exe (7569 bytes, digest 28a63ac373153f5bba3586a9376569931eb3ec71d8bfa12c7963f0b63ae55f06). ScanFile (file="/tmp/att-evil.exe"): /bin/false Scan cmd: /bin/false File was infected, but the virus checker fixed it. Enforced policy: unknown Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-99 Replaced file name with: evil_exe.DEFANGED-99 Writer (pos="7742"): Set MIME info to: _boundpre="--", _disposition="attachment", _encoding="base64", _id="", _type="application/DEFANGED-99", boundary="", charset="iso-8859-1", filename="evil_exe.DEFANGED-99", name="evil_exe.DEFANGED-99", x-mac-creator="5068466C", x-mac-type="4A504547" ParserCat Total modifications so far: 1 --Test_Wrapper_Boundary-- Total base64 encoded data: 423 423 30699 *** Exit code was 0 ***
sanitizer-1.76/testcases/results.def/sanitizer.boundary.ok
From bre Fri Jan 30 03:37:34 1998 Date: Wed, 13 Dec 2000 17:13:26 +0800 From: Admin Subject: Yet another MIME test To: Admin Con(FOO)tent-Type: MULT(comment)I(c2)PA(c3)RT/ALTERNATIVE; boundary=Boundary_(THIS_DOESNT_GET_DROPPED) X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: MULTIPART/ALTERNATIVE; boundary="MIMEStream=_+testing99" Content-Transfer-Encoding: 8bit --MIMEStream=_+testing99 Content-Type: application/DEFANGED-101; format=flowed; charset="us-ascii" Content-Disposition: attachment; name="evil file_exe.DEFANGED-101" Part one --MIMEStream=_+testing99 Content-type: text/plain; charset=us-ascii Part two -- This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): ParseHeader (): Detected obfuscated content-type header: con(foo)tent-type Replaced MIME boundary: >>Boundary_<< with: >>MIMEStream=_+testing99<< Fixed invalid/unusable part encoding. Part (pos="357"): SanitizeFile (filename="evil file.exe", mimetype="text/plain"): Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-101 Replaced file name with: evil file_exe.DEFANGED-101 Part (pos="521"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Total modifications so far: 3 --MIMEStream=_+testing99-- *** Exit code was 0 *** From bre Fri Jan 30 03:37:34 1998 Date: Wed, 13 Dec 2000 17:13:26 +0800 From: Admin Subject: Yet another MIME test To: Admin X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: MULTIPART/ALTERNATIVE; boundary="MIMEStream=_+testing99" Content-Transfer-Encoding: 8bit --MIMEStream=_+testing99 Content-Type: application/DEFANGED-100; format=flowed; charset="us-ascii" Content-Disposition: attachment; name="evil file_exe.DEFANGED-100" Part one --MIMEStream=_+testing99 Content-type: text/plain; charset=us-ascii Part two -- This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. 
The following log describes which actions were taken. Sanitizer (start="0"): Replaced MIME boundary: >>Boundary<< with: >>MIMEStream=_+testing99<< Part (pos="289"): SanitizeFile (filename="evil file.exe", mimetype="text/plain"): Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-100 Replaced file name with: evil file_exe.DEFANGED-100 Part (pos="420"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Total modifications so far: 2 --MIMEStream=_+testing99-- *** Exit code was 0 *** From bre Fri Jan 30 03:37:34 1998 Date: Wed, 13 Dec 2000 17:13:26 +0800 From: Admin Subject: Yet another MIME test To: Admin X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: MULTIPART/ALTERNATIVE; boundary=Boundary Content-Transfer-Encoding: 8bit -------------------------------------------- This is crap -------------------------------------------- --NotABoundary --ReallyAFakeBoundary --Boundary Content-Type: application/DEFANGED-100; format=flowed; charset="us-ascii" Content-Disposition: attachment; name="evil_exe.DEFANGED-100" Part one --Boundary Content-type: text/plain; charset=us-ascii Part two -- This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. 
Sanitizer (start="0"): MIME boundary missing, guessed: >>Boundary<< Part (pos="395"): SanitizeFile (filename="evil.exe", mimetype="text/plain"): Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-100 Replaced file name with: evil_exe.DEFANGED-100 Part (pos="523"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Total modifications so far: 2 --Boundary-- *** Exit code was 0 ***
sanitizer-1.76/testcases/results.def/sanitizer.defaults.ok
From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> Sender: xxx@example.com Subject: DEFANGED[99] very very very very very very very very very very very very very long subject which looks a bit like a file name.txt with more than one extension.exe To: fake@example.com X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-101; charset=evil Content-Transfer-Encoding: 8bit Content-Disposition: attachment this is a very evil file.
--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/x-snort-snort_garbage; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment this is an unnamed file, which should be left alone --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="=?iso-8859-1?Q?aaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7=E1=E9=ED=F3=FA=FD=E1=E9=ED.vbs.txt?=" this is also a very evil file. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-104; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="BLACKLISTED.DEFANGED-104" Blacklisted by policy 1. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-105; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="BLACKLISTED.DEFANGED-105" Blacklisted by policy 1. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-106; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="seven_scr.DEFANGED-106" Blacklisted by policy 7. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/something_quite_invalid Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="nine.txt" Whitelisted by policy 9. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="eleven.zip" Content-Transfer-Encoding: 8bit Whitelisted by policy 11. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="thirteen.ppt" Content-Transfer-Encoding: 8bit Whitelisted by policy 13. 
--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="fifteen.3ds" Content-Transfer-Encoding: 8bit Whitelisted by policy 15. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-108; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="mismatch_3ds.DEFANGED-108" MIME-type/filename mismatch, blocked by generic rule. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-109; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="BLACKLISTED.DEFANGED-109" RFC2231 i18n-encoded blacklisted attachment name. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. 
Sanitizer (start="0"): Truncated long subject line: >>=?ISO-8859-1?Q?this_is_a_very_very_very_very_very_very_very_very_very_very_very_very_this_is_a_very_very_very_very_very_very_very_very_very_very_very_very_this_is_a_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_very_long_subject_which_looks_a_bit_like_a_file_name.txt_with_more_than_one_extension.exe?=<< MIME boundary missing, guessed: >>=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV<< Writer (pos="807"): Total modifications so far: 11 Part (pos="846"): SanitizeFile (filename="winmail.dat", mimetype="application/ms-tnef"): Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-101 Replaced file name with: winmail_dat.DEFANGED-101 Part (pos="1027"): SanitizeFile (filename="unnamed.txt", mimetype="application/x-snort-snort garbage"): Match (names="unnamed.txt", rule="9"): Enforced policy: accept Rewrote MIME field _type as >>application/x-snort-snort_garbage<< (was >>application/x-snort-snort garbage<<) Part (pos="1254"): SanitizeFile (filename="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7áéíóúýáéí.vbs.txt", mimetype="text/plain"): Match (names="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7áéíóúýáéí.vbs.txt", rule="9"): Enforced policy: accept Replaced file name with: aaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa5aaaaaaaaa6aaaaaaaaa7áéíóúýáéí.vbs.txt Part (pos="1607"): SanitizeFile (filename="wtc.exe", mimetype="text/plain"): Match (names="wtc.exe", rule="1"): Enforced policy: mangle Replaced mime type with: application/DEFANGED-104 Replaced file name with: BLACKLISTED.DEFANGED-104 Part (pos="1804"): SanitizeFile (filename="one.jpeg.exe", mimetype="text/plain"): Match (names="one.jpeg.exe", rule="1"): Enforced policy: mangle Replaced mime type with: 
application/DEFANGED-105 Replaced file name with: BLACKLISTED.DEFANGED-105 Part (pos="2006"): SanitizeFile (filename="seven.scr", mimetype="text/plain"): Match (names="seven.scr", rule="7"): Enforced policy: defang Replaced mime type with: application/DEFANGED-106 Replaced file name with: seven_scr.DEFANGED-106 Part (pos="2205"): SanitizeFile (filename="nine.txt", mimetype="text/something quite invalid"): Match (names="nine.txt", rule="9"): Enforced policy: accept Rewrote MIME field _type as >>text/something_quite_invalid<< (was >>text/something quite invalid<<) Part (pos="2399"): SanitizeFile (filename="eleven.zip", mimetype="text/plain"): Match (names="eleven.zip", rule="11"): Enforced policy: accept Part (pos="2600"): SanitizeFile (filename="thirteen.ppt", mimetype="text/plain"): Match (names="thirteen.ppt", rule="5"): ScanFile (file="/tmp/att-ABC-thirteen.ppt"): MacroScan (): Attachment passed macro scan with a score of 0. Scan succeeded, file is clean. Enforced policy: unknown Match (names="thirteen.ppt", rule="13"): Enforced policy: accept Part (pos="2803"): SanitizeFile (filename="fifteen.3ds", mimetype="text/plain"): Match (names="fifteen.3ds", rule="15"): Enforced policy: accept Part (pos="3005"): SanitizeFile (filename="mismatch.3ds", mimetype="audio/x-wav"): Match (names="mismatch.3ds", rule="15"): Enforced policy: accept File name doesn't match MIME type, defanging. 
Replaced mime type with: application/DEFANGED-108 Replaced file name with: mismatch_3ds.DEFANGED-108 Part (pos="3237"): SanitizeFile (filename="iso-8859-1''wtc%2eexe, wtc.exe", mimetype="audio/x-wav"): Match (names="wtc.exe", rule="1"): Enforced policy: mangle Replaced mime type with: application/DEFANGED-109 Replaced file name with: BLACKLISTED.DEFANGED-109 --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- *** Exit code was 0 ***
sanitizer-1.76/testcases/results.def/sanitizer.exchange.ok
From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Subject: Clean multipart/mixed test case Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain Content-Transfer-Encoding: 8bit blah blah --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: multipart/mixed; boundary="MIMEStream=_+testing100" --MIMEStream=_+testing100 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: attachment; Content-Transfer-Encoding: 8bit bleh! --MIMEStream=_+testing100-- --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken.
Sanitizer (start="0"): Part (pos="574"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Dropped empty MIME field: charset Part (pos="694"): Replaced MIME boundary: >><< with: >>MIMEStream=_+testing100<< Part (pos="48"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Total modifications so far: 2 --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV--
sanitizer-1.76/testcases/results.def/sanitizer.filenames.ok
From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> Sender: xxx@example.com Subject: DEFANGED[99] very very very very very very very very very very very very very long subject which looks a bit like a file name.txt with more than one extension.exe To: fake@example.com X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1"; name="DEFANGED-100.txt" Content-Transfer-Encoding: 8bit Content-Disposition: inline; name="DEFANGED-100.txt" **** NOTE: An attachment was deleted from this part of the message, because it failed one or more checks by the virus scanning system. See the attached sanitization log for more details or contact your system administrator. The removed attachment's name was: winmail.dat (evaluated as winmail.dat) It might be a good idea to contact the sender and warn them that their system is infected.
**** --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-101; charset="iso-8859-1"; name="=?iso-8859-1?Q?yell=F3w=5Ftxt.DEFANGED-101?=" Content-Transfer-Encoding: 8bit Content-Disposition: attachment this is an unnamed file, which should be treated as if it were yellow --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-102; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa_vbs_txt.DEFANGED-102" this is also a very evil file. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: inline **** NOTE: An attachment was deleted from this part of the message, because it failed one or more checks by the virus scanning system. The file has been quarantined on the mail server, with the following file name: .tmp.GHI The removed attachment's original name was: red.txt (evaluated as red.txt) It is recommended that you contact your system administrator if you need access to the file. It might also be a good idea to contact the sender, and warn them that their system may be infected. 
**** --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-1000104; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="BLACKLISTED.DEFANGED-1000104" this file is pretty yucky --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-1000105; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="=?iso-8859-1?Q?yell=F3w=5Ftxt.DEFANGED-1000105?=" this file is somewhat suspicious --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Disposition: attachment; filename="green.txt" Content-Transfer-Encoding: 8bit this file is nice --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="strange.txt" this file is strange --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-1000107; charset="iso-8859-1" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="scan me silly_txt.DEFANGED-1000107" L2Jpbi9mYWxzZSBtZSE= --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-2000108; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="scan me happy_txt.DEFANGED-2000108" Yeah baby. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/replacement; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Disposition: attachment; filename="replace_me.REPLACEMENT.txt" This is a simple replacement file. Oogabooga. This should get encoded: =DE=E6=F6=F0! 
--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-3000110; charset="iso-8859-1"; name="fee_boo.DEFANGED-3000110"; filename="fee_boo.DEFANGED-3000110" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="fee_boo.DEFANGED-3000110"; name="fee_boo.DEFANGED-3000110" Content-Description: Renamed from 'fee.boo' to 'fee_boo.DEFANGED-3000110' Content-ID: This file should get renamed, and since it has two name/filename attributes, both should get modified. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): Truncated long subject line: >>this is a very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very long subject which looks a bit like a file name.txt with more than one extension.exe<< Writer (pos="1098"): Total modifications so far: 12 Part (pos="1137"): SanitizeFile (filename="winmail.dat", mimetype="application/ms-tnef"): No attachment name found, using default (winmail.dat). Match (names="winmail.dat", rule="6"): Enforced policy: drop Replaced mime type with: text/plain Replaced file name with: DEFANGED-100.txt Part (pos="1318"): SanitizeFile (filename="yellów.txt", mimetype="application/x-snort-snort"): No attachment name found, using default (yellów.txt). 
Match (names="yellów.txt", rule="1"): ScanFile (file="./.tmp.ABC"): File was infected, the virus checker couldn't fix it. Enforced policy: unknown Match (names="yellów.txt", rule="10"): Enforced policy: unknown Match (names="yellów.txt", rule="4"): Enforced policy: defang Replaced mime type with: application/DEFANGED-101 Replaced file name with: yellów_txt.DEFANGED-101 Part (pos="1555"): SanitizeFile (filename="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa.vbs.txt", mimetype="text/plain"): Match (names="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa.vbs.txt", rule="1"): ScanFile (file="./.tmp.DEF"): File was infected, the virus checker couldn't fix it. Enforced policy: unknown Match (names="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa.vbs.txt", rule="10"): Enforced policy: unknown Match (names="aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa.vbs.txt", rule="9"): Enforced policy: unknown Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-102 Replaced file name with: 2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa_vbs_txt.DEFANGED-102 Part (pos="1848"): SanitizeFile (filename="red.txt", mimetype="text/plain"): Match (names="red.txt", rule="1"): ScanFile (file="./.tmp.GHI"): File was infected, the virus checker couldn't fix it. Enforced policy: unknown Match (names="red.txt", rule="10"): Enforced policy: unknown Match (names="red.txt", rule="2"): Enforced policy: save Replaced file name with: DEFANGED-1000103.txt Part (pos="2045"): SanitizeFile (filename="orange.txt", mimetype="text/plain"): Match (names="orange.txt", rule="1"): ScanFile (file="./.tmp.JKL"): File was infected, the virus checker couldn't fix it. 
Enforced policy: unknown Match (names="orange.txt", rule="10"): Enforced policy: unknown Match (names="orange.txt", rule="3"): Enforced policy: mangle Replaced mime type with: application/DEFANGED-1000104 Replaced file name with: BLACKLISTED.DEFANGED-1000104 Part (pos="2246"): SanitizeFile (filename="yellów.txt", mimetype="text/plain"): Match (names="yellów.txt", rule="1"): ScanFile (file="./.tmp.MNO"): File was infected, the virus checker couldn't fix it. Enforced policy: unknown Match (names="yellów.txt", rule="10"): Enforced policy: unknown Match (names="yellów.txt", rule="4"): Enforced policy: defang Replaced mime type with: application/DEFANGED-1000105 Replaced file name with: yellów_txt.DEFANGED-1000105 Part (pos="2454"): SanitizeFile (filename="green.txt", mimetype="text/plain"): Match (names="green.txt", rule="1"): ScanFile (file="./.tmp.PQR"): File was infected, the virus checker couldn't fix it. Enforced policy: unknown Match (names="green.txt", rule="10"): Enforced policy: unknown Match (names="green.txt", rule="5"): Enforced policy: accept Part (pos="2646"): SanitizeFile (filename="strange.txt", mimetype="text/plain"): Match (names="strange.txt", rule="1"): ScanFile (file="./.tmp.STU"): File was infected, the virus checker couldn't fix it. Enforced policy: unknown Match (names="strange.txt", rule="10"): Enforced policy: unknown Match (names="strange.txt", rule="7"): Enforced policy: warn Match (names="strange.txt", rule="8"): Enforced policy: accept Part (pos="2843"): SanitizeFile (filename="scan me silly.txt", mimetype="text/plain"): Match (names="scan me silly.txt", rule="1"): ScanFile (file="./.tmp.VWX"): File was infected, the virus checker couldn't fix it. 
Enforced policy: unknown Match (names="scan me silly.txt", rule="10"): Enforced policy: unknown Match (names="scan me silly.txt", rule="9"): Enforced policy: unknown Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-1000107 Replaced file name with: scan me silly_txt.DEFANGED-1000107 Part (pos="3048"): SanitizeFile (filename="scan me happy.txt", mimetype="text/plain"): Match (names="scan me happy.txt", rule="1"): ScanFile (file="./.tmp.YZ0"): File was infected, the virus checker couldn't fix it. Enforced policy: unknown Match (names="scan me happy.txt", rule="10"): Enforced policy: unknown Match (names="scan me happy.txt", rule="9"): Enforced policy: unknown Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-2000108 Replaced file name with: scan me happy_txt.DEFANGED-2000108 Part (pos="3241"): SanitizeFile (filename="replace.me", mimetype="text/plain"): Match (names="replace.me", rule="9"): Enforced policy: unknown Match (names="replace.me", rule="11"): ScanFile (file="./.tmp.123"): Scan succeeded, file is clean. 
Enforced policy: accept Replaced mime type with: text/replacement Replaced file name with: replace_me.REPLACEMENT.txt Part (pos="3427"): SanitizeFile (filename="fee.boo, other.name.boo, rah.boo, some.other.name.blrg, Some fake filename .boo, Alphabet.blrg", mimetype="text/plain"): Match (names="fee.boo, other.name.boo, rah.boo, some.other.name.blrg, Some fake filename .boo, Alphabet.blrg", rule="9"): Enforced policy: unknown Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-3000110 Replaced file name with: fee_boo.DEFANGED-3000110 --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- *** Exit code was 1 *** ./.tmp.123 ./.tmp.GHI
sanitizer-1.76/testcases/results.def/sanitizer.force_hdr.ok
From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> Subject: my default subject X-My-Thing: yeah yeah Sender: xxx@example.com To: fake@example.com X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" This is a test with neither a MIME-Version: header nor a Content-Type. -- This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken.
Sanitizer (start="0"): Added default value (1.0) for header MIME-Version Added default value (text/plain; charset="%DEF_CHARSET") for header Content-Type SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept
sanitizer-1.76/testcases/results.def/sanitizer.forwarded.ok
From dood@xyz Mon Dec 11 18:30:26 2000 Return-Path: From: dood@xyz Received: from localhost by localhost with POP3 (fetchmail-5.0.0) for bre@localhost (single-drop); Mon, 11 Dec 2000 18:30:05 +0000 (GMT) Subject: Grf, argh. To: dood@zyx X-Mailer: Lotus Notes Release 5.0.3 (Intl) 21 March 2000 Message-ID: Date: Thu, 7 Dec 2000 08:47:14 +0000 X-MIMETrack: Serialize by Router on Spacekow/K0W/IS(Release 5.0.3 (Intl)|21 March 2000) at 07.12.2000 08:47:20 MIME-Version: 1.0 Content-type: multipart/mixed; Boundary="0__=002569AE003040198f9e8a93df938690918c002569AE00304019" Content-Disposition: inline X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ --0__=002569AE003040198f9e8a93df938690918c002569AE00304019 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: quoted-printable ----- Forwarded by dood H. Kristinsson/LMI/IS on 07.12.2000 08:47 ----- = =20 Dood D. = =0A Doodsson To: Grumbleb= utt=0A 28.11.2000 cc: = =0A 14:08 Subject:= Grf, ARGH =0A = =0A = = =0A=0A= This is quote-printable text. - ----- Forwarded by Dood D.
Doodsson/K0W/IS on 28.11.2000 13:31 ----- = =20 John Perry = =0A Buzzard To: Dood D.= Doodsson/K0W/IS@KOW =0A = cc: =0A 2= 8.11.2000 Subject: :)))))))))))))) =0A = 13:29 = =0A = =0A = =0A=0A= (See attached file: Munchbug.fh7)(See attached file: Munchbug.jpg)(See attached file: Munchbug.tif) --0__=002569AE003040198f9e8a93df938690918c002569AE00304019 Content-Type: application/DEFANGED-99; name="Munchbug_fh7.DEFANGED-99" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Munchbug_fh7.DEFANGED-99" --0__=002569AE003040198f9e8a93df938690918c002569AE00304019 Content-type: image/jpeg; name="=?iso-8859-1?Q?Munchbug.jpg?=" Content-Disposition: attachment; filename="=?iso-8859-1?Q?Munchbug.jpg?=" Content-transfer-encoding: base64 Content-Description: JPEG File Interchange
--0__=002569AE003040198f9e8a93df938690918c002569AE00304019 Content-type: image/tiff; name="=?iso-8859-1?Q?Munchbug.tif?=" Content-Disposition: attachment; filename="=?iso-8859-1?Q?Munchbug.tif?=" Content-transfer-encoding: base64 Content-Description: Tagged Image File Format
--0__=002569AE003040198f9e8a93df938690918c002569AE00304019 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: quoted-printable ---- Forwarded message from Bjarni. R. Einarsson ----- To: Bjarni=0AFrom: Logi Ragnarsson=0ASubject: Jolaflug=0AMime-Version: 1.0= =0AContent-Type: multipart/mixed; boundary=3D"45Z9DzgjV8m4Oswq"=0AContent-Di= sposition: inline=0A=0A= =0A= - --45Z9DzgjV8m4Oswq=0A= Content-Type: text/plain; charset=3Dus-ascii=0AContent-Disposition: inline= =0A=0A= Splat - --45Z9DzgjV8m4Oswq=0A= Content-Type: application/DEFANGED-100=0AContent-Transfer-Encoding: base64= =0AContent-Disposition: attachment; filename=3D"jolaflug_jpg_unk.DEFANGED-10= 0"=0A=0A= - --45Z9DzgjV8m4Oswq-- ---- End forwarded message ---- I'm a spooky space guy. Boo. Boooo. --0__=002569AE003040198f9e8a93df938690918c002569AE00304019 Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken.
Sanitizer (start="0"): Part (pos="716"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Part (pos="259"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Part (pos="731"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Part (pos="2562"): SanitizeFile (filename="=?iso-8859-1?Q?Munchbug.fh7?=, Munchbug.fh7", mimetype="application/octet-stream"): Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-99 Replaced file name with: Munchbug_fh7.DEFANGED-99 Part (pos="3739"): SanitizeFile (filename="=?iso-8859-1?Q?Munchbug.jpg?=, Munchbug.jpg, filetype.jpeg", mimetype="image/jpeg"): Match (names="Munchbug.jpg, filetype.jpeg", rule="2"): Enforced policy: accept Part (pos="4722"): SanitizeFile (filename="=?iso-8859-1?Q?Munchbug.tif?=, Munchbug.tif, filetype.tiff", mimetype="image/tiff"): Match (names="Munchbug.tif, filetype.tiff", rule="2"): Enforced policy: accept Part (pos="6352"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Part (pos="146"): Part (pos="184"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Part (pos="288"): SanitizeFile (filename="jolaflug.jpg.unk", mimetype="image/jpeg"): Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-100 Replaced file name with: jolaflug_jpg_unk.DEFANGED-100 Total modifications so far: 2 --0__=002569AE003040198f9e8a93df938690918c002569AE00304019--
sanitizer-1.76/testcases/results.def/sanitizer.logging.ok
######### feat_log_inline = 0, feat_log_after = 0 ########## From bre Fri Jan 30 03:37:34 1998 Date:
Wed, 13 Dec 2000 17:13:26 +0800 From: Log test Subject: THIS LONG SUBJECT LINE MAKES THE LOG INTERESTING! -DEFANGED-[99]:YEAHAHAAAAEAHAHAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAA " " -DEFANGED-[99]:AAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHA " " -DEFANGED-[99]:HAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAA " " -DEFANGED-[99]:AAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAA " " AAAAAAAAAAAAAAAAH! To: Log test X-Sanitizer: This message has been sanitized! 
X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: MULTIPART/ALTERNATIVE; boundary=abcdefg Content-Transfer-Encoding: 8bit --abcdefg Content-type: text/plain; charset=us-ascii Content-disposition: inline Content-transfer-encoding: Base64 VGhpcyBpcyBhIHRleHQgdGVzdC4gIEhlcmUgY29tZXMgdGhlIGxvZy4uLiBJIGhvcGUu --abcdefg Content-type: text/html; charset=us-ascii Content-disposition: inline Content-transfer-encoding: 7bit blah Here comes the log, I hope: --abcdefg-- *** Exit code was 0 *** ######### feat_log_inline = 1, feat_log_after = 0 ########## From bre Fri Jan 30 03:37:34 1998 Date: Wed, 13 Dec 2000 17:13:26 +0800 From: Log test Subject: THIS LONG SUBJECT LINE MAKES THE LOG INTERESTING! -DEFANGED-[99]:YEAHAHAAAAEAHAHAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAA " " -DEFANGED-[99]:AAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHA " " -DEFANGED-[99]:HAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAA " " -DEFANGED-[99]:AAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAA " " AAAAAAAAAAAAAAAAH! To: Log test X-Sanitizer: This message has been sanitized! 
X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: MULTIPART/ALTERNATIVE; boundary=abcdefg Content-Transfer-Encoding: 8bit --abcdefg Content-type: text/plain; charset=us-ascii Content-disposition: inline Content-transfer-encoding: Base64 --abcdefg Content-type: text/html; charset=us-ascii Content-disposition: inline Content-transfer-encoding: 7bit blah Here comes the log, I hope:

This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken.


Sanitizer (start="0"):
  Split unusually long word(s) in header.
  Fixed invalid/unusable part encoding.
  Part (pos="1361"):
    SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
      Match (names="unnamed.txt", rule="2"):
        Enforced policy: accept

    Total modifications so far: 2

  Part (pos="1555"):
    SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):
      Match (names="unnamed.html, filetype.html", rule="2"):
        Enforced policy: accept


--abcdefg-- *** Exit code was 0 *** ######### feat_log_inline = 2, feat_log_after = 0 ########## From bre Fri Jan 30 03:37:34 1998 Date: Wed, 13 Dec 2000 17:13:26 +0800 From: Log test Subject: THIS LONG SUBJECT LINE MAKES THE LOG INTERESTING! -DEFANGED-[99]:YEAHAHAAAAEAHAHAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAA " " -DEFANGED-[99]:AAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHA " " -DEFANGED-[99]:HAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAA " " -DEFANGED-[99]:AAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAA " " AAAAAAAAAAAAAAAAH! To: Log test X-Sanitizer: This message has been sanitized! 
X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="Test_Wrapper_Boundary" Content-Transfer-Encoding: 8bit --Test_Wrapper_Boundary Content-Type: MULTIPART/ALTERNATIVE; boundary=abcdefg Content-Transfer-Encoding: 8bit --abcdefg Content-type: text/plain; charset=us-ascii Content-disposition: inline Content-transfer-encoding: Base64 VGhpcyBpcyBhIHRleHQgdGVzdC4gIEhlcmUgY29tZXMgdGhlIGxvZy4uLiBJIGhvcGUu --abcdefg Content-type: text/html; charset=us-ascii Content-disposition: inline Content-transfer-encoding: 7bit blah Here comes the log, I hope: --abcdefg-- --Test_Wrapper_Boundary Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): Forcing message to be multipart/mixed, to facilitate logging. Writer (pos="1350"): Split unusually long word(s) in header. Part (pos="1374"): Fixed invalid/unusable part encoding. Part (pos="110"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Part (pos="304"): SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"): Match (names="unnamed.html, filetype.html", rule="2"): Enforced policy: accept Total modifications so far: 2 --Test_Wrapper_Boundary-- *** Exit code was 0 *** ######### feat_log_inline = 0, feat_log_after = 50 ########## From bre Fri Jan 30 03:37:34 1998 Date: Wed, 13 Dec 2000 17:13:26 +0800 From: Log test Subject: THIS LONG SUBJECT LINE MAKES THE LOG INTERESTING! 
-DEFANGED-[99]:YEAHAHAAAAEAHAHAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAA " " -DEFANGED-[99]:AAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHA " " -DEFANGED-[99]:HAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAA " " -DEFANGED-[99]:AAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAA " " AAAAAAAAAAAAAAAAH! To: Log test X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: MULTIPART/ALTERNATIVE; boundary=abcdefg Content-Transfer-Encoding: 8bit --abcdefg Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit Content-Disposition: inline Content-Junk: SCRATCH_102 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX This is a text test. Here comes the log... I hope. 
--abcdefg Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Content-Junk: SCRATCH_103 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX blah Here comes the log, I hope: --abcdefg-- *** Exit code was 0 *** ######### feat_log_inline = 1, feat_log_after = 50 ########## From bre Fri Jan 30 03:37:34 1998 Date: Wed, 13 Dec 2000 17:13:26 +0800 From: Log test Subject: THIS LONG SUBJECT LINE MAKES THE LOG INTERESTING! -DEFANGED-[99]:YEAHAHAAAAEAHAHAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAA " " -DEFANGED-[99]:AAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHA " " -DEFANGED-[99]:HAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAA " " -DEFANGED-[99]:AAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAA " " AAAAAAAAAAAAAAAAH! To: Log test X-Sanitizer: This message has been sanitized! 
X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: MULTIPART/ALTERNATIVE; boundary=abcdefg Content-Transfer-Encoding: 8bit --abcdefg Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit Content-Disposition: inline Content-Junk: SCRATCH_102 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX This is a text test. Here comes the log... I hope. -- This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): Split unusually long word(s) in header. Fixed invalid/unusable part encoding. Part (pos="1361"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Fixed invalid/unusable part encoding. Added 50 bytes of scratch space. Total modifications so far: 4 --abcdefg Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Content-Junk: SCRATCH_103 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX blah Here comes the log, I hope:

This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken.


Sanitizer (start="0"):
  Split unusually long word(s) in header.
  Fixed invalid/unusable part encoding.
  Part (pos="1361"):
    SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
      Match (names="unnamed.txt", rule="2"):
        Enforced policy: accept

    Fixed invalid/unusable part encoding.
    Added 50 bytes of scratch space.
    Total modifications so far: 4

  Part (pos="1555"):
    SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"):
      Match (names="unnamed.html, filetype.html", rule="2"):
        Enforced policy: accept

    Added 50 bytes of scratch space.
    Total modifications so far: 5


--abcdefg-- *** Exit code was 0 *** ######### feat_log_inline = 2, feat_log_after = 50 ########## From bre Fri Jan 30 03:37:34 1998 Date: Wed, 13 Dec 2000 17:13:26 +0800 From: Log test Subject: THIS LONG SUBJECT LINE MAKES THE LOG INTERESTING! -DEFANGED-[99]:YEAHAHAAAAEAHAHAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAA " " -DEFANGED-[99]:AAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHA " " -DEFANGED-[99]:HAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAAAAAAA " " -DEFANGED-[99]:AAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAAAAAAAAAAAAAAAEAHAHAAAA " " AAAAAAAAAAAAAAAAH! To: Log test X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="Test_Wrapper_Boundary" Content-Transfer-Encoding: 8bit --Test_Wrapper_Boundary Content-Type: MULTIPART/ALTERNATIVE; boundary=abcdefg Content-Transfer-Encoding: 8bit --abcdefg Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 8bit Content-Disposition: inline Content-Junk: SCRATCH_102 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX This is a text test. Here comes the log... I hope. 
--abcdefg Content-Type: text/html; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline Content-Junk: SCRATCH_103 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX blah Here comes the log, I hope: --abcdefg-- --Test_Wrapper_Boundary Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" Content-Junk: SCRATCH_104 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): Forcing message to be multipart/mixed, to facilitate logging. Writer (pos="1350"): Split unusually long word(s) in header. Part (pos="1374"): Fixed invalid/unusable part encoding. Part (pos="110"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): Enforced policy: accept Fixed invalid/unusable part encoding. Added 50 bytes of scratch space. Part (pos="304"): SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"): Match (names="unnamed.html, filetype.html", rule="2"): Enforced policy: accept Added 50 bytes of scratch space. Total modifications so far: 5 Added 50 bytes of scratch space. 
--Test_Wrapper_Boundary-- *** Exit code was 0 ***
sanitizer-1.76/testcases/results.def/sanitizer.mime_depth.ok
From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Subject: Clean multipart/mixed test case with a very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very very long harmless subject. Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" trailing= X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain Content-Transfer-Encoding: 8bit blah blah --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-99; x-mac-creator=5068466C; x-mac-type=4A504547 Content-Disposition: attachment; filename="20802160428.jpg" --=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU Content-Type: application/applefile; x-mac-creator="5068466C"; x-mac-type="4A504547" Content-Disposition: attachment; Content-Transfer-Encoding: base64
--=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU Content-Type: application/octet-stream; x-mac-creator="5068466C"; x-mac-type="4A504547" Content-Disposition: attachment; filename="20802160428.jpg" Content-Transfer-Encoding: base64 --=ABACAB:=_0005@@P6505M9FyrTJqS3QJpeU-- --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Enforced policy: %name% Exceeded maximum allowed MIME nesting depth.
Dropped empty MIME field: %field% Total modifications so far: %total% --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- *** Exit code was 0 *** sanitizer-1.76/testcases/results.def/sanitizer.partial.ok0000644000175000017500000000514110046711774022003 0ustar agiagiFrom xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/DEFANGED-99; id=test; number=1; total=2 Content-Transfer-Encoding: 8bit From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> Sender: xxx@example.com To: fake@example.com Content-Type: application/DEFANGED-100 Content-Disposition: attachment; filename="evil_com.DEFANGED-100" Evil dot com! --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): Part (pos="533"): Defanged dangerous message/partial encoding. 
Part (pos="93"): SanitizeFile (filename="evil.com", mimetype="text/plain"): Match (names="evil.com", rule="7"): Enforced policy: defang Replaced mime type with: application/DEFANGED-100 Replaced file name with: evil_com.DEFANGED-100 Total modifications so far: 2 --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> Sender: xxx@example.com To: fake@example.com X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: application/DEFANGED-99; id=test; number=2; total=2 Content-Transfer-Encoding: 8bit More evil! sanitizer-1.76/testcases/results.def/sanitizer.pgptext.ok0000644000175000017500000000603110356111156022031 0ustar agiagiFrom xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: Testing version 1.58 To: fake@example.com Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Sanitizer: This message has been sanitized! 
X-Sanitizer-URL: http://mailtools.anomy.net/ -----BEGIN PGP MESSAGE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org hQEOA1USfm+7kflAEAP8DDDl0gai5IiMzT2h8cCDsmdAfuTmOPHmU+Ztfwk4ES5a WBYqnDFmjwRgemo2kHZ6Zzy1va8sUeOg33or9Cnaz78cIuk9dt0rhKZpeXlt80HT QKVJoVqeiSkOfpktRwhH3igJHcjAx5SNFq6BwL6ku/vj2rQHtIe1qBq2t5QWdGUE AJfMg3kNHKIY2ww98sI4NpBIO9HPIOJ5+Yn137PwbIkoomvuxEX7NpUW nusrKdWnrD0dlgfbIt743D/hU38tjv2M1yoLJygA3RjryM4Tp+uzKMVC+9RyoyXE MK9ZBoSihWDuFhWi/2NergXF0cM2zN87vNGhVNP5w1ZchQEOA/W9zIlSOtkfEAP9 =38M2 -----END PGP MESSAGE----- -- This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="9"): Enforced policy: accept Note: Scripting languages, embedded objects and other "advanced" features are the primary security risks in HTML. Rewrote HTML tag: >>_object_<< as: >>_DEFANGED_object_<< Total modifications so far: 1 *** Exit code was 0 *** From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: Testing version 1.58 To: fake@example.com Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ WARNING: The following data has NOT been sanitized, to ensure that the signature remains intact, if valid. Please be careful if you open any enclosed attachments. 
-----BEGIN PGP MESSAGE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: For info see http://www.gnupg.org hQEOA1USfm+7kflAEAP8DDDl0gai5IiMzT2h8cCDsmdAfuTmOPHmU+Ztfwk4ES5a WBYqnDFmjwRgemo2kHZ6Zzy1va8sUeOg33or9Cnaz78cIuk9dt0rhKZpeXlt80HT QKVJoVqeiSkOfpktRwhH3igJHcjAx5SNFq6BwL6ku/vj2rQHtIe1qBq2t5QWdGUE AJfMg3kNHKIY2ww98sI4NpBIO9HPIOJ5+Yn137PwbIkoomvuxEX7NpUW nusrKdWnrD0dlgfbIt743D/hU38tjv2M1yoLJygA3RjryM4Tp+uzKMVC+9RyoyXE MK9ZBoSihWDuFhWi/2NergXF0cM2zN87vNGhVNP5w1ZchQEOA/W9zIlSOtkfEAP9 =38M2 -----END PGP MESSAGE----- *** Exit code was 0 *** sanitizer-1.76/testcases/results.def/sanitizer.plugin.ok0000644000175000017500000001765010356254445021656 0ustar agiagifeat_boundaries = 0 feat_files = 1 feat_fixmime = 1 feat_force_name = 0 feat_forwards = 1 feat_html = 1 feat_html_noexe = 0 feat_html_paranoid = 0 feat_html_unknown = 0 feat_lengths = 1 feat_log_after = 0 feat_log_inline = 1 feat_log_stderr = 1 feat_log_trace = 0 feat_log_xml = 1 feat_mime_files = 0 feat_newlines = 0 feat_no_partial = 1 feat_paranoid = 0 feat_sane_names = 1 feat_scripts = 1 feat_testing = 1 feat_trust_pgp = 0 feat_uuencoded = 1 feat_verbose = 1 feat_webbugs = 0 file_characters = \ !\#\%\(\)\+,0-9;=\?A-Z\[\]_a-z\{\}\~¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖרÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ file_default_filename = unnamed.txt file_default_policy = defang file_list_1 = .* file_list_10 = 0 file_list_10_policy = 0 file_list_10_scanner = 0 file_list_11 = (?i)\.(z(ip|oo)|ar[cj]|lh[az]|[tr]ar|r\d\d|rpm|deb|slp|tgz|cab|iso|cif|uue?|jar)(\.[gb]?z\d?)?\.?$ file_list_11_policy = accept file_list_11_scanner = 0 file_list_12 = 0 file_list_12_policy = 0 file_list_12_scanner = 0 file_list_13 = (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])(\.[gb]?z\d?)?\.?$ file_list_13_policy = accept file_list_13_scanner = 0 file_list_14 = 0 file_list_14_policy = 0 file_list_14_scanner = 0 file_list_15 = 
(?i)\.(mbx|vcf|p7[sm]|ics|pgp|gpg|asc|3ds|arg|dwg|dxf|dwt|dng|dbf|dcl|lsp|mp[apdwe]|psd|prc|qt|stx|swf)(\.[gb]?z\d?)?\.?$ file_list_15_policy = accept file_list_15_scanner = 0 file_list_1_policy = drop:drop:drop:drop file_list_1_scanner = 0:1:2:builtin/bogus %FILENAME %REPLY_TO %ERRORS_TO %HEADER(subject) file_list_2 = 0 file_list_2_policy = 0 file_list_2_scanner = 0 file_list_3 = 0 file_list_3_policy = 0 file_list_3_scanner = 0 file_list_4 = 0 file_list_4_policy = 0 file_list_4_scanner = 0 file_list_5 = 0 file_list_5_policy = 0 file_list_5_scanner = 0 file_list_6 = 0 file_list_6_policy = 0 file_list_6_scanner = 0 file_list_7 = (?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]|lnk|dll)\.?$ file_list_7_policy = defang file_list_7_scanner = 0 file_list_8 = 0 file_list_8_policy = 0 file_list_8_scanner = 0 file_list_9 = (?i)\.(gif|tiff?|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx|fm)|fdf|fon|[ot]tf|bmp|ico|mp\d|wav|au|ram?|avi|mov|mpe?g|aif[fc]?|cda|midi?|asf|wm[avf]|t(xt|ex)|csv|l(og|yx)|ini|[ch](pp|\+\+)?|cc|hh|s|inc|asm|pa(tch|s)|java|php\d?|[ja]sp|[sp]?html?|css|xml)(\.[gb]?z\d?)?\.?$ file_list_9_policy = accept file_list_9_scanner = 0 file_list_rules = 1 file_name_tpl = ./tmp.plugin-test force_header_1 = MIME-Version: 1.0 force_header_10 = 0 force_header_2 = Content-Type: text/plain; charset="%DEF_CHARSET" force_header_3 = Subject: (no subject) force_header_4 = 0 force_header_5 = 0 force_header_6 = 0 force_header_7 = 0 force_header_8 = 0 force_header_9 = 0 force_headers = 0 header_info = X-Sanitizer: This message has been sanitized! 
header_rev = 0 header_url = X-Sanitizer-URL: http://mailtools.anomy.net/ html_cleaner_body = "tag:div" => "p" html_cleaner_header = html_evil_tags = UNUSED html_javascript = UNUSED max_conf_recursion = 5 max_mime_depth = 20 msg_blacklisted = BLACKLISTED msg_current = Current configuration:\n msg_defanged = DEFANGED msg_file_drop = ****\n msg_file_drop += NOTE: An attachment was deleted from this part of the message,\n msg_file_drop += because it failed one or more checks by the virus scanning system.\n msg_file_drop += See the attached sanitization log for more details or contact your\n msg_file_drop += system administrator.\n msg_file_drop += \n msg_file_drop += The removed attachment's name was:\n msg_file_drop += \n msg_file_drop += \t%FILENAME (evaluated as %CHECKEDNAME)\n msg_file_drop += \n msg_file_drop += It might be a good idea to contact the sender and warn them that\n msg_file_drop += their system is infected.\n msg_file_drop += ****\n msg_file_save = ****\n msg_file_save += NOTE: An attachment was deleted from this part of the message,\n msg_file_save += because it failed one or more checks by the virus scanning system.\n msg_file_save += The file has been quarantined on the mail server, with the following\n msg_file_save += file name:\n msg_file_save += \n msg_file_save += \t%SAVEDNAME\n msg_file_save += \n msg_file_save += The removed attachment's original name was:\n msg_file_save += \n msg_file_save += \t%FILENAME (evaluated as %CHECKEDNAME)\n msg_file_save += \n msg_file_save += It is recommended that you contact your system administrator if you\n msg_file_save += need access to the file. It might also be a good idea to contact the\n msg_file_save += sender, and warn them that their system may be infected.\n msg_file_save += ****\n msg_log_prefix = This message has been 'sanitized'. This means that potentially\n msg_log_prefix += dangerous content has been rewritten or removed. 
The following\n msg_log_prefix += log describes which actions were taken.\n msg_panic = UNUSED msg_pgp_warning = WARNING: The following data has NOT been sanitized, to ensure\n msg_pgp_warning += \s that the signature remains intact, if valid. Please\n msg_pgp_warning += \s be careful if you open any enclosed attachments.\n msg_pgp_warning += \n msg_signature = foo msg_usage = foo sanitizer_log_disp = attachment; filename="sanitizer.log" sanitizer_log_type = text/sanitizer-log; charset="iso-8859-1" score_bad = 0 score_bad_code = UNUSED score_panic = UNUSED score_panic_code = UNUSED system_io_file = IO::File system_mime_types = /etc/mime.types var_def_charset = iso-8859-1 From xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> Sender: xxx@example.com To: fake@example.com Subject: Plugin test case. X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" **** NOTE: An attachment was deleted from this part of the message, because it failed one or more checks by the virus scanning system. See the attached sanitization log for more details or contact your system administrator. The removed attachment's name was: unnamed.txt (evaluated as unnamed.txt) It might be a good idea to contact the sender and warn them that their system is infected. **** -- This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. 
Sanitizer (start="0"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="1"): ScanFile (file="./tmp.plugin-test"): Bogus scan routine invoked, args: 21d8eca957369f7fb1e23c50972dbe46c68bc5c7a74610a3b737d4fdeaed6d25, ./tmp.plugin-test, xxx@example.com, , Plugin test case. File was infected, the virus checker couldn't fix it. Enforced policy: drop Replaced file name with: DEFANGED-99.txt Total modifications so far: 1 *** Exit code was 0 *** sanitizer-1.76/testcases/results.def/sanitizer.rev1_58.ok0000644000175000017500000001354610356254445021551 0ustar agiagiFrom xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com Subject: Testing version 1.58 To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/html; charset="iso-8859-1" Content-Disposition: attachment Content-Transfer-Encoding: 8bit This file has no name, but is HTML. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: inline **** NOTE: An attachment was deleted from this part of the message, because it failed one or more checks by the virus scanning system. See the attached sanitization log for more details or contact your system administrator. The removed attachment's name was: evil.exe (evaluated as evil.exe) It might be a good idea to contact the sender and warn them that their system is infected. 
**** --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- This should get appended as postamble --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Disposition: attachment Content-Transfer-Encoding: quoted-printable This file has no name, but is text. Here's my QP test. =20 #!/bin/sh echo DEFANGED.100 exit #!/bin/sh [ "$1" =3D "-h" ] && cat <= test.log >test.out From xxx@example.com Thu Aug 3 07:32:10 2000 Return=2DPath: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message=2DId: <200008030639.GAA23780@example.com> MIME=2DVersion: 1.0 Sender: xxx@example.com Subject: Testing version 1.58 To: fake@example.com Content-Type: multipart/mixed; boundary=3D"=3DABACAB:=3D_0006@@UtD0uere5ZCI= rVlOp0vV" =2D=2D=3DABACAB:=3D_0006@@UtD0uere5ZCIrVlOp0vV Content=2DType: text/html; charset=3D"iso=2D8859=2D1" Content=2DDisposition: attachment Content=2DTransfer=2DEncoding: 8bit This file has no name, but is HTML. =2D=2D=3DABACAB:=3D_0006@@UtD0uere5ZCIrVlOp0vV=2D=2D Content=2DType: application/octet=2Dstream; charset=3D"evil" Content=2DDisposition: attachment; filename=3D"evil.exe" Content=2DTransfer=2DEncoding: 8bit this is a very evil file. =2D=2D=3DABACAB:=3D_0006@@UtD0uere5ZCIrVlOp0vV=2D=2D This should get appended as postamble =2D=2D=3DABACAB:=3D_0006@@UtD0uere5ZCIrVlOp0vV Content=2DType: text/plain; charset=3D"iso=2D8859=2D1"; format=3Dflowed Content=2DDisposition: attachment Content=2DTransfer=2DEncoding: quoted=2Dprintable This file has no name, but is text. Here's my QP test. =3D20 $QPDATA =2D=2D=3DABACAB:=3D_0006@@UtD0uere5ZCIrVlOp0vV Content=2DType: application/foobar; charset=3D"iso=2D8859=2D1" Content=2DDisposition: attachment Content=2DTransfer=2DEncoding: 8bit This file has no name, but is binary. 
=2D=2D=3DABACAB:=3D_0006@@UtD0uere5ZCIrVlOp0vV=2D=2D EOF echo "*** Exit code was $? ***" >>test.out exit 0 --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: application/foobar; charset="iso-8859-1"; name="unknown.000" Content-Transfer-Encoding: 8bit Content-Disposition: attachment This file has no name, but is binary. --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): Part (pos="563"): SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"): Match (rule="default"): Enforced policy: accept Part (pos="765"): SanitizeFile (filename="evil.exe", mimetype="application/octet-stream"): Match (names="evil.exe", rule="1"): Enforced policy: drop Replaced mime type with: text/plain Replaced file name with: DEFANGED-99.txt Part (pos="1053"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (rule="default"): Enforced policy: accept Defanged UNIX shell script(s). Part (pos="4075"): SanitizeFile (filename="unknown.000", mimetype="application/foobar"): No attachment name found, using default (unknown.000). Match (rule="default"): Enforced policy: accept Total modifications so far: 3 --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV-- *** Exit code was 0 *** sanitizer-1.76/testcases/results.def/sanitizer.rev1_60.ok0000644000175000017500000002553410356254446021543 0ustar agiagiDate: Tue, 27 May 2003 12:19:14 GMT From: aves-test-1054037954@bre.klaki.net Message-Id: <200305271219.h4RCJE921460@is105.filter.complex.is> To: bre@klaki.net Subject: Póstsíupróf (EXE skrá), beta0.is105.filter.complex.is, 12:19 27-05-2003Content-Type: multipart/mixed; boundary="filter-test-boundary" X-Sanitizer: This message has been sanitized! 
X-Sanitizer-URL: http://mailtools.anomy.net/ MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="MIMEStream=_+testing99" Content-Disposition: inline --MIMEStream=_+testing99 Content-Type: multipart/alternative; boundary="MIMEStream=_+testing100" Content-Disposition: inline --MIMEStream=_+testing100 Content-Type: text/un.known+foo; charset="iso-8859-1"; name="unknown.000" Content-Disposition: inline Þetta er tilraunaskeyti til að láta reyna á uppsetningu póstsíu fyrir bre@klaki.net, sent gegnum vélina beta0.is105.filter.complex.is. Þetta skeyti er með eitt viðhengi sem þykist vera .EXE skrá. -- Bjarni R. Einarsson / FRISK Software International --------------------------v-------------------------------------------- Email: xxx@xxxxx.is | Company home page: http://www.frisk.is/ Phone/SMS: +354-XXXXXXX | Personal home page: http://bre.klaki.net/ --MIMEStream=_+testing100 Content-Type: text/html; charset="iso-8859-1" Content-Disposition: inline Þetta er tilraunaskeyti til að láta reyna á uppsetningu póstsíu fyrir bre@klaki.net, sent gegnum vélina beta0.is105.filter.complex.is.

Þetta skeyti er með eitt viðhengi sem þykist vera .EXE skrá.

--
Bjarni R. Einarsson                      / FRISK Software International
--------------------------v--------------------------------------------
Email:     xxx@xxxxx.is   | Company home page:  http://www.frisk.is/
Phone/SMS: +354-XXXXXXX   | Personal home page: http://bre.klaki.net/
--MIMEStream=_+testing100-- --MIMEStream=_+testing99 Content-Type: text/plain; charset="iso-8859-1"; name="DEFANGED-102.txt" Content-Transfer-Encoding: 8bit Content-Disposition: inline; name="DEFANGED-102.txt" **** NOTE: An attachment was deleted from this part of the message, because it failed one or more checks by the virus scanning system. See the attached sanitization log for more details or contact your system administrator. The removed attachment's name was: foo.txt (evaluated as test.exe) It might be a good idea to contact the sender and warn them that their system is infected. **** --MIMEStream=_+testing99 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: inline **** NOTE: An attachment was deleted from this part of the message, because it failed one or more checks by the virus scanning system. See the attached sanitization log for more details or contact your system administrator. The removed attachment's name was: foo.txt (evaluated as unnamed.exe) It might be a good idea to contact the sender and warn them that their system is infected. **** --MIMEStream=_+testing99 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: inline Content-Description: Renamed from 'evil.exe' to 'DEFANGED-104.txt' **** NOTE: An attachment was deleted from this part of the message, because it failed one or more checks by the virus scanning system. See the attached sanitization log for more details or contact your system administrator. The removed attachment's name was: unnamed.txt (evaluated as evil.exe) It might be a good idea to contact the sender and warn them that their system is infected. **** --MIMEStream=_+testing99 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: inline Content-ID: **** NOTE: An attachment was deleted from this part of the message, because it failed one or more checks by the virus scanning system. 
See the attached sanitization log for more details or contact your system administrator. The removed attachment's name was: unnamed.txt (evaluated as evil.exe) It might be a good idea to contact the sender and warn them that their system is infected. **** --MIMEStream=_+testing99 Content-Type: application/pdf; charset="us-ascii" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="foo.txt" Content-ID: This is text file with a PDF MIME type. --MIMEStream=_+testing99 Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): ParseHeader (): Using aves-test-1054037954@bre.klaki.net as reply-to address. Using aves-test-1054037954@bre.klaki.net as errors address. Got MIME info: _boundpre="--", _disposition="inline", _encoding="8bit", _type="multipart/mixed", boundary="filter-test-boundary", charset="iso-8859-1", undecoded-boundary="filter-test-boundary" Finished parsing message header. 
Parsing body as multipart/* CleanMultipart Replaced MIME boundary: >>filter-test-boundary<< with: >>MIMEStream=_+testing99<< Writer (pos="394"): Set MIME info to: _boundpre="--", _disposition="inline", _encoding="8bit", _type="multipart/mixed", boundary="MIMEStream=_+testing99", charset="iso-8859-1", undecoded-boundary="filter-test-boundary" Total modifications so far: 7 ParserUnclosedMultipart Part (pos="417"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="inline", _encoding="8bit", _type="multipart/alternative", boundary="filter-test-2bound", charset="iso-8859-1", undecoded-boundary="filter-test-2bound" Parsing body as multipart/* CleanMultipart Replaced MIME boundary: >>filter-test-2bound<< with: >>MIMEStream=_+testing100<< Writer (pos="96"): Set MIME info to: _boundpre="--", _disposition="inline", _encoding="8bit", _type="multipart/alternative", boundary="MIMEStream=_+testing100", charset="iso-8859-1", undecoded-boundary="filter-test-2bound" ParserUnclosedMultipart Part (pos="117"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="inline", _encoding="8bit", _type="text/un.known+foo", boundary="", charset="iso-8859-1" Parsing body as text/* CleanUnknown CleanText SanitizeFile (filename="unknown.000", mimetype="text/un.known+foo"): No attachment name found, using default (unknown.000). 
Rule 1: .exe$ Match (rule="default"): Enforced policy: accept Writer (pos="81"): Set MIME info to: _boundpre="--", _disposition="inline", _encoding="8bit", _type="text/un.known+foo", boundary="", charset="iso-8859-1", name="unknown.000" Part (pos="704"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="inline", _encoding="8bit", _type="text/html", boundary="", charset="iso-8859-1" Parsing body as text/* CleanUnknown CleanText SanitizeFile (filename="unnamed.html, filetype.html", mimetype="text/html"): Rule 1: .exe$ Match (rule="default"): Enforced policy: accept Writer (pos="73"): Set MIME info to: _boundpre="--", _disposition="inline", _encoding="8bit", _type="text/html", boundary="", charset="iso-8859-1" Part (pos="1774"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="attachment", _encoding="8bit", _type="text/plain", boundary="", charset="us-ascii", filename="foo.txt", name="foo.txt" Parsing body as text/* CleanUnknown CleanText SanitizeFile (filename="foo.txt, test.exe, unnamed.txt", mimetype="text/plain"): Rule 1: .exe$ Match (names="test.exe", rule="1"): Enforced policy: drop Replaced file name with: DEFANGED-102.txt Writer (pos="-170"): Set MIME info to: _boundpre="--", _disposition="inline", _encoding="8bit", _id="", _type="text/plain", boundary="", charset="iso-8859-1", filename="DEFANGED-102.txt", name="DEFANGED-102.txt" Part (pos="2019"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="attachment", _encoding="8bit", _type="application/x-ms-dos-executable", boundary="", charset="us-ascii", filename="foo.txt" Parsing body as DEFAULT. 
CleanUnknown CleanText SanitizeFile (filename="foo.txt, unnamed.exe", mimetype="application/x-ms-dos-executable"): Rule 1: .exe$ Match (names="unnamed.exe", rule="1"): Enforced policy: drop Replaced mime type with: text/plain Replaced file name with: DEFANGED-103.txt Writer (pos="-206"): Set MIME info to: _boundpre="--", _disposition="inline", _encoding="8bit", _id="", _type="text/plain", boundary="", charset="iso-8859-1", filename="DEFANGED-103.txt", name="DEFANGED-103.txt" Part (pos="2231"): ParseHeader (): Got MIME info: _boundpre="--", _description="evil.exe", _disposition="attachment", _encoding="8bit", _type="text/plain", boundary="", charset="us-ascii" Parsing body as text/* CleanUnknown CleanText SanitizeFile (filename="unnamed.txt, evil.exe", mimetype="text/plain"): Rule 1: .exe$ Match (names="evil.exe", rule="1"): Enforced policy: drop Replaced file name with: DEFANGED-104.txt Writer (pos="-220"): Set MIME info to: _boundpre="--", _description="Renamed from 'evil.exe' to 'DEFANGED-104.txt'", _disposition="inline", _encoding="8bit", _id="", _type="text/plain", boundary="", charset="iso-8859-1" Part (pos="2430"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="attachment", _encoding="8bit", _id=">", _type="text/plain", boundary="", charset="us-ascii" Parsing body as text/* CleanUnknown CleanText SanitizeFile (filename="unnamed.txt, evil.exe", mimetype="text/plain"): Rule 1: .exe$ Match (names="evil.exe", rule="1"): Enforced policy: drop Replaced file name with: DEFANGED-105.txt Writer (pos="-226"): Set MIME info to: _boundpre="--", _disposition="inline", _encoding="8bit", _id="", _type="text/plain", boundary="", charset="iso-8859-1" Part (pos="2623"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="attachment", _encoding="8bit", _id="", _type="application/pdf", boundary="", charset="us-ascii", filename="foo.txt" Parsing body as DEFAULT. 
CleanUnknown CleanText SanitizeFile (filename="foo.txt, unnamed.pdf", mimetype="application/pdf"): Rule 1: .exe$ Match (rule="default"): Enforced policy: accept Writer (pos="158"): Set MIME info to: _boundpre="--", _disposition="attachment", _encoding="8bit", _id="", _type="application/pdf", boundary="", charset="us-ascii", filename="foo.txt", name="foo.txt" --MIMEStream=_+testing99-- *** Exit code was 0 *** sanitizer-1.76/testcases/results.def/sanitizer.rev1_64.ok0000644000175000017500000000741510356254446021545 0ustar agiagiDate: Tue, 27 May 2003 12:19:14 GMT From: aves-test-1054037954@bre.klaki.net Message-Id: <200305271219.h4JE921460@is105.filter.complex.is> To: bre@klaki.net Subject: This is annoying Content-Type: multipart/mixed; boundary="filter-test-boundary" X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ --filter-test-boundary Content-Type: text/plain; filename="elephant.txt" begin_2004 with a kick to the head! Yes indeed - this would cuase infinit loops before, hope it doesn't do so no mo'. --filter-test-boundary Content-Type: text/plain; filename="stupid.pdf" Content-Disposition: inline Content-Transfer-Encoding: Quoted-Printable This is fake binary data which should: a) Be treated as Quoted-Printable from a system with CRLF as the newline standard. b) Be output as Base64 data, so it makes it intact to the recipient. --filter-test-boundary Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): ParseHeader (): Using aves-test-1054037954@bre.klaki.net as reply-to address. Using aves-test-1054037954@bre.klaki.net as errors address. 
Got MIME info: _boundpre="--", _disposition="inline", _encoding="8bit", _type="multipart/mixed", boundary="filter-test-boundary", charset="iso-8859-1", undecoded-boundary="filter-test-boundary" Finished parsing message header. Parsing body as multipart/* CleanMultipart ParserUnclosedMultipart Part (pos="271"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="inline", _encoding="8bit", _type="text/plain", boundary="", charset="iso-8859-1", filename="elephant.txt" Parsing body as text/* CleanUnknown CleanText SanitizeFile (filename="elephant.txt", mimetype="text/plain"): Rule 1: (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))|(ants3set|wtc|readme|sslpatch)\.exe)\.?$ Rule 5: (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])$ Rule 7: (?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]|lnk|dll)\.?$ Rule 9: (?i)\.(gif|tiff?|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx|fm)|fdf|fon|[ot]tf|bmp|ico|mp\d|wav|au|ram?|avi|mov|mpe?g|aif[fc]?|cda|midi?|asf|wm[avf]|t(xt|ex)|csv|l(og|yx)|ini|[ch](pp|\+\+)?|cc|hh|s|inc|asm|pa(tch|s)|java|php\d?|[ja]sp|[sp]?html?|css|xml)(\.[gb]?z\d?)?\.?$ Match (names="elephant.txt", rule="9"): Enforced policy: accept Escaped invalid uuencode preamble (http://www.rodos.net/outlook/#begin) Part (pos="465"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="inline", _encoding="quoted-printable", _type="text/plain", boundary="", charset="iso-8859-1", filename="stupid.pdf" Parsing body as text/* CleanUnknown CleanText SanitizeFile (filename="stupid.pdf", mimetype="text/plain"): Rule 1: (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))|(ants3set|wtc|readme|sslpatch)\.exe)\.?$ Rule 5: (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])$ Rule 7: (?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]|lnk|dll)\.?$ Rule 9: 
(?i)\.(gif|tiff?|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx|fm)|fdf|fon|[ot]tf|bmp|ico|mp\d|wav|au|ram?|avi|mov|mpe?g|aif[fc]?|cda|midi?|asf|wm[avf]|t(xt|ex)|csv|l(og|yx)|ini|[ch](pp|\+\+)?|cc|hh|s|inc|asm|pa(tch|s)|java|php\d?|[ja]sp|[sp]?html?|css|xml)(\.[gb]?z\d?)?\.?$ Match (names="stupid.pdf", rule="9"): Enforced policy: accept Total modifications so far: 1 --filter-test-boundary-- *** Exit code was 0 *** sanitizer-1.76/testcases/results.def/sanitizer.rev1_71.ok0000644000175000017500000002270510356254446021542 0ustar agiagiMessage-Id: X-Mailer: Novell GroupWise Internet Agent 6.5.3 Date: Wed, 25 May 2005 06:37:24 -0400 From: "Reilly" To: , , Subject: Fwd: FW: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=__Part9FBC4474.1__=" X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ --=__Part9FBC4474.1__= Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Transfer-Encoding: quoted-printable Content-Disposition: inline >>> Barb 5/5/2005 5:20 PM >>> ---------- Forwarded message ---------- From: jolura@roobc.com =0ADate: May 3, 2005 9:13 AM=0ASub= ject: FW:=0ATo: barance@gxmail.com, dood@zbeo.com, deek@x.mail.co.uk,=0Aken= all@rors.om, sylvia@yahoo.ct =0A=0A= Ever wonder what stuffed animals do when you're not watching? __________________________________________________________________________= ________________________________________________________ This e-mail may be privileged and/or confidential, and the sender does not waive any related rights and obligations. Any distribution, use or copying of this e-mail or the information it contains by other than an intended recipient is unauthorized. If you received this e-mail in error, please advise me (by return e-mail or otherwise) immediately. Ce courrier =E9lectronique est confidentiel et prot=E9g=E9. L'exp=E9diteur = ne renonce pas aux droits et obligations qui s'y rapportent. 
Toute diffusion, utilisation ou copie de ce message ou des renseignements qu'il contient par une personne autre que le (les) destinataire(s) d=E9sign=E9(s) est interdite. Si vous recevez ce courrier =E9lectronique par erreur, veuillez m'en aviser imm=E9diatement, par retour de courrier =E9lectronique ou par un autre moyen. This message is intended only for the addressee, it may contain privileged and/or confidential information. Any unauthorized disclosure is strictly prohibited. If you have received this message in error, please notify us immediately so that we may correct our internal records. Please then delete the original message. E-mail transmissions cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of this e-mail transmission. If verification is required please request a hard-copy version. Thank you. 
--=__Part9FBC4474.1__= Content-Type: video/mpeg; name="Blaupunkt_Pimp_my_Rid_422B9.mpg" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="Blaupunkt_Pimp_my_Rid_422B9.mpg"
--=__Part9FBC4474.1__= Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): ParseHeader (): Using "Reilly" as reply-to address. Using "Reilly" as errors address. Got MIME info: _boundpre="--", _disposition="inline", _encoding="8bit", _type="multipart/mixed", boundary="=__Part9FBC4474.1__=", charset="iso-8859-1", undecoded-boundary="=__Part9FBC4474.1__=" Finished parsing message header.
Parsing body as multipart/* CleanMultipart ParserUnclosedMultipart Part (pos="338"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="inline", _encoding="quoted-printable", _type="text/plain", boundary="", charset="ISO-8859-1" Parsing body as text/* CleanUnknown CleanText SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Rule 1: (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))|(ants3set|wtc|readme|sslpatch)\.exe)\.?$ Rule 5: (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])$ Rule 7: (?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]|lnk|dll)\.?$ Rule 9: (?i)\.(gif|tiff?|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx|fm)|fdf|fon|[ot]tf|bmp|ico|mp\d|wav|au|ram?|avi|mov|mpe?g|aif[fc]?|cda|midi?|asf|wm[avf]|t(xt|ex)|csv|l(og|yx)|ini|[ch](pp|\+\+)?|cc|hh|s|inc|asm|pa(tch|s)|java|php\d?|[ja]sp|[sp]?html?|css|xml)(\.[gb]?z\d?)?\.?$ Match (names="unnamed.txt", rule="9"): Enforced policy: accept ParserForwardedMessage Part (pos="259"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="inline", _encoding="8bit", _type="text/plain", boundary="", charset="iso-8859-1" Parsing body as text/* CleanUnknown CleanText SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Rule 1: (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))|(ants3set|wtc|readme|sslpatch)\.exe)\.?$ Rule 5: (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])$ Rule 7: (?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]|lnk|dll)\.?$ Rule 9: (?i)\.(gif|tiff?|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx|fm)|fdf|fon|[ot]tf|bmp|ico|mp\d|wav|au|ram?|avi|mov|mpe?g|aif[fc]?|cda|midi?|asf|wm[avf]|t(xt|ex)|csv|l(og|yx)|ini|[ch](pp|\+\+)?|cc|hh|s|inc|asm|pa(tch|s)|java|php\d?|[ja]sp|[sp]?html?|css|xml)(\.[gb]?z\d?)?\.?$ Match (names="unnamed.txt", rule="9"): Enforced policy: accept Part (pos="2556"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="attachment", 
_encoding="base64", _type="video/mpeg", boundary="", charset="iso-8859-1", filename="Blaupunkt_Pimp_my_Rid_422B9.mpg", name="Blaupunkt_Pimp_my_Rid_422B9.mpg" Parsing body as DEFAULT. CleanUnknown SanitizeFile (filename="Blaupunkt_Pimp_my_Rid_422B9.mpg", mimetype="video/mpeg"): Rule 1: (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))|(ants3set|wtc|readme|sslpatch)\.exe)\.?$ Rule 5: (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])$ Rule 7: (?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]|lnk|dll)\.?$ Rule 9: (?i)\.(gif|tiff?|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx|fm)|fdf|fon|[ot]tf|bmp|ico|mp\d|wav|au|ram?|avi|mov|mpe?g|aif[fc]?|cda|midi?|asf|wm[avf]|t(xt|ex)|csv|l(og|yx)|ini|[ch](pp|\+\+)?|cc|hh|s|inc|asm|pa(tch|s)|java|php\d?|[ja]sp|[sp]?html?|css|xml)(\.[gb]?z\d?)?\.?$ Match (names="Blaupunkt_Pimp_my_Rid_422B9.mpg", rule="9"): Enforced policy: accept ParserCat --=__Part9FBC4474.1__=-- *** Exit code was 0 *** sanitizer-1.76/testcases/results.def/sanitizer.rev1_75.ok0000644000175000017500000002263010356254446021543 0ustar agiagiMessage-Id: X-Mailer: Novell GroupWise Internet Agent 6.5.3 Date: Wed, 25 May 2005 06:37:24 -0400 From: "Reilly" To: , , Subject: Fwd: FW: Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=__Part9FBC4474.1__=" X-Sanitizer: This message has been sanitized! X-Sanitizer-URL: http://mailtools.anomy.net/ --=__Part9FBC4474.1__= Content-Type: application/DEFANGED-99; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: inline MZevilfile in disguise! --=__Part9FBC4474.1__= Content-Type: application/DEFANGED-100; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="homey_pdf.DEFANGED-100" This is neither an HTML file nor a PDF. 
--=__Part9FBC4474.1__= Content-Type: application/DEFANGED-101; charset="ISO-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="homey_jpg.DEFANGED-101" This isn not a jpeg. --=__Part9FBC4474.1__= Content-Type: application/DEFANGED-102; charset="ISO-8859-1" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="wmf-file_jpg.DEFANGED-102" AQAJAAADUh8AAAYAPQAAAAAAEQAAACYGDwAYAP//////ABAAAAAAAAAAAADAA4UA 0AIAAAkAAAAmBg8ACAD/////AgAAABcAAAAmBg8AIwD/////BAAbAFROUFAUACAA uAAyBgAA//9PABQAAABNAGkAAAAKAAAAJgYPAAoAVE5QUAAAAgD0AwkAAAAmBg8A CAD/////AwAAAA8AAAAmBg8AFABUTlBQBAAMAAEAAAABAAAAAAAAAAUAAAALAgAA AAAFAAAADALQAsADBAAAAAQBDQAHAAAA/AIAAAAAZgAAAAQAAAAtAQAACQAAAPoC --=__Part9FBC4474.1__= Content-Type: application/DEFANGED-103; charset="ISO-8859-1" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="wmf-file2_jpg.DEFANGED-103" AQAJAAADUh8AAAYAPQAAAAAAEQAAACYGDwAYAP//////ABAAAAAAAAAAAADAA4UA 0AIAAAkAAAAmBg8ACAD/////AgAAABcAAAAmBg8AIwD/////BAAbAFROUFAUACAA uAAyBgAA//9PABQAAABNAGkAAAAKAAAAJgYPAAoAVE5QUAAAAgD0AwkAAAAmBg8A CAD/////AwAAAA8AAAAmBg8AFABUTlBQBAAMAAEAAAABAAAAAAAAAAUAAAALAgAA AAAFAAAADALQAsADBAAAAAQBDQAHAAAA/AIAAAAAZgAAAAQAAAAtAQAACQAAAPoC --=__Part9FBC4474.1__= Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): ParseHeader (): Using "Reilly" as reply-to address. Using "Reilly" as errors address. Got MIME info: _boundpre="--", _disposition="inline", _encoding="8bit", _type="multipart/mixed", boundary="=__Part9FBC4474.1__=", charset="iso-8859-1", undecoded-boundary="=__Part9FBC4474.1__=" Finished parsing message header. 
Parsing body as multipart/* CleanMultipart ParserUnclosedMultipart Part (pos="338"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="inline", _encoding="8bit", _type="text/plain", boundary="", charset="ISO-8859-1" Parsing body as text/* CleanUnknown CleanText SanitizeFile (filename="unnamed.txt, filetype.exe", mimetype="text/plain"): Rule 1: (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))|(ants3set|wtc|readme|sslpatch)\.exe)\.?$ Rule 5: (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])$ Rule 7: (?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]|lnk|dll)\.?$ Match (names="filetype.exe", rule="7"): Enforced policy: defang Replaced mime type with: application/DEFANGED-99 Replaced file name with: filetype_exe.DEFANGED-99 Writer (pos="106"): Set MIME info to: _boundpre="--", _disposition="inline", _encoding="8bit", _id="", _type="application/DEFANGED-99", boundary="", charset="ISO-8859-1" Part (pos="492"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="attachment", _encoding="8bit", _type="image/jpeg", boundary="", charset="ISO-8859-1", filename="homey.pdf" Parsing body as DEFAULT. CleanUnknown SanitizeFile (filename="homey.pdf", mimetype="image/jpeg"): Rule 1: (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))|(ants3set|wtc|readme|sslpatch)\.exe)\.?$ Rule 5: (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])$ Rule 7: (?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]|lnk|dll)\.?$ Rule 9: (?i)\.(gif|tiff?|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx|fm)|fdf|fon|[ot]tf|bmp|ico|mp\d|wav|au|ram?|avi|mov|mpe?g|aif[fc]?|cda|midi?|asf|wm[avf]|t(xt|ex)|csv|l(og|yx)|ini|[ch](pp|\+\+)?|cc|hh|s|inc|asm|pa(tch|s)|java|php\d?|[ja]sp|[sp]?html?|css|xml)(\.[gb]?z\d?)?\.?$ Match (names="homey.pdf", rule="9"): Enforced policy: accept File name doesn't match MIME type, defanging. 
Replaced mime type with: application/DEFANGED-100 Replaced file name with: homey_pdf.DEFANGED-100 Writer (pos="133"): Set MIME info to: _boundpre="--", _disposition="attachment", _encoding="8bit", _type="application/DEFANGED-100", boundary="", charset="ISO-8859-1", filename="homey_pdf.DEFANGED-100", name="homey_pdf.DEFANGED-100" ParserCat Part (pos="689"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="attachment", _encoding="8bit", _type="text/plain", boundary="", charset="ISO-8859-1", filename="homey.jpg" Parsing body as text/* CleanUnknown CleanText SanitizeFile (filename="homey.jpg", mimetype="text/plain"): Rule 1: (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))|(ants3set|wtc|readme|sslpatch)\.exe)\.?$ Rule 5: (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])$ Rule 7: (?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]|lnk|dll)\.?$ Rule 9: (?i)\.(gif|tiff?|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx|fm)|fdf|fon|[ot]tf|bmp|ico|mp\d|wav|au|ram?|avi|mov|mpe?g|aif[fc]?|cda|midi?|asf|wm[avf]|t(xt|ex)|csv|l(og|yx)|ini|[ch](pp|\+\+)?|cc|hh|s|inc|asm|pa(tch|s)|java|php\d?|[ja]sp|[sp]?html?|css|xml)(\.[gb]?z\d?)?\.?$ Match (names="homey.jpg", rule="9"): Enforced policy: accept File name doesn't match file contents, defanging. Replaced mime type with: application/DEFANGED-101 Replaced file name with: homey_jpg.DEFANGED-101 Writer (pos="133"): Set MIME info to: _boundpre="--", _disposition="attachment", _encoding="8bit", _type="application/DEFANGED-101", boundary="", charset="ISO-8859-1", filename="homey_jpg.DEFANGED-101", name="homey_jpg.DEFANGED-101" Part (pos="867"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="attachment", _encoding="base64", _type="image/jpeg", boundary="", charset="ISO-8859-1", filename="wmf-file.jpg" Parsing body as DEFAULT. 
CleanUnknown SanitizeFile (filename="wmf-file.jpg, filetype.wmf", mimetype="image/jpeg"): Rule 1: (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))|(ants3set|wtc|readme|sslpatch)\.exe)\.?$ Rule 5: (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])$ Rule 7: (?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]|lnk|dll)\.?$ Rule 9: (?i)\.(gif|tiff?|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx|fm)|fdf|fon|[ot]tf|bmp|ico|mp\d|wav|au|ram?|avi|mov|mpe?g|aif[fc]?|cda|midi?|asf|wm[avf]|t(xt|ex)|csv|l(og|yx)|ini|[ch](pp|\+\+)?|cc|hh|s|inc|asm|pa(tch|s)|java|php\d?|[ja]sp|[sp]?html?|css|xml)(\.[gb]?z\d?)?\.?$ Match (names="wmf-file.jpg, filetype.wmf", rule="9"): Enforced policy: accept File name doesn't match file contents, defanging. Replaced mime type with: application/DEFANGED-102 Replaced file name with: wmf-file_jpg.DEFANGED-102 Writer (pos="138"): Set MIME info to: _boundpre="--", _disposition="attachment", _encoding="base64", _type="application/DEFANGED-102", boundary="", charset="ISO-8859-1", filename="wmf-file_jpg.DEFANGED-102", name="wmf-file_jpg.DEFANGED-102" ParserCat Part (pos="1354"): ParseHeader (): Got MIME info: _boundpre="--", _disposition="attachment", _encoding="base64", _type="image/jpeg", boundary="", charset="ISO-8859-1", filename="wmf-file2.jpg" Parsing body as DEFAULT. 
CleanUnknown SanitizeFile (filename="wmf-file2.jpg, filetype.wmf", mimetype="image/jpeg"): Rule 1: (?i)(\.([0-9a-z_]{2,4}\.(com|exe|pif|lnk|bat|sc[rt]|vb[se]?))|(ants3set|wtc|readme|sslpatch)\.exe)\.?$ Rule 5: (?i)\.(do[tc]|xl[aswct]|p[po]t|pps|rtf|md[abw])$ Rule 7: (?i)\.(exe|com|cmd|bat|sys|vb[se]?|hta|shb|shs|hlp|chm|eml|ocx|wsf|wsh|js|msi|msp|cpl|lib|pif|sc[rt]|lnk|dll)\.?$ Rule 9: (?i)\.(gif|tiff?|jpe?g|pn[mg]|x[pb]m|dvi|e?ps|p(df|cx|fm)|fdf|fon|[ot]tf|bmp|ico|mp\d|wav|au|ram?|avi|mov|mpe?g|aif[fc]?|cda|midi?|asf|wm[avf]|t(xt|ex)|csv|l(og|yx)|ini|[ch](pp|\+\+)?|cc|hh|s|inc|asm|pa(tch|s)|java|php\d?|[ja]sp|[sp]?html?|css|xml)(\.[gb]?z\d?)?\.?$ Match (names="wmf-file2.jpg, filetype.wmf", rule="9"): Enforced policy: accept File name doesn't match file contents, defanging. Replaced mime type with: application/DEFANGED-103 Replaced file name with: wmf-file2_jpg.DEFANGED-103 Writer (pos="139"): Set MIME info to: _boundpre="--", _disposition="attachment", _encoding="base64", _type="application/DEFANGED-103", boundary="", charset="ISO-8859-1", filename="wmf-file2_jpg.DEFANGED-103", name="wmf-file2_jpg.DEFANGED-103" ParserCat Total modifications so far: 5 --=__Part9FBC4474.1__=-- *** Exit code was 0 *** sanitizer-1.76/testcases/results.def/sanitizer.rfc822.ok0000644000175000017500000000332310046711775021356 0ustar agiagiFrom xxx@example.com Thu Aug 3 07:32:10 2000 Return-Path: Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT From: xxx@example.com Date: Thu, 3 Aug 2000 06:39:59 GMT Message-Id: <200008030639.GAA23780@example.com> MIME-Version: 1.0 Sender: xxx@example.com To: fake@example.com Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV" X-Sanitizer: This message has been sanitized! 
X-Sanitizer-URL: http://mailtools.anomy.net/ --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV X-DEFANGED[99]-MAC-Something: Used by Eudora Content-Type: application/DEFANGED-99; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="BLACKLISTED.DEFANGED-99" #!/bin/sh echo DEFANGED.100 exit #!/bin/bash # blah blah blah blah blah blah blah --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): Part (pos="533"): SanitizeFile (filename="this.is.ev(with a comment)il, this.is.evil", mimetype="text/plain"): Match (names="this.is.evil", rule="1"): Enforced policy: mangle Defanged part's X-Mac headers. Replaced mime type with: application/DEFANGED-99 Replaced file name with: BLACKLISTED.DEFANGED-99 Defanged UNIX shell script(s). Total modifications so far: 2 --=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV--

sanitizer-1.76/testcases/results.def/sanitizer.tnef.ok

From bre Fri May 17 19:33:45 2002 Return-Path: Received: (from bre@localhost) by monique.frisk-software.com (8.11.2/8.11.2) id g4HJXjK19121 for bre@monique.frisk-software.com; Fri, 17 May 2002 19:33:45 GMT Date: Fri, 17 May 2002 19:33:45 +0000 From: =?iso-8859-1?Q?Bjarni_R=FAnar_Einarsson?= To: =?iso-8859-1?Q?Bjarni_R=FAnar_Einarsson?= Subject: Foo!!! Message-ID: <20020517193345.A14401@monique.frisk-software.com> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="oyUTqETQ0mS9luUI" Content-Disposition: inline User-Agent: Mutt/1.2.5i Status: RO X-FUBAR-Content-Length: 7496 X-FUBAR-Lines: 113 X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/ --oyUTqETQ0mS9luUI Content-Type: text/plain; charset=us-ascii Content-Disposition: inline ldkj --oyUTqETQ0mS9luUI X-Content-Type: application/ms-tnef X-Content-Disposition: attachment; filename="winmail.dat" X-Content-Transfer-Encoding: base64 Content-Type: multipart/mixed; boundary="TNEFStream-TESTING-1" Content-Transfer-Encoding: 8bit Content-Type: text/plain Content-Transfer-Encoding: 8bit --TNEFStream-TESTING-1 X-TNEF-TnefVersion: AAABAA== X-TNEF-OemCodepage: 5AQAAAAAAAA= X-TNEF-MessageClass: SVBNLk1pY3Jvc29mdCBNYWlsLk5vdGUA X-TNEF-Priority: AgA= X-TNEF-DateRecd: Thu May 25 05:15:00 2002 X-TNEF-MAPIProps: [body 5] Content-Type: application/DEFANGED-100 Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="MAPIProps_dat.DEFANGED-100"
--TNEFStream-TESTING-1 X-TNEF-AttachRenddata: AQD/////IAAgAAAAAAA= X-TNEF-AttachModifyDate: Thu May 25 05:15:06 2002 X-TNEF-AttachMetaFile:
X-TNEF-AttachData: [body 9] X-TNEF-AttachFileName: aW1hZ2UwMDEuanBnAA== X-TNEF-Attachment:
Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: inline **** NOTE: An attachment was deleted from this part of the message, because it failed one or more checks by the virus scanning system. See the attached sanitization log for more details or contact your system administrator. The removed attachment's name was: image001.jpg (evaluated as image001.jpg) It might be a good idea to contact the sender and warn them that their system is infected. **** --TNEFStream-TESTING-1-- --oyUTqETQ0mS9luUI Content-Type: text/sanitizer-log; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Content-Disposition: attachment; filename="sanitizer.log" This message has been 'sanitized'. This means that potentially dangerous content has been rewritten or removed. The following log describes which actions were taken. Sanitizer (start="0"): Part (pos="712"): SanitizeFile (filename="unnamed.txt", mimetype="text/plain"): Match (names="unnamed.txt", rule="2"): ScanFile (file="./.tmp.ABC"): Scan succeeded, file is clean. Enforced policy: unknown Match (names="unnamed.txt", rule="9"): Enforced policy: accept Part (pos="809"): Converted Microsoft TNEF encoded data to MIME. Part (pos="125"): Part (pos="23"): SanitizeFile (filename="MAPIProps.dat", mimetype="application/octet-stream"): Match (names="MAPIProps.dat", rule="2"): ScanFile (file="./.tmp.DEF"): Scan succeeded, file is clean. Enforced policy: unknown Match (rule="default"): Enforced policy: defang Replaced mime type with: application/DEFANGED-100 Replaced file name with: MAPIProps_dat.DEFANGED-100 Part (pos="1925"): SanitizeFile (filename="image001.jpg", mimetype="application/octet-stream"): Match (names="image001.jpg", rule="2"): ScanFile (file="./.tmp.GHI"): File was infected, the virus checker couldn't fix it.
Enforced policy: drop
Replaced mime type with: text/plain
Replaced file name with: DEFANGED-101.txt
Total modifications so far: 3

--oyUTqETQ0mS9luUI--

sanitizer-1.76/testcases/results.def/sanitizer.uu-rfc822.ok0000644000175000017500000001014310252331616021772 0ustar agiagi
From xxx@example.com Thu Aug 3 07:32:10 2000
Return-Path:
Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT
From: xxx@example.com
Date: Thu, 3 Aug 2000 06:39:59 GMT
Message-Id: <200008030639.GAA23780@example.com>
MIME-Version: 1.0
Sender: xxx@example.com
To: fake@example.com
Content-Type: multipart/mixed; boundary="=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV"
X-Sanitizer: This message has been sanitized!
X-Sanitizer-URL: http://mailtools.anomy.net/

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit

This is the text part that contains a uuencoded message with some really evil, icky headers that need truncating.

begin_664 testfile
this is not uuencoded data

begin testfile.DEFANGED-100
4;F40 bytes ) MIME encoding from: >>eviiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiil<< to >>8bit<<
Split unusually long word(s) in header.
SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
Match (names="unnamed.txt", rule="2"):
Enforced policy: accept
Total modifications so far: 5

--=ABACAB:=_0006@@UtD0uere5ZCIrVlOp0vV--

sanitizer-1.76/testcases/results.def/sanitizer.fprotd.ok.rot130000644000175000017500000001565710274640610022622 0ustar agiagi
sanitizer-1.76/testcases/results.def/sanitizer.msg-crlf.ok.rot130000644000175000017500000002406310356254524023033 0ustar agiagi

sanitizer-1.76/testcases/results.def/simplify.multipart.ok0000644000175000017500000000527110046711775022221 0ustar agiagi
From xxx@example.com Thu Aug 3 07:32:10 2000
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Return-Path:
Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT
From: xxx@example.com
Date: Thu, 3 Aug 2000 06:39:59 GMT
Message-Id: <200008030639.GAA23780@example.com>
Sender: xxx@example.com
Subject: moo
To: fake@example.com

Here comes a word with no spaces!
HEADER + http://blah/te/st/ing/00.unnamed + http://blah/te/st/ing/02.aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa.vbs.txt

*** Exit code was 0 ***

From xxx@example.com Thu Aug 3 07:32:10 2000
Content-Type: multipart/alternative; boundary="NotARandomBoundary"
Content-Transfer-Encoding: 8bit
Return-Path:
Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT
From: xxx@example.com
Date: Thu, 3 Aug 2000 06:39:59 GMT
Message-Id: <200008030639.GAA23780@example.com>
Sender: xxx@example.com
Subject: moo
To: fake@example.com

--NotARandomBoundary
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Content-Type: text/plain; charset=iso-8859-1

This is a plain text message, old old style! Blah blah!

--NotARandomBoundary--

*** Exit code was 0 ***

From xxx@example.com Thu Aug 3 07:32:10 2000
Content-Type: multipart/alternative; boundary="NotARandomBoundary"
Content-Transfer-Encoding: 8bit
Return-Path:
Received: from example.com (root@example.com [149.144.245.5]) by example.com (8.9.3/8.9.3) with ESMTP id HAA01305 for ; Thu, 3 Aug 2000 07:32:03 GMT
From: xxx@example.com
Date: Thu, 3 Aug 2000 06:39:59 GMT
Message-Id: <200008030639.GAA23780@example.com>
Sender: xxx@example.com
Subject: moo
To: fake@example.com

--NotARandomBoundary
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Content-Type: text/plain; charset=iso-8859-1

Here comes a word with no spaces!
HEADER2 + http://blah/te/st/ing/02.aaaaaaaaa0aaaaaaaaa1aaaaaaaaa2aaaaaaaaa3aaaaaaaaa4aaaaaaaaa5aaaaaaaaa6aaaaaaaaa7aaaaaaaa.vbs.txt

--NotARandomBoundary
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Content-Type: text/html; charset=iso-8859-1

HEADER2

--NotARandomBoundary--

*** Exit code was 0 ***

sanitizer-1.76/testcases/testall.sh0000755000175000017500000001032210274640332015545 0ustar agiagi
#!/bin/sh

# Set default variables.
#
FAILED=0
[ "$TEST_RESULTS" = "" ] && TEST_RESULTS=results.def
ANOMY=..
PERL5LIB=
export ANOMY PERL5LIB

# Charset related issues.
if (echo $LANG | grep -c -i utf >/dev/null); then
    echo
    echo "WARNING: Your default language setting is $LANG, which may enable"
    echo "UTF-8 (unicode) support in various programs, including Perl. This"
    echo "may cause the Anomy Sanitizer to malfunction."
    echo "Please read the file UNICODE.TXT for further information."
    echo
    sleep 5
fi
LC_ALL=C
LANG=en_US
export LC_ALL LANG

# Do we have/need the TNEF stuff?
TNEF=0
[ -e ../bin/Anomy/TNEFStream.pm ] && TNEF=1

# Does "use bytes" work?
if ! perl -Mbytes -e 1 2>/dev/null >/dev/null; then
    echo "WARNING: Your perl is old, creating dummy 'bytes' module..."
    echo "package bytes; sub unimport { 1; } 1;" > $ANOMY/bin/bytes.pm
fi

# Does "use warnings" work?
if ! perl -Mwarnings -e 1 2>/dev/null >/dev/null; then
    echo "WARNING: Your perl is old, creating dummy 'warnings' module..."
    echo "package warnings; sub unimport { 1; } 1;" > $ANOMY/bin/warnings.pm
fi

# Check prerequisites.
#
echo -n "Checking prerequisites... "
REQ="-MDigest::MD5 -MMIME::Base64 -MMIME::QuotedPrint -MIO::File -MIO::Socket::INET"
[ $TNEF = 1 ] && REQ="$REQ -MMIME::Body"
perl $REQ -e1 2>/dev/null
if [ $? != 0 ] ; then
    echo failed.
    echo
    echo "One or more of the following Perl modules were missing from your"
    echo "system. You need to install them before you can use the Anomy"
    echo "Mail Sanitizer:"
    echo
    echo " IO::File"
    echo " IO::Socket::INET"
    [ $TNEF = 1 ] && \
    echo " MIME::Body"
    echo " MIME::Base64"
    echo " MIME::QuotedPrint"
    echo " Digest::MD5"
    echo
    echo "Try 'perldoc CPAN' for information on how to obtain them. But"
    echo "beware - the CPAN module likes to upgrade your perl installation,"
    echo "which may not be what you want. :-)"
    echo
    exit 1
else
    echo ok.
fi

# Load local configuration, if it exists.
#
if [ -f tests.conf ]; then
    . tests.conf
    echo "Using configuration from tests.conf - results go in $TEST_RESULTS."
fi
export TEST_RESULTS SAN_CONF

# Minor sanity checks...
#
if [ ! -d "$TEST_RESULTS" ]; then
    echo "No such directory: $TEST_RESULTS"
    exit 1
fi
if [ "$SAN_CONF" != "" -a ! -r "$SAN_CONF" ]; then
    echo "No such file: $SAN_CONF"
    exit 1
fi

# Run tests!
#
WHICH=$1
echo "Running tests ..."
echo
for a in *.t; do
    if [ "$WHICH" = "" -o "$a" = "$WHICH" ]; then
        test=`echo $a |sed -e 's/\.t$//'`
        /bin/echo -n "$test: "
        sh $a
        # Expected results stored as rot13 are decoded just for the comparison.
        if [ -e "$TEST_RESULTS/$test.ok.rot13" ]; then
            perl -npe 'tr/a-zA-Z/n-za-mN-ZA-M/' \
                < "$TEST_RESULTS/$test.ok.rot13" > "$TEST_RESULTS/$test.ok"
        fi
        if [ ! -f "$TEST_RESULTS/$test.ok" ]; then
            cp test.out "$TEST_RESULTS/$test.ok"
            echo installed
        else
            if diff -u -b "$TEST_RESULTS/$test.ok" test.out >test.diff; then
                T="$TEST_RESULTS/$test"
                rm -f test.* $T.out $T.log $T.diff
                echo ok
            else
                for t in test.*; do
                    mv -f $t "$TEST_RESULTS"/`echo $t |sed -e "s/^test/$test/"`
                done
                echo "failed (moved result files to $TEST_RESULTS)"
                # POSIX arithmetic: "let" is a bash builtin and is not
                # available when /bin/sh is a strict POSIX shell.
                FAILED=$((FAILED+1))
            fi
        fi
        [ -e "$TEST_RESULTS/$test.ok.rot13" ] && rm -f "$TEST_RESULTS/$test.ok"
    fi
done
rm -f test.*
echo
[ $FAILED = 0 ] && exit 0

# Beg for feedback...
#
cat <