Feature request: HTML Content Checks
Julian Field
MailScanner at ecs.soton.ac.uk
Tue Jan 18 16:29:55 GMT 2005
[ The following text is in the "ISO-8859-1" character set. ]
[ Your display is set for the "US-ASCII" character set. ]
[ Some characters may be displayed incorrectly. ]
All the log entries will be of the form
HTML-IFrame tag found in message %s from %s
so you will get the sender's address in every log entry.
Quentin Campbell wrote:
>Julian
>
>Thanks. That would do the job.
>
>In fact your suggested way is better because the logged line will also
>include the envelope-sender address.
>
>Note though that if people chose "Log HTML Tags = yes" and if they also
>chose to strip HTML on, say, the occurrence of an IFrame tag in a
>message then three lines will be logged:
>
>Jan 18 04:03:29 cheviot4 MailScanner[29462]: HTML IFrame tag found in
>message
>j0I43C12031986 from boston at changing_boston.net
>
>Jan 18 04:03:29 cheviot4 MailScanner[29462]: Content Checks: Detected
>HTML-specific exploits in j0I43C12031986
>
>Jan 18 04:03:29 cheviot4 MailScanner[29462]: Content Checks: Detected
>and will convert HTML message to plain text in j0I43C12031986
>
>I am happy to live with that if it simplifies the additional coding you
>have to do!
>
>Regards
>
>Quentin
>---
>PHONE: +44 191 222 8209 Information Systems and Services (ISS),
> University of Newcastle,
> Newcastle upon Tyne,
>FAX: +44 191 222 8765 United Kingdom, NE1 7RU.
>------------------------------------------------------------------------
>"Any opinion expressed above is mine. The University can get its own."
>
>
>
>>-----Original Message-----
>>From: MailScanner mailing list
>>[mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf Of Julian Field
>>Sent: 18 January 2005 15:25
>>To: MAILSCANNER at JISCMAIL.AC.UK
>>Subject: Re: Feature request: HTML Content Checks
>>
>>Is this okay?
>>
>>HTML-Object
>>HTML-Script
>>HTML-Form
>>HTML-IFrame
>>
>>with the same log line format as the current log iframe tags gives you.
>>I will remove the log iframe tags option and replace it with
>>log html tags.
>>
>>
>>Quentin Campbell wrote:
>>
>>
>>
>>>ulian
>>>
>>>Is it possible to add to the logged "Content Checks: Detected
>>>HTML-specific exploits in ..." messages the actual HTML exploit that
>>>caused the message?
>>>
>>>That is, I am asking for one of the strings "HTML-Iframe",
>>>"HTML-Codebase", "HTML Object", "HTML-Script" or "HTML-Form"
>>>
>>>
>>to be added
>>
>>
>>>as appropriate to the message.
>>>
>>>At present we only have info on IFrame exploits through the separate
>>>logging facility for that tag. I would like this additional
>>>
>>>
>>info for the
>>
>>
>>>same reason you provided the IFrame logging - to identify the
>>>envelope-From address that may need to be added to the rules file to
>>>exempt that address from the actions normally applied to that exploit.
>>>
>>>
--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
------------------------ MailScanner list ------------------------
To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
'leave mailscanner' in the body of the email.
Before posting, read the MAQ (http://www.mailscanner.biz/maq/) and
the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
Support MailScanner development - buy the book off the website!
More information about the MailScanner
mailing list