Large file attachment filtering

Greg Borders gborders at jlewiscooper.com
Thu Nov 17 17:03:38 GMT 2005



Julian Field wrote:
>
> Greg Borders wrote:
>
>   
>> I'll investigate what the Quarantine can do as far as 
>> stripping/storing the mime attachments.  The bit about "pretty message 
>> wrapping" and "constructed URLs" is where I was expecting to have some 
>> bits of code/script creep in.  Not too sure yet where to grab bits of 
>> info to construct those...
>>     
>
> What I mean is for you to customise the report files sent to the user 
> (as in /etc/MailScanner/reports/en/). Various Perl variables can be used 
> in there (my examples use all the ones available) so you can construct a 
> report that includes a URL in the report. No code or script needed.

That's the "bits" I was looking for!  (Although one could argue using 
perl variables in a report is a form of coding *wink* )

Ok, after a day or two of tinkering I've got a system in place that does 
the basics.  I thought I'd share my efforts with the MailScanner 
community, to help make it easier for the next person to implement.

The MailScanner.conf file has a "Quarantine Permissions" variable that 
mentions setting it to 644 for allowing the web server to have access to 
the files.  (It caused me a lot of frustration until I found that setting.)

The MailScanner.conf also has the "Maximum Attachment Size" setting.  
This is typically set to -1 for unlimited size, or any number of bytes 
for a system wide restriction.  Of course being a SysAdmin, we don't 
want to limit ourselves, so I created a separate rule set for individuals 
/ groups.  So the MailScanner.conf line looks like:
Maximum Attachment Size = %rules-dir%/max.attachment.size.rules

And the rules file contains:

#list of users and the max file bytes they can receive before they are quarantined.
#Fred 100meg for special courier file
FromOrTo:       fred at company-x.com     104857600

#test user max size for testuser 1 meg!
FromOrTo:       testuser at company-x.com 1048576

#everybodyelse gets default (no scan=-1)
FromOrTo:       default -1

Note you can set various levels of file sizes depending on what you 
want.  I tested my settings with my testuser account, and it didn't 
affect the live users.  Later I can set the default to a comfortable limit.

Next, we need to change a couple of reports in
/etc/MailScanner/reports/en/

From my tests, send.error.report.txt and stored.virus.message.txt were 
sent to the sender / recipient respectively when the "Attachment is too 
large" flag is tripped.  I included some lines in the 
stored.virus.message.txt that recreated the URL to the file. The 
available perl variables make this a cinch.

URL: for direct download:
http://www.company-x/pickup/$datenumber/$id/$filename

Lastly, note the above URL path doesn't have the full 
/var/spool/MailScanner/quarantine/ in it.  For Apache users, this is 
easy to do.  With an alias in the httpd.conf file, you can better 
protect the quarantine area from malicious types.

Alias /pickup/ "/var/spool/MailScanner/quarantine/"
<Directory "/var/spool/MailScanner/quarantine/">
    Options Indexes MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>


Hope this helps anyone that needs to have automated access to their 
quarantine files!

Next phase I may attempt to do more along the lines of what you did, 
Julian, and instead of linking directly to the file, I'd send them off 
to a PHP/perl page to do a request for file, and then have IT 
administrators approve the transfer to the users before sending them a 
working link to the data.
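
The Alias block in the post serves the whole quarantine tree, with directory listings, to any client that can reach the web server. The approval step planned in the last paragraph could be built as sketched below: a link works only after an administrator signs it, and only for a limited time. This is an added example, not code from the post or from MailScanner; the function names, the signing key, and the YYYYMMDD and queue-id patterns are assumptions.

```python
import hashlib
import hmac
import re
import time
from pathlib import Path

QUARANTINE = Path("/var/spool/MailScanner/quarantine")  # directory named in the post
SECRET = b"constructed-demo-key"  # assumption: the real key is stored outside the web root
DATE_RE = re.compile(r"\d{8}")  # assumption: $datenumber is a YYYYMMDD directory
ID_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,63}")  # assumption: queue-id charset


def _valid(date, msg_id, name):
    """Each URL part must be a single, plain path component."""
    return bool(
        DATE_RE.fullmatch(date)
        and ID_RE.fullmatch(msg_id)
        and name not in ("", ".", "..")
        and not any(c in name for c in "/\\\0\n")
    )


def _sign(date, msg_id, name, expires):
    msg = "\n".join((date, msg_id, name, str(expires))).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def approve(date, msg_id, name, ttl=86400, now=None):
    """Run when an administrator approves a release; returns (expires, signature)."""
    if not _valid(date, msg_id, name):
        raise ValueError("not a plain quarantine path")
    expires = int(time.time() if now is None else now) + ttl
    return expires, _sign(date, msg_id, name, expires)


def resolve(date, msg_id, name, expires, sig, now=None, root=QUARANTINE):
    """Return the file to serve, or None if the link must be refused."""
    if not _valid(date, msg_id, name):
        return None
    good = _sign(date, msg_id, name, expires).encode()
    if not hmac.compare_digest(good, str(sig).encode()):
        return None  # never approved, or the link was altered
    if (time.time() if now is None else now) > expires:
        return None  # the approval has lapsed
    base = Path(root).resolve()
    target = (base / date / msg_id / name).resolve()
    # resolve() follows symlinks, so a link pointing outside the tree is refused
    if base not in target.parents or not target.is_file():
        return None
    return target
```

The web page that handles /pickup/ requests would call resolve() with the URL parts and stream the returned file, so the quarantine directory itself no longer needs to be readable through an Alias.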



