MailFollowURLs
Hello, All!
# If an email contains URLs ClamAV can download and scan them.
# WARNING: This option may open your system to a DoS attack.
# Never use it on loaded servers.
# Default: disabled
#MailFollowURLs

How do I set a maximum size for files that are downloaded by this directive?


Goodbye, and good luck!
====================
Sergey Prokopenko. All the letters in my address are real.



_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
Re: MailFollowURLs
On Tue, 2005-09-20 at 09:12, Sergey Prokopenko wrote:
> Hello, All!
> # If an email contains URLs ClamAV can download and scan them.
> # WARNING: This option may open your system to a DoS attack.
> # Never use it on loaded servers.
> # Default: disabled
> #MailFollowURLs
>
> How do I set a maximum size for files that are downloaded by this directive?

The limit is fixed to 50K at the moment. It would be useful to be able
to use the StreamMaxLength directive from clamd.conf, but values
in that file are not made available to that layer of the software by the
higher levels.

-Nigel

Re: MailFollowURLs
Nigel Horne wrote:
> On Tue, 2005-09-20 at 09:12, Sergey Prokopenko wrote:
>
>>Hello, All!
>># If an email contains URLs ClamAV can download and scan them.
>># WARNING: This option may open your system to a DoS attack.
>># Never use it on loaded servers.
>># Default: disabled
>>#MailFollowURLs
>>
>>How do I set a maximum size for files that are downloaded by this directive?
>
> The limit is fixed to 50K at the moment. It would be useful to be able
> to use the StreamMaxLength directive from clamd.conf, but values
> in that file are not made available to that layer of the software by the
> higher levels.

Is there any way to specify what URLs ClamAV will download
based on the extension? (IE, only download+scan zip|exe|pif
etc which are found in the url inside a mail)

Cami

Re: MailFollowURLs
On Tue, 2005-09-20 at 11:42, Cami wrote:
> Nigel Horne wrote:
> > On Tue, 2005-09-20 at 09:12, Sergey Prokopenko wrote:
> >
> >>Hello, All!
> >># If an email contains URLs ClamAV can download and scan them.
> >># WARNING: This option may open your system to a DoS attack.
> >># Never use it on loaded servers.
> >># Default: disabled
> >>#MailFollowURLs
> >>
> >>How do I set a maximum size for files that are downloaded by this directive?
> >
> > The limit is fixed to 50K at the moment. It would be useful to be able
> > to use the StreamMaxLength directive from clamd.conf, but values
> > in that file are not made available to that layer of the software by the
> > higher levels.
>
> Is there any way to specify what URLs ClamAV will download
> based on the extension? (IE, only download+scan zip|exe|pif
> etc which are found in the url inside a mail)

No. And there are no plans for that, since the file would be endless.
We've seen infestations in just about all file types.

> Cami

-Nigel

Re: MailFollowURLs
Nigel Horne wrote:
> On Tue, 2005-09-20 at 11:42, Cami wrote:
>
>>Nigel Horne wrote:
>>
>>>The limit is fixed to 50K at the moment. It would be useful to be able
>>>to use the StreamMaxLength directive from clamd.conf, but values
>>>in that file are not made available to that layer of the software by the
>>>higher levels.
>>
>>Is there any way to specify what URLs ClamAV will download
>>based on the extension? (IE, only download+scan zip|exe|pif
>>etc which are found in the url inside a mail)
>
> No. And there are no plans for that, since the file would be endless.
> We've seen infestations in just about all file types.

Indeed, that makes sense. Is there perhaps another solution
to cater for the possibility of a DOS attack on the server?
I was wondering what the implications are of mails that
included a large number of external links with gif|jpg etc.
What about limiting the amount of URLs that will be followed
per mail or would this be a waste of time?

Cami

Re: MailFollowURLs
On Tue, 2005-09-20 at 11:53, Cami wrote:
> Nigel Horne wrote:
> > On Tue, 2005-09-20 at 11:42, Cami wrote:
> >
> >>Nigel Horne wrote:
> >>
> >>>The limit is fixed to 50K at the moment. It would be useful to be able
> >>>to use the StreamMaxLength directive from clamd.conf, but values
> >>>in that file are not made available to that layer of the software by the
> >>>higher levels.
> >>
> >>Is there any way to specify what URLs ClamAV will download
> >>based on the extension? (IE, only download+scan zip|exe|pif
> >>etc which are found in the url inside a mail)
> >
> > No. And there are no plans for that, since the file would be endless.
> > We've seen infestations in just about all file types.
>
> Indeed, that makes sense. Is there perhaps another solution
> to cater for the possibility of a DOS attack on the server?

What DOS attack?

> I was wondering what the implications are of mails that
> included a large number of external links with gif|jpg etc.
> What about limiting the amount of URLs that will be followed
> per mail or would this be a waste of time?

There is already a hard-coded limit of 5. It is hard-coded for the
same reason that the file size is limited (no access to configuration
data at that level).

> Cami

-Nigel

Re: MailFollowURLs
On Tue, Sep 20, 2005 at 12:53:22PM +0200, Cami wrote:
> >>Is there any way to specify what URLs ClamAV will download
> >>based on the extension? (IE, only download+scan zip|exe|pif
> >>etc which are found in the url inside a mail)
> >
> >No. And there are no plans for that, since the file would be endless.
> >We've seen infestations in just about all file types.
>
> Indeed, that makes sense. Is there perhaps another solution
> to cater for the possibility of a DOS attack on the server?

What about things like "click here to confirm your subscription to
TheSpamChannel@example.com", isn't MailFollowURLs a sure way to
"confirm" all your spam and other webbugs? Anybody have any experience
with that?

--
#!perl -wpl # mmfppfmpmmpp mmpffm <pmmppfmfpppppfmmmf@fpffmm4mmmpmfpmf.ppppmf>
$p=3-2*/[^\W\dmpf_]/i;s.[a-z]{$p}.vec($f=join('',$p-1?chr(sub{$_[0]*9+$_[1]*3+
$_[2]}->(map{/p|f/i+/f/i}split//,$&)+97):qw(m p f)[map{((ord$&)%32-1)/$_%3}(9,
3,1)]),5,1)='`'lt$&;$f.eig; # Jan-Pieter Cornet

Re: MailFollowURLs
Hello, Nigel!
You wrote on 20 Sep 2005 11:57:02 +0100:

NH> There is already a hard-coded limit of 5. It is hard-coded for
NH> the same reason that the file size is limited (no access to
NH> configuration data at that level).

ToDo
Mark the subj [warning: big files in URLs] of such messages with unscannable
URLs (over the limit of max urls|maxsize )... ;-)



WBR



Re: MailFollowURLs
Nigel Horne wrote:
> On Tue, 2005-09-20 at 11:53, Cami wrote:
>
>> I was wondering what the implications are of mails that
>> included a large number of external links with gif|jpg etc.
>> What about limiting the amount of URLs that will be followed
>> per mail or would this be a waste of time?
>
> There is already a hard-coded limit of 5. It is hard-coded for the
> same reason that the file size is limited (no access to configuration
> data at that level).

I must have missed all that in the docs. :P
What happens if a mail has the following URLs (all in 1 mail):

http://www.mweb.co.za
http://www.mweb.co.za/
http://www.mweb.co.za/index.html
http://www.mweb.co.za/index.jpg
http://www.mweb.co.za/love.gif
http://www.mweb.co.za/love.zip

Will all of those get scanned except love.zip?

Cami

Re: MailFollowURLs
On Tue, 2005-09-20 at 12:20, Cami wrote:
> Nigel Horne wrote:
> > On Tue, 2005-09-20 at 11:53, Cami wrote:
> >
> >> I was wondering what the implications are of mails that
> >> included a large number of external links with gif|jpg etc.
> >> What about limiting the amount of URLs that will be followed
> >> per mail or would this be a waste of time?
> >
> > There is already a hard-coded limit of 5. It is hard-coded for the
> > same reason that the file size is limited (no access to configuration
> > data at that level).
>
> I must have missed all that in the docs. :P
> What happens if a mail has the following URLs (all in 1 mail):
>
> http://www.mweb.co.za
> http://www.mweb.co.za/
> http://www.mweb.co.za/index.html
> http://www.mweb.co.za/index.jpg
> http://www.mweb.co.za/love.gif
> http://www.mweb.co.za/love.zip
>
> Will all of those get scanned except love.zip?

Yes, even though the first 3 probably return the same content.

>
> Cami

-Nigel

Re: Re: MailFollowURLs
On Tue, 2005-09-20 at 12:17, Sergey Prokopenko wrote:
> Hello, Nigel!
> You wrote on 20 Sep 2005 11:57:02 +0100:
>
> NH> There is already a hard-coded limit of 5. It is hard-coded for
> NH> the same reason that the file size is limited (no access to
> NH> configuration data at that level).
>
> ToDo
> Mark the subj [warning: big files in URLs] of such messages with unscannable
> URLs (over the limit of max urls|maxsize )... ;-)

clamav-milter already adds a header when StreamMaxLength is added.

Since the FOLLOWURLS is hard coded at another module, it isn't possible
for clamav-milter to know about that and add a header. I completely
agree that it would be useful if it did and will add it to the TODO list.


> WBR

Re: MailFollowURLs
Hello, Nigel!
You wrote on 20 Sep 2005 12:28:12 +0100:

>> Mark the subj [warning: big files in URLs] of such messages with
>> unscannable
>> URLs (over the limit of max urls|maxsize )... ;-)

NH> clamav-milter already adds a header when StreamMaxLength is
NH> added.

NH> Since the FOLLOWURLS is hard coded at another module, it isn't
NH> possible for clamav-milter to know about that and add a header.
NH> I completely agree that it would be useful if it did and will add it
NH> to the TODO list.

Sorry, it would be useful for rules in Outlook Express, but OE doesn't support
rules based on header strings, but a subj substring - very well... Users
like an alternative - subj|header by their own choice... but don't like to pay $. ;-)

Sorry for my English... WBR
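
The limits described in this thread (at most 5 URLs followed per message, 50K per download) and the suggestion to flag messages whose URLs were not fully scanned, as an added Python sketch that is not ClamAV's code. The names `plan_fetches`, `read_capped` and `scan_report`, the subject tag text and the fake downloader are all hypothetical, and the sketch assumes an over-size download is cut off at the cap.

```python
import re

MAX_URLS = 5            # per-message URL limit quoted in the thread
MAX_BYTES = 50 * 1024   # per-download size limit quoted in the thread ("50K")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def plan_fetches(body, max_urls=MAX_URLS):
    """Return (to_fetch, skipped): URLs in order of appearance, split at the cap."""
    urls = URL_RE.findall(body)
    return urls[:max_urls], urls[max_urls:]

def read_capped(chunks, max_bytes=MAX_BYTES):
    """Read an iterable of byte chunks, keeping at most max_bytes.
    Returns (data, truncated)."""
    buf = bytearray()
    for chunk in chunks:
        room = max_bytes - len(buf)
        if len(chunk) > room:
            buf += chunk[:room]
            return bytes(buf), True   # stop reading: the rest is never scanned
        buf += chunk
    return bytes(buf), False

def scan_report(body, fetch):
    """fetch(url) is a caller-supplied (hypothetical) downloader yielding byte chunks."""
    to_fetch, skipped = plan_fetches(body)
    truncated = []
    for url in to_fetch:
        data, cut = read_capped(fetch(url))  # a scanner would inspect `data` here
        if cut:
            truncated.append(url)
    tag = "[warning: unscanned URLs] " if (skipped or truncated) else ""
    return {"fetched": to_fetch, "skipped": skipped,
            "truncated": truncated, "subject_tag": tag}

# Constructed sample: the six URLs from the thread, with a fake downloader.
SAMPLE_BODY = """http://www.mweb.co.za
http://www.mweb.co.za/
http://www.mweb.co.za/index.html
http://www.mweb.co.za/index.jpg
http://www.mweb.co.za/love.gif
http://www.mweb.co.za/love.zip
"""

def fake_fetch(url):
    size = 60 * 1024 if url.endswith("love.gif") else 2 * 1024  # constructed sizes
    return [b"\0" * 4096] * (size // 4096) + [b"\0" * (size % 4096)]

if __name__ == "__main__":
    print(scan_report(SAMPLE_BODY, fake_fetch))
```

The report keeps the skipped and truncated URLs separate, so a mail filter could put the tag in the subject or in a header, whichever the recipient's client can match on.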


