lenses/tests/test_mailscanner_rules.aug

   1 module Test_Mailscanner_Rules =
   2 let conf = "# JKF 10/08/2007 Adobe Acrobat nastiness
   3 rename  \.fdf$                  Dangerous Adobe Acrobat data-file                                               Opening this file can cause auto-loading of any file from the internet
   4
   5 # JKF 04/01/2005 More Microsoft security vulnerabilities
   6 deny    \.ico$                  Windows icon file security vulnerability                                        Possible buffer overflow in Windows
   7 allow   \.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$        -       -
   8 deny+delete     \.cur$                  Windows cursor file security vulnerability                                      Possible buffer overflow in Windows
   9 andrew@baruwa.com,andrew@baruwa.net     \.reg$          Possible Windows registry attack                                                Windows registry entries are very dangerous in email
  10 andrew@baruwa.com andrew@baruwa.net     \.chm$          Possible compiled Help file-based virus                                         Compiled help files are very dangerous in email
  11 rename to .ppt  \.pps$          Renamed .pps to .ppt                                                    Renamed .pps to .ppt
  12 "
  13
  14 test Mailscanner_Rules.lns get conf =
  15     { "#comment" = "JKF 10/08/2007 Adobe Acrobat nastiness" }
  16     { "1"
  17         { "action" = "rename" }
  18         { "regex" = "\.fdf$" }
  19         { "log-text" = "Dangerous Adobe Acrobat data-file" }
  20         { "user-report" = "Opening this file can cause auto-loading of any file from the internet" }
  21     }
  22     {}
  23     { "#comment" = "JKF 04/01/2005 More Microsoft security vulnerabilities" }
  24     { "2"
  25         { "action" = "deny" }
  26         { "regex" = "\.ico$" }
  27         { "log-text" = "Windows icon file security vulnerability" }
  28         { "user-report" = "Possible buffer overflow in Windows" }
  29     }
  30     { "3"
  31         { "action" = "allow" }
  32         { "regex" = "\.(jan|feb|mar|apr|may|jun|june|jul|july|aug|sep|sept|oct|nov|dec)\.[a-z0-9]{3}$" }
  33         { "log-text" = "-" }
  34         { "user-report" = "-" }
  35     }
  36     { "4"
  37         { "action" = "deny+delete" }
  38         { "regex" = "\.cur$" }
  39         { "log-text" = "Windows cursor file security vulnerability" }
  40         { "user-report" = "Possible buffer overflow in Windows" }
  41     }
  42     { "5"
  43         { "action" = "andrew@baruwa.com,andrew@baruwa.net" }
  44         { "regex" = "\.reg$" }
  45         { "log-text" = "Possible Windows registry attack" }
  46         { "user-report" = "Windows registry entries are very dangerous in email" }
  47     }
  48     { "6"
  49         { "action" = "andrew@baruwa.com andrew@baruwa.net" }
  50         { "regex" = "\.chm$" }
  51         { "log-text" = "Possible compiled Help file-based virus" }
  52         { "user-report" = "Compiled help files are very dangerous in email" }
  53     }
  54     { "7"
  55         { "action" = "rename to .ppt" }
  56         { "regex" = "\.pps$" }
  57         { "log-text" = "Renamed .pps to .ppt" }
  58         { "user-report" = "Renamed .pps to .ppt" }
  59     }