The Annoyance Filter.pdf - Fourmilab
218 DEVELOPMENT LOG ANNOYANCE-FILTER §256

Added a --pop3server option to specify the server and optionally, port (which defaults to 110 if not
given) to which the POP3 proxy server will connect. This must be the last option (a warning is given
if it isn’t), and causes the server to immediately begin operation. I removed the server test code from
the --jig and physically moved it to a subsection within the “POP3 proxy server” section, following
the class definition.

2002 October 31

Disabled the --jig, since there’s nothing in it at the moment.

Added proper conditional setting of POP3_PROXY_SERVER based on the capabilities sensed by autoconf
and fixed one compile problem if the proxy server is disabled. At the moment, we assume that if socket
and signal are defined, everything else we’ll need will also be defined.

2002 November 1

Cleaned up POP3 proxy code and added documentation of the related command line options. I still
need to add a main document section on how to install and operate a proxy server.

2002 November 2

We weren’t activating the byte stream parser for spoofed mail worm attachments which trick Microsoft
Outlook into executing an attachment through the incredibly subtle stratagem of declaring the attachment
as an innocuous file type such as audio or image, but with an extension which denotes an
executable file. Brain-dead Outlook decides whether to block or confirm executable content based upon
the former, but then actually executes the file based upon the latter. Can you say “duh”?

Well, thanks to this particular piece of Redmond rot, tens of millions of these worms continue to
pollute the net since, even though the hole has been plugged, millions of the bottom-feeders who use
such software continue to use unpatched versions and/or run machines which are already infected and
actively propagating the worm.

All right, enough polemic. What this means for annoyance-filter is that when we see an attachment
with a Content-Type which usually denotes something we’re not interested in parsing, but then discover
its file name is one of the suspicious executable Microsoft file types, we need to feed it through the byte
stream parser just as if it were tagged with an “application” file type. Doing so will extract the
inevitable embedded strings, which will act as a signature for subsequent encounters with the same or
similar worm. (SourceForge bug 631503, reported by Neil Darlow.)
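
The rule described in this entry, sketched as an added Python example (not annoyance-filter's own code): a part is scanned when either its declared type is “application” or its file name carries an executable extension, whatever the Content-Type claims. The extension list, the function names, and the regex-based string extraction (a simplified stand-in for the byte stream parser) are assumptions, and the sample message is constructed.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed extension list; the log says only "suspicious executable
# Microsoft file types" without enumerating them.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".bat", ".com", ".cmd", ".vbs")

def needs_byte_stream_parse(part):
    """Decide from the declared type AND the file name, never the type alone."""
    if part.get_content_maintype() == "application":
        return True
    # get_filename() reads Content-Disposition filename=, then Content-Type name=.
    # Trailing dots and spaces are stripped so "x.exe. " still matches.
    name = (part.get_filename() or "").lower().rstrip(" .")
    return name.endswith(EXECUTABLE_EXTS)

def embedded_strings(data, min_len=6):
    """Simplified stand-in for the byte stream parser: printable ASCII runs."""
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    return [r.decode("ascii") for r in runs]

def scan_message(raw):
    """Map attachment file name -> extracted strings for parts that get parsed."""
    msg = message_from_bytes(raw, policy=policy.default)
    found = {}
    for part in msg.walk():
        if part.is_multipart() or not needs_byte_stream_parse(part):
            continue
        payload = part.get_payload(decode=True)  # undoes base64 / quoted-printable
        found[part.get_filename()] = embedded_strings(payload)
    return found

def build_sample():
    """Constructed message: one mislabeled part and one genuine audio part."""
    blob = (b"MZ\x90\x00\x03\x00This program cannot be run in DOS mode"
            b"\x0d\x0a$\x00KERNEL32.dll\x00")
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(blob, maintype="audio", subtype="x-wav",
                       filename="readme.exe")
    msg.add_attachment(b"RIFF\x24\x00\x00\x00WAVEfmt ", maintype="audio",
                       subtype="x-wav", filename="chime.wav")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, strings in scan_message(build_sample()).items():
        print(name, strings)
```
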

Improved diagnostics for parser errors by saving the “From ” line and Message-ID (if any) from the
header and then labeling any parser diagnostics written to standard error with the --verbose option
with them. The labels are written only before the first diagnostic for each message in a folder, and
diagnostics are now indented to better distinguish them from the labels.

Diagnostics from MBCSdecoder objects were written to standard error without any identification
of the message in which they occurred. I added the ability to link an MBCSdecoder to its parent
mailFolder with the new setMailFolder method. If linked, diagnostics from the decoder are emitted via
the reportDecoderDiagnostic method of the linked folder, permitting them to be labeled with the message
identification as described in the previous paragraph. It’s still possible to use an MBCSdecoder
without linking it to a mailFolder—if the link is NULL, diagnostics are sent to standard error as before.

Improved diagnostics from the various MBCSdecoder classes. All reports of invalid two-byte sequences
now report both hexadecimal bytes, and other invalid value diagnostics report the offending hexadecimal
value.

Added the ability to search for a literal substring as well as a regular expression in utilities/splitmail.pl.
If the search target begins with “+” (which is invalid in a regular expression), the balance of the pattern
is searched for with case-insensitive comparison. Since so many of the message headers you’re likely