sb/functions/mimeparser.rc

# MIMEPARSER.RC
# Process messages that have MIME-Version: 1.0 in the header

# Define a temporary directory where we will save files
# during the MIME autopsy.
MESSAGETMPDIR="${SBTEMP}/${LOGNAME}.message.${LOCALRANDOM}"

# You will have to consider /tmp race conditions or disk space
# if you point SBTEMP at directory other than /tmp
:0
* $ ? ${TEST} -d ${SBTEMP}
{
 OLDUMASK=${UMASK}
 # Make sure the ${MESSAGETMPDIR} directory is private for the user in question.
 UMASK=007
 :0
 * $ ? ${MKDIR} ${MESSAGETMPDIR}
 {
  SBLOG="L5-Creating temp directory: \"${MESSAGETMPDIR}\""
  INCLUDERC=${SBDIR}/functions/loglevel.rc
 }
 :0 E
 {
  SBLOG="L1-Error: Failed to create temp directory:\"${MESSAGETMPDIR}\""
  INCLUDERC=${SBDIR}/functions/loglevel.rc
  MESSAGETMPDIR=''
 }
 UMASK=${OLDUMASK}
}

# If we don't have a /tmp directory and a MIME header, then bail.
# Otherwise proceed with the mime autopsy.
MIME=no
MIMEVERSION=`${FORMAIL} -cX "MIME-Version:" |${SED} -e 's/[ 	]\{1,\}/ /g;s/ $//'`
:0
* ! MESSAGETMPDIR ?? ^^^^
* MIMEVERSION ?? ^MIME-Version: 1\.0$
{
 MIME=yes
 SBLOG="L5-Begin MIME Message Body Autopsy"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Save a copy of existing spambouncer headers for later restoration.
 :0hc:
 |${SED} -ne '/^X-S\(pamBouncer\|B\(Rule\|Stop\|Pass\|Note\|Class\|Score\|Pattern\)\):.\{1,\}$/p' >>${MESSAGETMPDIR}/sbheaders-saved-before-autopsy.eml

 # Strip any existing spambouncer headers.
 :0hf
 |${SED} -e '/^X-S\(pamBouncer\|B\(Rule\|Stop\|Pass\|Note\|Class\|Score\|Pattern\)\):.\{1,\}$/d'

 # Save a copy of the entire original message before we start the autopsy.
 # The message will be restored from this file later after
 # the mime message body autopsy is complete.
 :0c:
 ${MESSAGETMPDIR}/message-original.eml

 # Unfold all the headers, replace multiple tabs and spaces with single spaces
 # Strip all trailing spaces, and restore the newline at end of headers.
 # Doing this makes header parsing less complicated when using regular expressions.
 # We'll restore the headers later to their original condition from the saved file.
 :0 hf
 |${FORMAIL} -cX "" |${SED} -e 's/[ 	]\{1,\}/ /g;s/ $//;$s/$/\n/'

 # Begin the mime Message body autopsy
 :0
 * MIME ?? ^yes$
 {
  MIMELEVEL=0

  # level is the internal representation of mime part recursion
  LOCALLEVEL=${MIMELEVEL}
  :0
  * LOCALLEVEL ?? ^0$
  { LOCALCONTENT=`${FORMAIL} -cX "Content-Type:"` }
  :0 E
  { LOCALCONTENT=`${CAT} ${MESSAGETMPDIR}/MIME_${LOCALLEVEL} |${FORMAIL} -cX "Content-Type:"` }

  SBLOG="L7-LOCALCONTENT=${LOCALCONTENT}"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  LOCALBOUNDARY=''
  # Some mime messages quote the boundary
  # Note: Per RFC 2046 para 5.1 MIME 1.0 boundary tags must be 7bit US ASCII
  # If they contain 8bit characters, they are not following RFC 2046
  :0
  * LOCALCONTENT ?? ^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]-[Tt][Yy][Pp][Ee]: [Mm][Uu][Ll][Tt][Ii][Pp][Aa][Rr][Tt]/.+;( )?[Bb][Oo][Uu][Nn][Dd][Aa][Rr][Yy]=".+"(;.*)?$
  * LOCALCONTENT ?? ^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]-[Tt][Yy][Pp][Ee]: [Mm][Uu][Ll][Tt][Ii][Pp][Aa][Rr][Tt]/.+;( )?[Bb][Oo][Uu][Nn][Dd][Aa][Rr][Yy]="[^"]+"(;.*)?$
  * LOCALCONTENT ?? ^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]-[Tt][Yy][Pp][Ee]: [Mm][Uu][Ll][Tt][Ii][Pp][Aa][Rr][Tt]/.+;( )?[Bb][Oo][Uu][Nn][Dd][Aa][Rr][Yy]="\/[^"]+
  { LOCALBOUNDARY=$MATCH }

  # Some mime messages don't quote the boundary
  # Note: Unquoted boundary tags can not contain ; or :
  :0 E
  * LOCALCONTENT ?? ^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]-[Tt][Yy][Pp][Ee]: [Mm][Uu][Ll][Tt][Ii][Pp][Aa][Rr][Tt]/.+;( )?[Bb][Oo][Uu][Nn][Dd][Aa][Rr][Yy]=[^"]+(;.*)?$
  * LOCALCONTENT ?? ^[Cc][Oo][Nn][Tt][Ee][Nn][Tt]-[Tt][Yy][Pp][Ee]: [Mm][Uu][Ll][Tt][Ii][Pp][Aa][Rr][Tt]/.+;( )?[Bb][Oo][Uu][Nn][Dd][Aa][Rr][Yy]=\/[^";:]+
  { LOCALBOUNDARY=$MATCH }

  # No boundary tag was found for the MIME message body parts
  # so treat the body itself as a MIME part.
  :0
  * LOCALBOUNDARY ?? ^^^^
  { LOCALBOUNDARY='NONE' }

  :0
  * LOCALBOUNDARY ?? ^NONE$
  {
   SBLOG="L7-LOCALBOUNDARY=${LOCALBOUNDARY} using \"SpamBouncer_Autopsy_Mime_Boundary\""
   INCLUDERC=${SBDIR}/functions/loglevel.rc
  }
  :0 E
  {
   SBLOG="L7-LOCALBOUNDARY=${LOCALBOUNDARY}"
   INCLUDERC=${SBDIR}/functions/loglevel.rc
  }
  # Save the message body into it's own file for recursive autopsy
  :0 bc:
  * ! LOCALBOUNDARY ?? ^NONE$
  ${MESSAGETMPDIR}/MIME_1

  # The message body was not encapsulated in a mime Boundary, so we'll create one
  # on the fly for the autopsy
  :0 E
  {
   LOCALBOUNDARY='SpamBouncer_Autopsy_Mime_Boundary'
   LOG=`(${ECHO} "";${ECHO} "--SpamBouncer_Autopsy_Mime_Boundary") >${MESSAGETMPDIR}/MIME_1`
   LOG=`(${FORMAIL} -cX "Content-";${ECHO} "") >>${MESSAGETMPDIR}/MIME_1`

   :0 bc:
   ${MESSAGETMPDIR}/MIME_1

   LOG=`(${ECHO} "";${ECHO} "--SpamBouncer_Autopsy_Mime_Boundary--";${ECHO} "") >>${MESSAGETMPDIR}/MIME_1`
  }

  # Named sed script that makes things more readable. Might take it out
  # or move it to sb-config-defaults.rc
  SPACES_TABS_TO_SPACES='s/[ 	]\{1,\}/ /g;s/ $//'

  # Set the initial recursion states: Don't change these.
  PART=1
  OUTLINE=1
  RECURSLEVEL=1

  # This limit can be increased if you want. It's there to cause the recursion to limit itself so
  # it doesn't get stuck in an infiniate loop in case something breaks.
  # Note: Each recursion will fork a new process causing the parent process(s) to wait
  # until all the child process(s) are finished.
  # You'll not likely ever see any mime message with more than 10 nested mime parts.
  RECURSELIMIT=3

  SBLOG="L7-Entering file: ${SBDIR}/functions/mimeparts.sh"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # Don't change this unless you know what you are doing or things will likely break.
  # This calls a custom /bin/sh script that recursively calls itself to find all the mime parts.
  # The command line arguments to mimeparts.sh become local variables in each recursion instance.
  SBPID="$$"
  LOG=`export SED ECHO NL DECODEBASE64 SBLOGLEVEL GREP EGREP SBDIR SPACES_TABS_TO_SPACES MESSAGETMPDIR WC SBPID DATE HOST LOGFILE SBLOGFILE SBHEADERS HASHCOMMAND;\
       ${SBDIR}/functions/mimeparts.sh "MIME_${OUTLINE}" "${OUTLINE}" "${PART}" "${RECURSLEVEL}" "${RECURSELIMIT}" "${LOCALBOUNDARY}"
  `
  # procmail strippes the last newline from the above script, so add it back.
  :0
  * SBLOGLEVEL ?? ^[789]$
  { LOG="${NL}" }
  SBLOG="L7-Leaving file: ${SBDIR}/functions/mimeparts.sh"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
 }

 # We should have a new file ${MESSAGETMPDIR}/plain_body_files_to_parse.txt
 # which contains a list of mime body part filenames that were determined
 # to contain parsable text/html content and if they were base64 encoded
 # were decoded on the fly.

 # So we are now going to replace the message body
 # with the contents of these files, send it through the body
 # pattern matching filters, then restore the original message
 # from the save. Note: This might break if you run out of disk space!
 # so disk cleanup is going to have to be done.

 :0
 * $ ? ${TEST} -f ${MESSAGETMPDIR}/plain_body_files_to_parse.txt
 {
  FILELIST=`${CAT} ${MESSAGETMPDIR}/plain_body_files_to_parse.txt`
  # Note: this filter uses for, do and done which are /bin/sh or /bin/bash
  # builtin commands. You won't find them on the filesystem.
  #
  # This filter rebuilds the message body in X-SpamBouncer-Autopsy: format
  # by temporarily replacing the original message body in the pipeline.
  #
  # The last part of this filter squeezes the parts by
  # converting LFCR to LF, replaces multiple tabs and
  # spaces with single spaces, squeezes multiple blank lines one
  # blank line and removes any leading or trailing spaces from each line.
  # Then checks for mailbox message delimeters and escapes them.
  #
  # This is to simplify message body pattern matching on the autopsy copy.
  # This could also be used to remove any non-printable characters and/or replace
  # them with quoted printable characters.
  :0bf
  |${SED} '1,$d' |\
   ${ECHO} "X-SpamBouncer-Autopsy: Begin:";\
  (for i in ${FILELIST};\
   do (\
        ${ECHO};\
        ${ECHO} "X-SpamBouncer-Autopsy: File: \"${i}\"";\
	${ECHO};\
        ${CAT} $i\
      ) done;\
   ${ECHO};\
   ${ECHO} "X-SpamBouncer-Autopsy: End") |\
   ${TR} "\012\015" "\012" |\
   ${SED} -e 's/[ 	]\{1,\}/ /g;s/^ $//' |\
   ${CAT} -s |\
   ${SED} -e 's/^ //;s/ $//' |\
   ${SED} -e 's/^From /\\&/;s/^\.$/\\&/'

  # This is for debugging and may be going away or surpressed if
  # the log level isn't high enough. It's a copy of what is in the
  # pipeline that will be used next for the message body domain and
  # IP extraction recipes and the pattern matching recipes.
  SBLOG="L5-Saving: \"${MESSAGETMPDIR}/message_autopsy.eml\""
  INCLUDERC=${SBDIR}/functions/loglevel.rc
  :0c:
  ${MESSAGETMPDIR}/message_autopsy.eml

  # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
  # Do spambouncer body parsing stuff here on the edited message body.
  # When all pattern matching and extraction is done, restore the
  # original message body.
  # !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  # The following will also call sb6.rc for the body pattern matching recipes.
  INCLUDERC=${SBDIR}/functions/extract-body-info.rc

  # Split out and save any SpamBouncer headers resulting from the pattern matching
  # so we can append the new headers to the message in the main pipe.
  :0
  * H ?? ^X-S(pamBouncer|B(Rule|Stop|Pass|Note|Class|Score|Pattern)):.+$
  { LOG=`${FORMAIL} -cX "" |${SED} -e '/^X-S\(pamBouncer\|B\(Rule\|Stop\|Pass\|Note\|Class\|Score\|Pattern\)\):.\{1,\}$/!d' >${MESSAGETMPDIR}/sbheaders-saved-after-autopsy` }
 }

 # else Nothing was found during the MIME message body autopsy that was worth parsing.
 :0 E
 { MIME=no }

 SBLOG="L7-Restoring original message to pipeline from ${MESSAGETMPDIR}/message-original.eml"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
 # Restore the message from the file saved copy of the original.
 :0 hbf
 |${SED} -e '1,$d';(${CAT} ${MESSAGETMPDIR}/message-original.eml)

 # Restore the SpamBouncer headers from the file saved copy from before the autopsy.
 :0
 * $ ? ${TEST} -f ${MESSAGETMPDIR}/sbheaders-saved-before-autopsy.eml
 {
  SBLOG="L7-Restoring saved spambouncer headers from ${MESSAGETMPDIR}/sbheaders-saved-before-autopsy.eml"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
  :0 hf
  |${FORMAIL} -X "";(${CAT} "${MESSAGETMPDIR}/sbheaders-saved-before-autopsy.eml";${ECHO})
 }

 # Append any new headers added during autopsy
 :0
 * $ ? ${TEST} -f ${MESSAGETMPDIR}/sbheaders-created-during-autopsy
 {
  SBLOG="L7-Adding spambouncer headers from ${MESSAGETMPDIR}/sbheaders-created-during-autopsy"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
  :0 hf
  |${FORMAIL} -X "";(${CAT} "${MESSAGETMPDIR}/sbheaders-created-during-autopsy";${ECHO})
 }

 # Append any new headers resulting from the pattern matching filters.
 :0
 * $ ? ${TEST} -f ${MESSAGETMPDIR}/sbheaders-saved-after-autopsy
 {
  SBLOG="L7-Adding spambouncer headers from ${MESSAGETMPDIR}/sbheaders-saved-after-autopsy"
  INCLUDERC=${SBDIR}/functions/loglevel.rc
  :0 hf
  |${FORMAIL} -X "";(${CAT} "${MESSAGETMPDIR}/sbheaders-saved-after-autopsy";${ECHO})
 }
}

# Fallback to old method.
# We either don't have a valid /tmp directory.
# Or it's not a MIME 1.0 message.
:0
* 1^0 MESSAGETMPDIR ?? ^^^^
* 1^0 MIME ?? ^no$
{
 SBLOG="L3-Using fallback method for body pattern matching.${NL}"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
 #The following will also call sb6.rc
 INCLUDERC=${SBDIR}/functions/extract-body-info.rc
}

# Cleanup, allow the user to set
# KEEPAUTOPSIES from 5 - 999 otherwise set it to 20
# remove anything else.
:0
* KEEPAUTOPSIES ?? ^^^^
{ KEEPAUTOPSIES=20 }

:0
* ! KEEPAUTOPSIES ?? ^([5-9]|[1-9][0-9]|[1-9][0-9][0-9])$
{ KEEPAUTOPSIES=20 }

# This collects the autopsy directory file names from SBTEMP,
# removes the newest 20 from the list by default, then limits it
# to delete the 50 oldest directories at a time from what remains in the
# list so we don't overload the variable in situations where there
# are hundreds of of directories if the user had it set to 999,
# then lowered it, and LINEBUF isn't set that high.
#
# Note: the last sed command implements the equivelent of
# "tail -n 50" using a sed script in place of tail.
# not all systems SpamBouncer runs on may have the "tail" command
# so doing it this way is more portable for legacy systems runing older
# versions of Unix. This is documented in the sed info pages under
# examles:
CLEANUPDIRECTORIES=`${CD} ${SBTEMP} && ${LS} -td ${LOGNAME}.message.*.* 2>/dev/null |\
	${SED} -e "1,${KEEPAUTOPSIES}d" |\
	${SED} -e '1h;2,50 {; H; g; };$q;1,49d;N;D'
	`

# LOG="[$$]`basename $_`:CLEANUPDIRECTORIES=\"${CLEANUPDIRECTORIES}\"${NL}"

# Sanity checks
# Since we are doing a recursive rm, double check to make
# sure we are in an acceptable directory for this.
# Both MESSAGETMPDIR and CLEANUPDIRECTORIES includes the user's LOGNAME
# and CLEANUPDIRECTORIES is not empty and contains the word message
# nor is it set to "/" "." or ".." or contain any obvious
# wild cards in the pattern.
:0
* SBTEMP ?? ^(.*/te?mp/?)
* $ ? ${TEST} -d ${SBTEMP}
* $ MESSAGETMPDIR ?? ^.*${LOGNAME}.*$
* CLEANUPDIRECTORIES ?? ^.*message.*$
* ! CLEANUPDIRECTORIES ?? ^^^^
* ! CLEANUPDIRECTORIES ?? ^(/|\.|\.\.|.*([/]|\*).*)$
{
 SBLOG="L5-Removing stale autopsy directories in ${SBTEMP}"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
 :0 ic
 |${SED} -e '1,$d';(${CD} ${SBTEMP} && ${RM} -r dummy `${ECHO} "${CLEANUPDIRECTORIES}"` 2>/dev/null ) >>/dev/null
}
:0 E
* ! CLEANUPDIRECTORIES ?? ^^^^
{
 SBLOG="L1-Error: mimeparser.rc: Failed to remove remporary autopsy directorie(s) from ${SBTEMP}"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
}

# This will likely be removed eventually. It's for debugging and only
# triggers if the SBLOGLEVEL is high enough.
# Save another copy of the message after the restorations are complete.
# This is to verify the above operations performed as intended.
:0
* SBLOGLEVEL ?? ^[789]$
* MIME ?? ^yes$
{
 SBLOG="L7-Debug[${SBLOGLEVEL}]: Saving ${MESSAGETMPDIR}/message_debug.eml"
 INCLUDERC=${SBDIR}/functions/loglevel.rc
 :0c:
 ${MESSAGETMPDIR}/message_debug.eml
}