<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML lang="en">
<HEAD>
<TITLE>Enhancing E-Mail Security With Procmail - Home</TITLE>
<meta name="description" content="A mail filter to prevent email-based security attacks.">
<meta name="keywords" content="procmail, sendmail, qmail, mail, email, block, strip, attachment, attachments, filter, buffer overflow, security, MIME, Netscape, Outlook, Outlook Express, Eudora, worm, virus, header, attachment, vbs, iloveyou, kak, hybris, defanged, melissa, magistr, sircam, klez, netsky, sober, wmf">
</HEAD>

<BODY>

<H1 ALIGN=center>Enhancing E-Mail Security With Procmail</H1>
<H1 ALIGN=center>the E-mail Sanitizer</H1>
<H2 ALIGN=center>Home</H2>

<div align="right">
<span>
Translation to Russian by
Evgeni &lt;saaw <I>at</I> mail.ru&gt; -
<a href="http://sanitizer.narod.ru/index.htm">Original document
on the author's website</a>
</span>
</div>

<HR>

<BR>

<table>
<tr>
<td valign="top">

Welcome to the home page of the Procmail Email Sanitizer.
The Sanitizer is a tool for preventing
<A HREF="sanitizer-threats.html">attacks on your computer's security
via email messages</A>. It has proven to be very effective against the
Microsoft Outlook email worms that have gotten so much attention in the
popular press and that have caused so much trouble.

<P>

The Sanitizer's intended audience is administrators of mail systems.
It is not generally intended for end users, unless they administer
their own mail systems rather than simply telling their mail program
to retrieve messages from a mail server administered by someone else.
<P>

If you are here because you've gotten a message saying that a piece of mail
you sent has been rejected, or because the URL for this website appears in
a piece of mail you've received, or because you're wondering why your
email attachments are suddenly named <TT>DEFANGED</TT>, please read this
<A HREF="sanitizer-intro.html">introduction to the Sanitizer</A> - it
should answer your questions. Let me know if it doesn't.

<P>

Please note that the sanitizer is <I>NOT</I> a traditional virus scanner. It
does not rely on "signatures" to detect attacks, so it does not have the "window
of vulnerability" problem that signature-based security always has (the gap
between a new worm appearing and a signature for it being distributed); rather it
lets you enforce policies like "email should not be scripted", "macros in
Microsoft Office document attachments should not access the Windows
registry", and "email should not have Windows executable file attachments",
and quarantines messages that violate those policies.

</td>
</tr>
</table>

<P>
<HR WIDTH="50%" ALIGN="CENTER">
<P>

Site Index:
<UL>
<LI><A HREF="#news">Latest news</A></LI>
<LI><A HREF="sanitizer-intro.html">Introduction</A></LI>
<LI><A HREF="sanitizer-threats.html">Email-based threats to computer security</A></LI>
<LI><A HREF="sanitizer-download.html">Obtaining and installing the
Sanitizer</A></LI>
<LI><A HREF="sanitizer-configuration.html">Configuring the Sanitizer</A></LI>
<LI><A HREF="procmail-on-gateway.txt">Installing the Sanitizer on
an inbound mail relay</A></LI>
<LI><A HREF="outgoing.tar.gz">Installing the Sanitizer on
an outbound mail relay (version I)</A></LI>
<LI><A HREF="sanitizer-changelog.html">the Sanitizer change log</A></LI>
<LI><A HREF="sanitizer-unmangle.html">Unmangling mangled attachments</A></LI>
<LI><A HREF="sanitizer-comments.html">User comments</A></LI>
<LI><A HREF="http://www.impsec.org/mailman/listinfo/esd-l">the Mailing List</A></LI>
<LI><A HREF="http://www.impsec.org/pipermail/esd-l">the Mailing List archives</A></LI>
<LI>Download <A HREF="html-trap.procmail.gz">the current Sanitizer</A>
(version 1.151)</LI>
<LI>Download <A HREF="procmail-sanitizer.tar.gz">the current Sanitizer tarball</A></LI>
<LI>Download <A HREF="html-trap.procmail.nomacroscan.gz">the current non-macro-scan Sanitizer</A></LI>
<LI>Download <A HREF="poisoned-files">the current recommended Poisoned Files list</A></LI>
<LI>Download <A HREF="poisoned-files-zip">the current recommended Poisoned Zipped Files list</A></LI>
<LI>Download <A HREF="local-rules.procmail">the current sample Local Rules script
(signature-based worm identification)</A></LI>
<LI>Browse <A HREF="development/">the development area</A></LI>
<LI>Download <A HREF="testzip.pl">Yves Agostini's zip scanning ruleset</A>.
Run it before pre-1.141 sanitizers to scan .ZIP attachments for executables.</LI>
<LI>Download <A HREF="SA-Sanitizer.patch">a patch for SpamAssassin 2.63</A>
that lets
<A HREF="http://www.spamassassin.org">SpamAssassin</A>
recognize and properly score defanged HTML - use it if
you're running SpamAssassin <I>after</I> the sanitizer.</LI>
<LI>Download <A HREF="sb-filterevasion.patch.gz">a patch for SpamBouncer 1.9</A>
that lets
<A HREF="http://www.spambouncer.org">SpamBouncer</A>
recognize and properly score defanged HTML - use it if
you're running SpamBouncer <I>after</I> the sanitizer. (Thanks to Joe Steele!)</LI>
</UL>

<P>
<HR WIDTH="50%" ALIGN="CENTER">
<H3>Filtering Email for Security</H3>

<A HREF="http://www.procmail.org/"><STRONG>Procmail</STRONG></A>
is a program that processes email messages looking for particular information
in the headers or body of each message, and takes actions based on what it
finds. If you're familiar with the concept of "rules" as provided in many major
user mail clients (such as the cc:Mail client), then you are already familiar
with the concept of
<A HREF="http://www.best.com/~ii/internet/faqs/launchers/mail/filtering-faq/">automatically
processing email messages based on their content</A>.

<P>

This procmail ruleset is specifically designed to "sanitize"
your email on the mail server, before your users even attempt to
retrieve their messages. It is <i>not</i> intended for end users to
install on their Windows desktop systems for personal protection.

<P>
<HR WIDTH="50%" ALIGN="CENTER">
<A NAME="news"></A><H4>News &amp; Notes</H4>

<P>
<TABLE BORDER=0 CELLSPACING=1 CELLPADDING=0 WIDTH="100%"><TR>
<TD width="80%" valign="top">

<A HREF="http://www.impsec.org/email-tools/html-trap.procmail.gz">The
current version of the <TT>html-trap.procmail</TT> ruleset</A> is: <B>
1.151
</B><BR>
It is recommended you update your copy if your version is older, as
bugfixes and filtering for newer exploits will have been added. See
<A HREF="sanitizer-changelog.html">the history of changes</A> for details.

<P>
The esa-l and esd-l mailing lists have been restored and are now hosted by impsec.org.
Thanks to Michael Ghens for his generous hosting of the lists for five years!

<P>
There is an
<a href="http://www.impsec.org/mailman/listinfo/esa-l">announcements mailing list</a>
for email security issues. It will primarily
carry information on new exploits and updates of the sanitizer. To subscribe,
send a message with the subject "subscribe" to
<A HREF="mailto:esa-l-request@impsec.org?subject=subscribe">esa-l-request@impsec.org</A>.
This is a strongly moderated list for announcements only, not general discussion.
<P>
If you want to join the
<a href="http://www.impsec.org/mailman/listinfo/esd-l">sanitizer discussion mailing list</a>,
send a message with the subject "subscribe" to
<A HREF="mailto:esd-l-request@impsec.org?subject=subscribe">esd-l-request@impsec.org</A>.
This is a members-only list; to post to it you <I>must</I> join.
There is also <A HREF="http://www.impsec.org/pipermail/esd-l">an
archive of messages</A> available.
</TD>

</TR></TABLE>

<P>

1.142 fixes a minor bug in 1.141 that makes zipfile filename matching too greedy.

<P>

1.141 now permits scanning of ZIP archive contents. NOTICE: if you
do not explicitly specify a ZIPPED_EXECUTABLES policy file, the
sanitizer will default to your POISONED_EXECUTABLES policy file for
processing ZIP archive contents. This is probably more paranoid than
you wish to be. See the
<A HREF="sanitizer-configuration.html">Configuring the Sanitizer</A>
page for more details.
<P>

<!-- BEGIN NovArg emergency alert -->

<HR width="50%">
IMPORTANT NOTICE:

<BLOCKQUOTE>
If you have downloaded and are using the 1.139 sanitizer, here is a patch
to make it ignore the forged part of NovArg/MyDoom Received: headers and stop
notifying nonexistent sender addresses about the attack.
Please apply this
patch to your sanitizer using the instructions below and help reduce the insane
amount of traffic this monster is generating...
<P>
[
<A HREF="http://www.impsec.org/email-tools/smarter-reply.diff">HTTP Mirror 1 (US: WA)</A>
|
<A HREF="http://stonewall.lbhs.net/~jhardin/email-tools/smarter-reply.diff">HTTP Mirror 2 (US: FL)</A>
|
<A HREF="http://oftedal.no/~jhardin/email-tools/smarter-reply.diff">HTTP Mirror 3 (EU: NO)</A>
|
<A HREF="http://kanon.net/~jhardin/email-tools/smarter-reply.diff">HTTP Mirror 4 (EU: NL)</A>
|
<A HREF="http://grebopple.accessunited.com.au/email-tools/smarter-reply.diff">HTTP Mirror 5 (AU)</A>
|
<A HREF="http://impsec.fuzzitech.net/email-tools/smarter-reply.diff">HTTP Mirror 6 (AU)</A>
|
<A HREF="http://eucleides.com/sanitizer/smarter-reply.diff">HTTP Mirror 7 (US: WA)</A>
|
<A HREF="ftp://ftp.rubyriver.com/pub/jhardin/antispam/smarter-reply.diff">FTP Mirror 1 (US: UT)</A>
]
<P>
Installation instructions:
<P>
Copy the .diff file to the directory where your sanitizer lives and
run the following commands:
<BLOCKQUOTE><PRE><TT>cp html-trap.procmail html-trap.procmail.old
patch &lt; smarter-reply.diff</TT></PRE></BLOCKQUOTE>
Keep the <TT>.old</TT> copy so you can restore it if <TT>patch</TT> reports
a rejected hunk.

</BLOCKQUOTE>
<HR width="50%">

<!-- END NovArg emergency alert -->

<P>
The 1.139 Sanitizer includes detection of Microsoft Office VBE buffer overflow
attacks. See <A HREF="http://www.securityfocus.com/archive/1/336027/2003-08-31/2003-09-06/0">the
EEye alert</A> for more details.

<P>
SoBig.F rules for direct attacks and bounces are now in
<A HREF="local-rules.procmail">the sample local-rules file</A>.
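<P>
The following is an added example, not the Sanitizer's own code (which is a
procmail ruleset with an inline perl script); Python is used here so the logic
can be run stand-alone. It exercises the "no Windows executable attachments"
policy described on this page, the <TT>DEFANGED</TT> renaming of attachments
that are mangled rather than quarantined, and the 1.141 ZIP-content scanning,
including the default in which an unspecified ZIPPED_EXECUTABLES policy falls
back to POISONED_EXECUTABLES. The policy-file format (one shell-style glob per
line, <TT>#</TT> comments), the <TT>MANGLE_EXTENSIONS</TT> list, the
<TT>.DEFANGED-&lt;n&gt;</TT> suffix and the sample message are all constructed
for this example and are not taken from the Sanitizer.

```python
"""Added example (not the Sanitizer's own code): policy-based attachment
checking in Python.  Policy-file format, MANGLE_EXTENSIONS and the
'<name>.DEFANGED-<n>' rename are assumptions made for this example."""
import email
import fnmatch
import io
import zipfile
from email import policy as email_policy
from email.message import EmailMessage

# Constructed stand-ins for the POISONED_EXECUTABLES / ZIPPED_EXECUTABLES
# policy files: one shell-style glob per line, '#' starts a comment.
POISONED_EXECUTABLES_TEXT = "# never delivered\n*.exe\n*.scr\n*.pif\n*.vbs\n*.bat\n"
ZIPPED_EXECUTABLES_TEXT = "# looser policy for ZIP members\n*.exe\n*.scr\n*.pif\n*.vbs\n"
# Renamed rather than quarantined, so a double-click will not run them.
MANGLE_EXTENSIONS = ("js", "wsf", "hta", "reg")


def load_policy(text):
    """Parse a policy file into lowercase glob patterns, skipping comments."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln.lower() for ln in lines if ln and not ln.startswith("#")]


def matches_policy(filename, patterns):
    """Match the basename only, case-insensitively: a directory prefix inside
    an archive or an upper-case extension must not evade the policy."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return any(fnmatch.fnmatchcase(base, p) for p in patterns)


def zip_members(data):
    """Member names of a ZIP payload, or None if it cannot be parsed."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return None


def sanitize(raw, poisoned, zipped=None):
    """Apply the policies to a raw RFC 822 message; return (msg, findings).
    findings holds (action, name) tuples.  zipped=None reuses the POISONED
    policy for archive members, the 1.141 default the page warns about."""
    if zipped is None:
        zipped = poisoned
    msg = email.message_from_bytes(raw, policy=email_policy.default)
    findings, counter = [], 0
    for part in msg.walk():
        name = None if part.is_multipart() else part.get_filename()
        if not name:
            continue  # container or body text, not an attachment
        if matches_policy(name, poisoned):
            findings.append(("quarantine", name))
            continue
        if name.lower().endswith(".zip") or part.get_content_type() == "application/zip":
            members = zip_members(part.get_payload(decode=True) or b"")
            if members is None:  # unreadable archive: do not vouch for it
                findings.append(("quarantine", name + ":unreadable"))
                continue
            bad = [m for m in members if matches_policy(m, zipped)]
            if bad:
                findings.append(("quarantine", name + ":" + bad[0]))
                continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in MANGLE_EXTENSIONS:
            counter += 1
            new_name = "%s.DEFANGED-%d" % (name, counter)
            del part["Content-Disposition"]
            part["Content-Disposition"] = 'attachment; filename="%s"' % new_name
            findings.append(("defanged", new_name))
    return msg, findings


def verdict(findings):
    """Collapse findings into the delivery decision."""
    if any(action == "quarantine" for action, _ in findings):
        return "quarantine"
    return "defanged" if findings else "deliver"


def build_sample_message(zip_name, members):
    """Constructed test mail: text body, a ZIP built from members
    ({name: bytes}) and a .js attachment.  Returns raw message bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for m_name, m_data in members.items():
            zf.writestr(m_name, m_data)
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.test", "b@example.test", "files"
    msg.set_content("see attached")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename=zip_name)
    msg.add_attachment(b"alert('hi')", maintype="application",
                       subtype="octet-stream", filename="calc.js")
    return msg.as_bytes()
```

<P>
Run <TT>sanitize(raw, load_policy(poisoned_text), load_policy(zipped_text))</TT>
on the raw message and quarantine on a <TT>"quarantine"</TT> verdict. Leaving
the third argument off reproduces the stricter 1.141 default: a
<TT>run.bat</TT> inside an archive is quarantined under the POISONED list but
passes under the looser ZIPPED list. Only the basename of an archive member is
matched, so a directory prefix cannot hide an executable, and an archive that
cannot be parsed is treated as something the filter cannot vouch for rather
than passed through.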
<P>
Please see
<A HREF="local-rules.procmail">the sample local-rules file</A> for a rule
that should detect and quarantine messages designed to attack the
<A HREF="http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950">Sendmail
header parsing remote-root bug</A>.
<I>IMPORTANT:</I> This rule will <I>NOT</I> protect the machine it is
installed on. You must still update your sendmail. It may, however, protect
vulnerable machines behind the machine it is running on, giving you time
to update them.

<P>
If you are getting errors like
"<B><TT>sendmail: illegal option -- U</TT></B>"
see <A HREF="sanitizer-configuration.html#MTA_FLAGS_CMDLN">the
configuration page for how to fix it</A>.

<P>
If you are experiencing the "Dropped F" problem (where the
"F" in the leading "From" in the message is being
deleted), please note: this is a known problem in procmail. It may be fixed
in the current release; you may want to upgrade. The problem occurs when a
filter action returns an error. In that situation procmail may lose the
first byte of the message. MAKE SURE your log file has 622 permissions.
Also, <A HREF="development/checkfrom.procmail">here is a short rule that
will help clean it up</A>; add it to the end of your
<CODE>/etc/procmailrc</CODE> file.

<P>
(Planning for) <A HREF="development/sanitizer/">development of the 2.0 sanitizer</A>
has begun.
The planned feature list looks something like this:
<UL>
<LI>Policy-file-based attachment handling ($MANGLE_EXTENSIONS goes
away)</LI>
<LI>Internationalization support via GNU gettext or something similar</LI>
<LI>Proper handling of encoded filenames</LI>
<LI>Folding the header-length and HTML-defanging code into the main
perl script, to minimize perl process initializations</LI>
<LI>The perl script will be separated out (no longer inline)</LI>
<LI>Moving from mimencode and mktemp to MIME::Base64 and
File::MkTemp</LI>
<LI>Logging into the message itself (adding a new MIME text
attachment listing what happened during the sanitization) with the
ability to add site-specific note files</LI>
<LI>Peering into MS-TNEF attachments. I hope to have full policy and
macro scanning support, but the policy will probably have to be
applied to the MS-TNEF attachment <I>in toto</I> (e.g. if one part of
it is to be stripped, the entire thing gets stripped).</LI>
<LI>Optional de-BASE64ing of text and HTML attachments, so that they
can be subject to spam filtering after the sanitizer.</LI>
</UL>
Beta announcements will be made to the mailing list.

<P>

I can be contacted at
<A HREF="mailto:jhardin@impsec.org">&lt;jhardin@impsec.org&gt;</A>
- you could also
<A HREF="http://www.impsec.org/~jhardin/">visit my home page</A>.

<P>
<SMALL>
Several people have asked me why I don't charge for this
package. I suppose this is primarily due to the fact that I don't
think anybody should be exposed to these attacks simply because they
don't want to or can't afford to buy something to protect themselves,
but it also has to do with the fact that I view this as an interesting
intellectual challenge, a way to gain recognition, and a way to give
back to the community.
<BR>
However, if you feel like paying for receiving something of
value that has improved your life, then feel free to
<A HREF="http://www.impsec.org/~jhardin/wishlist.html">visit my personal wish
list</A> or
<A HREF="http://www.amazon.com/o/registry/3QMZ5V0VJGNAH">my Amazon wish
list</A>, or send me a donation via PayPal and lament that
nobody's done TequilaPal yet.
</SMALL>

<P>
<HR>
<IMG SRC="vi.fischer.handcrafted_using_vi.png" ALT="Created with vi" ALIGN=middle>

<!--
<A HREF="http://www.cast.org/bobby">
<IMG SRC="http://www.cast.org/bobby/images/approved.gif" ALT="Bobby approved"
ALIGN=middle WIDTH="131" HEIGHT="40"></A>

-->
<A HREF="http://www.anybrowser.org/campaign/">Best viewed with
<EM>Any</EM> Browser</A>

<P>
<H6>$Id: procmail-security.html,v 1.189 2006-01-20 07:40:08-08 jhardin Exp jhardin $
<BR>
Contents Copyright (C) 2006 by John D. Hardin - All Rights Reserved.
<BR>
The primary Sanitizer home page is at
<CODE><A HREF="http://www.impsec.org/email-tools/procmail-security.html">http://www.impsec.org/email-tools/procmail-security.html</A></CODE>
</H6>

<A HREF="http://www.herdthinners.com/"><IMG SRC="http://www.herdthinners.com/gifs/2001/0905.gif"></A>
<A HREF="http://www.herdthinners.com/"><IMG SRC="http://www.herdthinners.com/gifs/2001/0906.gif"></A>
<BR>
...my office is in my basement...

<P>
<SMALL><SMALL><SMALL>Helping <A HREF="http://www.xenu.net/">OC</A> out: gratuitous <A HREF="http://www.xenu.net/">scientology</A> link</SMALL></SMALL></SMALL>
<SMALL><SMALL><SMALL>More linktivism:
<A HREF="http://daringfireball.net/2003/12/enderle">Rob Enderle</A>
</SMALL></SMALL></SMALL>

</BODY>
</HTML>