"Fossies" - the Fresh Open Source Software Archive

Member "procmail-security.html" (20 Jan 2006, 16223 Bytes) of package /linux/privat/old/procmail-sanitizer.tar.gz:

The requested HTML page contains a <FORM> tag that is unusable on "Fossies" in "automatic" (rendered) mode so that page is shown as HTML source code syntax highlighting (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

A hint: This file contains one or more very long lines, so maybe it is better readable using the pure text view mode that shows the contents as wrapped lines within the browser window.

    2 <HTML lang="en">
    3 <HEAD>
    4  <TITLE>Enhancing E-Mail Security With Procmail - Home</TITLE>
    5  <meta http-equiv="description" content="A mail filter to prevent email-based security attacks.">
    6  <meta http-equiv="Keywords" content="procmail, sendmail, qmail, mail, email, block, strip, attachment, attachments, filter, buffer overflow, security, MIME, Netscape, Outlook, Outlook Express, Eudora, worm, virus, header, attachment, vbs, iloveyou, kak, hybris, defanged, melissa, magistr, sircam, klez, netsky, sober, wmf">
    7 </HEAD>
    9 <BODY>
   11 <H1 ALIGN=center>Enhancing E-Mail Security With Procmail</H1>
   12 <H1 ALIGN=center>the E-mail Sanitizer</H1>
   13 <H2 ALIGN=center>Home</H2>
   15 <div align="right">
   16 Translation to Russian by
   17 Evgeni &lt;saaw <I>at</I> mail.ru&gt;</a> -
   18 <a href="http://sanitizer.narod.ru/index.htm">Original document
   19 on the author's website</a>
   20 </span>
   21 </div>
   23 <HR>
   25 <BR>
   27 <table>
   28 <tr>
   29 <td valign="top">
   31 Welcome to the home page of the Procmail Email Sanitizer.
   32 The Sanitizer is a tool for preventing
   33 <A HREF="sanitizer-threats.html">attacks on your computer's security
   34 via email messages</A>. It has proven to be very effective against the
   35 Microsoft Outlook email worms that have gotten so much attention in the
   36 popular press and that have caused so much trouble.
   38 <P>
   40 The Sanitizer's intended audience is administrators of mail systems.
   41 It is not generally intended for end users, unless they administer
   42 their own mail systems rather then simply telling their mail program
   43 to retrieve messages from a mail server administered by someone else.
   45 <P>
   47 If you are here because you've gotten a message saying that a piece of mail
   48 you sent has been rejected, or because the URL for this website appears in
   49 a piece of mail you've received, or because you're wondering why your
   50 email attachments are suddenly named <TT>DEFANGED</TT>, please read this
   51 <A HREF="sanitizer-intro.html">introduction to the Sanitizer</A> - it
   52 should answer your questions. Let me know if it doesn't.
   54 <P>
   56 Please note that the sanitizer is <I>NOT</I> a traditional virus scanner. It
   57 does not rely on "signatures" to detect attacks and does not have the "window
   58 of vulnerability" problems that signature-based security always has; rather it
   59 lets you enforce policies like "email should not be scripted", and "macros in
   60 Microsoft Office document attachments should not access the Windows
   61 registry", and "email should not have Windows executable file attachments",
   62 and quarantines messages that violate those policies.
   64 </td>
   65 <td>
   66 <iframe marginwidth="0" marginheight="0" width="120" height="240" scrolling="no" frameborder="0" src="http://rcm.amazon.com/e/cm?o=1&l=as1&f=ifr&t=impsecorg-20&p=8&asins=B000BAV2FG&IS2=1&amp;lt1=_blank"><MAP NAME="boxmap-p8"><AREA SHAPE="RECT" COORDS="14, 200, 103, 207" HREF="http://rcm.amazon.com/e/cm/privacy-policy.html?o=1" ><AREA COORDS="0,0,10000,10000" HREF="http://www.amazon.com/exec/obidos/redirect-home/impsecorg-20" ></map><img src="http://rcm-images.amazon.com/images/G/01/rcm/120x240.gif" width="120" height="240" border="0" usemap="#boxmap-p8" alt="Shop at Amazon.com"></iframe>    
   67 </td>
   68 </tr>
   69 </table>         
   71 <P>
   72 <HR WIDTH="50%" ALIGN="CENTER">
   73 <P>
   75 Site Index:
   76 <UL>
   77 <LI><A HREF="#news">Latest news</A></LI>
   78 <LI><A HREF="sanitizer-intro.html">Introduction</A></LI>
   79 <LI><A HREF="sanitizer-threats.html">Email-based threats to computer security</A></LI>
   80 <LI><A HREF="sanitizer-download.html">Obtaining and installing the Sanitizer</A></LI>
   81 <LI><A HREF="sanitizer-configuration.html">Configuring the Sanitizer</A></LI>
   82 <LI><A HREF="procmail-on-gateway.txt">Installing the Sanitizer on
   83 an inbound mail relay</A></LI>
   84 <LI><A HREF="outgoing.tar.gz">Installing the Sanitizer on
   85 an outbound mail relay (version I)</A></LI>
   86 <LI><A HREF="sanitizer-changelog.html">the Sanitizer change log</A></LI>
   87 <LI><A HREF="sanitizer-unmangle.html">Unmangling mangled attachments</A></LI>
   88 <LI><A HREF="sanitizer-comments.html">User comments</A></LI>
   89 <LI><A HREF="http://www.impsec.org/mailman/listinfo/esd-l">the Mailing List</A>
   90 <LI><A HREF="http://www.impsec.org/pipermail/esd-l">the Mailing List archives</A>
   91 <LI>Download <A HREF="html-trap.procmail.gz">the current Sanitizer</A>
   92 ( version
   93 1.151
   94 )</LI>
   95 <LI>Download <A HREF="procmail-sanitizer.tar.gz">the current Sanitizer tarball</A></LI>
   96 <LI>Download <A HREF="html-trap.procmail.nomacroscan.gz">the current non-macro-scan Sanitizer</A></LI>
   97 <LI>Download <A HREF="poisoned-files">the current recommended Poisoned Files list</A></LI>
   98 <LI>Download <A HREF="poisoned-files-zip">the current recommended Poisoned Zipped Files list</A></LI>
   99 <LI>Download <A HREF="local-rules.procmail">the current sample Local Rules script
  100 (signature-based worm identification)</A></LI>
  101 <LI>Browse <A HREF="development/">the development area</A></LI>
  102 <LI>Download <A HREF="testzip.pl">Yves Agostini's zip scanning ruleset.</A>
  103 Run it before pre-1.141 sanitizers to scan .ZIP attachments for executables.</LI>
  104 <LI>Download <A HREF="SA-Sanitizer.patch">a patch for SpamAssassin 2.63</A>
  105 that lets
  106 <A HREF="http://www.spamassassin.org">SpamAssassin</A>
  107 recognize and properly score defanged HTML - use if
  108 you're running SpamAssassin <I>after</I> the sanitizer.
  109 <LI>Download <A HREF="sb-filterevasion.patch.gz">a patch for SpamBouncer 1.9</A>
  110 that lets
  111 <A HREF="http://www.spambouncer.org">SpamBouncer</A>
  112 recognize and properly score defanged HTML - use if
  113 you're running SpamBouncer <I>after</I> the sanitizer. (Thanks to Joe Steele!)
  114 </UL>
  116 <P>
  117 <HR WIDTH="50%" ALIGN="CENTER">
  118 <H3>Filtering Email for Security</H3>
  120 <A HREF="http://www.procmail.org/"><STRONG>Procmail</STRONG></A>
  121 is a program that processes email messages looking for particular information
  122 in the headers or body of each message, and takes actions based on what it
  123 finds. If you're familiar with the concept of "rules" as provided in many major
  124 user mail clients (such as the cc:Mail client), then you are already familiar
  125 with the concept of
  126 <A HREF="http://www.best.com/~ii/internet/faqs/launchers/mail/filtering-faq/">automatically
  127 processing email messages based on their content</A>.
  129 <P>
  131 This procmail ruleset is specifically designed to &quot;sanitize&quot;
  132 your email on the mail server, before your users even attempt to
  133 retrieve their messages. It is <i>not</i> intended for end users to
  134 install on their Windows desktop systems for personal protection.
  136 <P>
  137 <HR WIDTH="50%" ALIGN="CENTER">
  138 <A NAME="news"></A><H4>News &amp; Notes</H4>
  140 <P>
  142 <TD width="80%" valign="top">
  144 <A HREF="http://www.impsec.org/email-tools/html-trap.procmail.gz">The
  145 current version of the <TT>html-trap.procmail</TT> ruleset</A> is: <B>
  146  1.151
  147 </B><BR>
  148 It is recommended you update your copy if your version is older, as
  149 bugfixes and filtering for newer exploits will have been added. See
  150 <A HREF="sanitizer-changelog.html">the history of changes</A> for details.
  152 <P>
  153 The esa-l and esd-l mailing lists have been restored and are now hosted by impsec.org.
  154 Thanks to Michael Ghens for his generous hosting of the lists for five years!
  156 <P>
  157 There is an
  158 <a href="http://www.impsec.org/mailman/listinfo/esa-l">announcements mailing list</a>
  159 for email security issues. It will primarily
  160 carry information on new exploits and updates of the sanitizer. To subscribe,
  161 send a message with the subject "subscribe" to
  162 <A HREF="mailto:esa-l-request@impsec.org?subject=subscribe">esa-l-request@impsec.org</a>.
  163 This is a strongly moderated list for announcements only, not general discussion.
  164 <P>
  165 If you want to join the
  166 <a href="http://www.impsec.org/mailman/listinfo/esd-l">sanitizer discussion mailing list,</a> 
  167 send a message with the subject "subscribe" to
  168 <A HREF="mailto:esd-l-request@impsec.org?subject=subscribe">esd-l-request@impsec.org</a>.
  169 This is a members-only list; to post to it you <I>must</I> join.
  170 There is also <A HREF="http://www.impsec.org/pipermail/esd-l">an
  171 archive of messages</A> available.
  173 </TD>
  175 <TD width="0%">
  176 <table border="0" cellpadding="0" cellspacing="0">
  177 <TR><TD>
  178 <h5 align="center">Click below to receive email when this page changes</h5>
  179 </TD></TR>
  181 <TR><TD align="center">
  182 <form action="http://www.ChangeDetection.com/detect.html" method="get" target=ChangeDetectionWiz>
  183 <h5 align="center">...using
  184 <a href="http://www.ChangeDetection.com/">ChangeDetection</a>:</h5>
  185 <INPUT TYPE="TEXT" NAME="email" SIZE="24" value="Enter your email address"><br><br>
  186 <small>
  187 <input type="submit" name="enter" value=" OK "
  188 Onclick="window.open('', 'ChangeDetectionWiz', 'resizable=yes,scrollbars=yes,width=624,height=460');return true">
  189 </small>
  190 <a href="http://www.ChangeDetection.com/privacy.html" target=ChangeDetectionPrivacy
  191 Onclick="window.open('http://www.ChangeDetection.com/privacy.html', 'ChangeDetectionPrivacy', 'resizable=yes,scrollbars=yes,width=624,height=400');return false">
  192 <h6>ChangeDetection privacy statement</h6></a>
  193 </FORM>
  194 </TD></TR>
  196 </TABLE>
  197 </TD>
  199 </TR></TABLE>
  201 <P>
  203 1.142 fixes a minor bug in 1.141 that makes zipfile filename matching too greedy.
  205 <P>
  207 1.141 now permits scanning of ZIP archive contents. NOTICE: if you
  208 do not explicitly specify a ZIPPED_EXECUTABLES policy file, the
  209 sanitizer will default to your POISONED_EXECUTABLES policy file for
  210 processing ZIP archive contents. This is probably more paranoid than
  211 you wish to be. See the
  212 <A HREF="sanitizer-configuration.html">Configuring the Sanitizer</A></LI>
  213 page for more details.
  214 <P>
  216 <!-- BEGIN NovArg emergency alert -->
  218 <HR width="50%">
  222 If you have downloaded and are using the 1.139 sanitizer, here is a patch
  223 to make it ignore the forged part of NovArg/MyDoom Received: headers and stop
  224 notifying nonexistent sender addresses about the attack. Please apply this
  225 patch to your sanitizer using the instructions below and help reduce the insane
  226 amount of traffic this monster is generating...
  227 <P>
  228 [
  229 <A HREF="http://www.impsec.org/email-tools/smarter-reply.diff">HTTP Mirror 1 (US: WA)</A>
  230 |
  231 <A HREF="http://stonewall.lbhs.net/~jhardin/email-tools/smarter-reply.diff">HTTP Mirror 2 (US: FL)</A>
  232 |
  233 <A HREF="http://oftedal.no/~jhardin/email-tools/smarter-reply.diff">HTTP Mirror 3 (EU: NO)</A>
  234 |
  235 <A HREF="http://kanon.net/~jhardin/email-tools/smarter-reply.diff">HTTP Mirror 4 (EU: NL)</A>
  236 |
  237 <A HREF="http://grebopple.accessunited.com.au/email-tools/smarter-reply.diff">HTTP Mirror 5 (AU)</A>
  238 |
  239 <A HREF="http://impsec.fuzzitech.net/email-tools/smarter-reply.diff">HTTP Mirror 6 (AU)</A>
  240 |
  241 <A HREF="http://eucleides.com/sanitizer/smarter-reply.diff">HTTP Mirror 7 (US: WA)</A>
  242 |
  243 <A HREF="ftp://ftp.rubyriver.com/pub/jhardin/antispam/smarter-reply.diff">FTP Mirror 1 (US: UT)</A>
  244 ]
  245 <P>
  246 Installation instructions:
  247 <P>
  248 Copy the .diff file to the directory where your sanitizer lives and
  249 run the following commands:
  250 <BLOCKQUOTE><PRE><TT>cp html-trap.procmail html-trap.procmail.old
  251 patch &lt; smarter-reply.diff</TT><PRE></BLOCKQUOTE>
  254 <HR width="50%">
  256 <!-- END NovArg emergency alert -->
  258 <P>
  259 The 1.139 Sanitizer includes detection of Microsoft Office VBE buffer overflow
  260 attacks. See <A HREF="http://www.securityfocus.com/archive/1/336027/2003-08-31/2003-09-06/0">the
  261 EEye alert</A> for more details.
  263 <P>
  264 SoBig.F rules for direct attacks and bounces are in
  265 <A HREF="local-rules.procmail">the sample local-rules file</A>
  266 now.
  268 <P>
  269 Please see
  270 <A HREF="local-rules.procmail">the sample local-rules file</A> for a rule
  271 that should detect and quarantine messages designed to attack the
  272 <A HREF="http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950">Sendmail
  273 header parsing remote-root bug</A>.
  274 <I>IMPORTANT:</I> This rule will <I>NOT</I> protect the machine it is
  275 installed on. You must still update your sendmail. It may, however, protect
  276 vulnerable machines behind the machine it is running on, giving you time
  277 to update them.
  279 <P>
  280 If you are getting errors like
  281 "<B><TT>sendmail:&nbsp;illegal&nbsp;option&nbsp;--&nbsp;U</TT></B>"
  282 see <A HREF="sanitizer-configuration.html#MTA_FLAGS_CMDLN">the
  283 configuration page for how to fix it.</A>
  285 <P>
  286 If you are experiencing the &quot;Dropped F&quot; problem (where the
  287 &quot;F&quot; in the leading &quot;From&quot; in the message is being
  288 deleted), please note: this is a known problem in procmail. It may be fixed
  289 in the current release, you may want to upgrade. The problem occurs when a
  290 filter action returns an error. In that situation procmail may lose the
  291 first byte of the message. MAKE SURE your log file has 622 permissions.
  292 Also, <A HREF="development/checkfrom.procmail">here is a short rule that
  293 will help clean it up</A>, add it to the end of your
  294 <CODE>/etc/procmailrc</CODE> file.
  296 <P>
  297 (Planning for) <A HREF="development/sanitizer/">development of the 2.0 sanitizer</A>
  298 has begun. The planned feature list looks something like this:
  299 <UL>
  300   <LI>Policy-file-based attachment handling ($MANGLE_EXTENSIONS goes
  301 away)</LI>
  302   <LI>Internationalization support via GNU gettext or something similar</LI>
  303   <LI>Proper handling of encoded filenames</LI>
  304   <LI>Folding the header-length and HTML-defanging code into the main
  305 perl script, to minimize perl process initializations</LI>
  306   <LI>The perl script will be separated out (no longer inline)</LI>
  307   <LI>Moving from mimencode and mktemp to MIME::Base64 and
  308 File::MkTemp</LI>
  309   <LI>Logging into the message itself (adding a new MIME text
  310 attachment listing what happened during the sanitization) with the
  311 ability to add site-specific note files</LI>
  312   <LI>Peering into MS-TNEF attachments. I hope to have full policy and
  313 macro scanning support, but the policy will probably have to be
  314 applied to the MS-TNEF attachment <I>in toto</I> (e.g. if one part of
  315 it is to be stripped, the entire thing gets stripped).</LI>
  316   <LI>Optional de-BASE64ing of text and HTML attachments, so that they
  317 can be subject to spam filtering after the sanitizer.</LI>
  318 </UL>
  319 Beta announcements will be made to the mailing list.
  321 <P>
  323 I can be contacted at 
  324 <A HREF="mailto:jhardin@impsec.org">&lt;jhardin@impsec.org&gt;</A>
  325 - you could also
  326 <A HREF="http://www.impsec.org/~jhardin/">visit my home page</A>.
  328 <P>
  329 <SMALL>
  330 Several people have asked me why I don't charge for this
  331 package. I suppose this is primarily due to the fact that I don't
  332 think anybody should be exposed to these attacks simply because they
  333 don't want to or can't afford to buy something to protect themselves,
  334 but it also has to do with the fact that I view this as an interesting
  335 intellectual challenge, a way to gain recognition, and a way to give
  336 back to the community.
  337 <BR>
  338 However, if you feel like paying for receiving something of
  339 value that has improved your life, then feel free to
  340 <A HREF="http://www.impsec.org/~jhardin/wishlist.html">visit my personal wish
  341 list</A> or
  342 <A HREF="http://www.amazon.com/o/registry/3QMZ5V0VJGNAH">my Amazon wish
  343 list</A>, or send me a donation via PayPal and lament that
  344 nobody's done TequilaPal yet.
  345 </SMALL>
  347 <P>
  348 <HR>
  349 <IMG SRC="vi.fischer.handcrafted_using_vi.png" ALT="Created with vi" ALIGN=middle>
  350 &nbsp;
  351 <!--
  352 <A HREF="http://www.cast.org/bobby">
  353 <IMG SRC="http://www.cast.org/bobby/images/approved.gif" ALT="Bobby approved"
  354 ALIGN=middle WIDTH="131" HEIGHT="40"></A>
  355 &nbsp;
  356 -->
  357 <A HREF="http://www.anybrowser.org/campaign/">Best viewed with 
  358 <EM>Any</EM> Browser</a>
  360 <P>
  361 <H6>$Id: procmail-security.html,v 1.189 2006-01-20 07:40:08-08 jhardin Exp jhardin $
  362 <BR>
  363 Contents Copyright (C) 2006 by John D. Hardin - All Rights Reserved.
  364 <BR>
  365 The primary Sanitizer home page is at
  366 <CODE><A HREF="http://www.impsec.org/email-tools/procmail-security.html">http://www.impsec.org/email-tools/procmail-security.html</A></CODE>
  367 </H6>
  369 <A HREF="http://www.herdthinners.com/"><IMG SRC="http://www.herdthinners.com/gifs/2001/0905.gif"></A>
  370 <A HREF="http://www.herdthinners.com/"><IMG SRC="http://www.herdthinners.com/gifs/2001/0906.gif"></A>
  371 <BR>
  372 ...my office is in my basement...
  374 <P>
  375 <SMALL><SMALL><SMALL>Helping <A HREF="http://www.xenu.net/">OC</A> out: gratuitous <A HREF="http://www.xenu.net/">scientology</A> link</SMALL></SMALL></SMALL>
  376 <SMALL><SMALL><SMALL>More linktivism:
  377 <A HREF="http://daringfireball.net/2003/12/enderle">Rob Enderle</A>
  378 </SMALL></SMALL></SMALL>
  380 </BODY>
  381 </HTML>