Berkeley CSUA MOTD:Entry 32478
2004/7/26 [Computer/HW/CPU, Computer/HW/Scanner] UID:32478 Activity:high
7/25    I want to run AV filtering on my mail server. Has anyone used ClamAV?
        Also, I am not sure if my server has enough juice to run ClamAV, so I've
        been looking at Procmail Sanitizer. Anyone have success with this? It
        looks hairy.
        http://www.impsec.org/email-tools/procmail-security.html
        \_ yes, clamav generally works pretty well, and doesn't require that
           much cpu.
        \_ Adult Video filter?
Cache (4029 bytes)
www.impsec.org/email-tools/procmail-security.html
It has proven to be very effective against the Microsoft Outlook email worms that have gotten so much attention in the popular press and that have caused so much trouble. The Sanitizer's intended audience is administrators of mail systems. It is not generally intended for end users, unless they administer their own mail systems rather than simply telling their mail program to retrieve messages from a mail server administered by someone else. introduction to the Sanitizer - it should answer your questions.

Please note that the sanitizer is NOT a traditional virus scanner. It does not rely on "signatures" to detect attacks and does not have the "window of vulnerability" problems that signature-based security always has; rather it lets you enforce policies like "email should not be scripted", "macros in Microsoft Office document attachments should not access the Windows registry", and "email should not have Windows executable file attachments", and quarantines messages that violate those policies.

Procmail is a program that processes email messages looking for particular information in the headers or body of each message, and takes actions based on what it finds. automatically processing email messages based on their content. This procmail ruleset is specifically designed to "sanitize" your email on the mail server, before your users even attempt to retrieve their messages. It is not intended for end users to install on their Windows desktop systems for personal protection.

1142 fixes a minor bug in 1141 that makes zipfile filename matching too greedy. NOTICE: if you do not explicitly specify a ZIPPED_EXECUTABLES policy file, the sanitizer will default to your POISONED_EXECUTABLES policy file for processing ZIP archive contents.

IMPORTANT NOTICE: If you have downloaded and are using the 1139 sanitizer, here is a patch to make it ignore the forged part of NovArg/MyDoom Received: headers and stop notifying nonexistent sender addresses about the attack. Please apply this patch to your sanitizer using the instructions below and help reduce the insane amount of traffic this monster is generating...

IMPORTANT: This rule will NOT protect the machine it is installed on. It may, however, protect vulnerable machines behind the machine it is running on, giving you time to update them.

If you are experiencing the "Dropped F" problem (where the "F" in the leading "From" in the message is being deleted), please note: this is a known problem in procmail. It may be fixed in the current release; you may want to upgrade. The problem occurs when a filter action returns an error. In that situation procmail may lose the first byte of the message.

The planned feature list looks something like this:
* Policy-file-based attachment handling ($MANGLE_EXTENSIONS goes away)
* Internationalization support via GNU gettext or something similar
* Proper handling of encoded filenames
* Folding the header-length and HTML-defanging code into the main perl script, to minimize perl process initializations
* The perl script will be separated out (no longer inline)
* Moving from mimencode and mktemp to MIME::Base64 and File::MkTemp
* Logging into the message itself (adding a new MIME text attachment listing what happened during the sanitization) with the ability to add site-specific note files
* Peering into MS-TNEF attachments. I hope to have full policy and macro scanning support, but the policy will probably have to be applied to the MS-TNEF attachment in toto (e.g., if one part of it is to be stripped, the entire thing gets stripped).

Several people have asked me why I don't charge for this package. I suppose this is primarily due to the fact that I don't think anybody should be exposed to these attacks simply because they don't want to or can't afford to buy something to protect themselves, but it also has to do with the fact that I view this as an interesting intellectual challenge, a way to gain recognition, and a way to give back to the community.
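An added example (not code from the thread or from the Sanitizer itself) of the policy-based approach the cached page describes, written in Python rather than procmail: attachments are judged by an anchored filename-extension policy, and ZIP contents fall back to the POISONED_EXECUTABLES policy when no ZIPPED_EXECUTABLES policy is set, as the 1142 notice states. The policy sets, function names and the sample message are constructed for this example.

```python
import io
import re
import zipfile
from email import message_from_bytes
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed policy: extensions forbidden as direct attachments.
POISONED_EXECUTABLES = {"exe", "scr", "pif", "bat", "com", "vbs", "js"}
# ZIP-contents policy; None means "not set", so POISONED_EXECUTABLES applies.
ZIPPED_EXECUTABLES = None

def extension_of(name):
    # Anchored at the end of the name, case-insensitive: "invoice.txt.exe"
    # matches, "exe_notes.txt" does not (the greedy matching 1142 fixed).
    m = re.search(r"\.([a-z0-9]+)$", name or "", re.IGNORECASE)
    return m.group(1).lower() if m else ""

def policy_violations(raw):
    """Return [(filename, reason), ...]; an empty list means the message passes."""
    zip_policy = POISONED_EXECUTABLES if ZIPPED_EXECUTABLES is None else ZIPPED_EXECUTABLES
    hits = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue
        ext = extension_of(name)
        if ext in POISONED_EXECUTABLES:
            hits.append((name, "forbidden executable attachment"))
        elif ext == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True) or b"")) as zf:
                    for member in zf.namelist():
                        if extension_of(member) in zip_policy:
                            hits.append((name + ":" + member, "forbidden executable in archive"))
            except zipfile.BadZipFile:
                hits.append((name, "unreadable zip archive"))
    return hits

def sample_message():
    # Constructed message: a benign .txt attachment plus a ZIP hiding an .exe.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.txt.exe", b"not really a program")
    outer = MIMEMultipart()
    notes = MIMEText("harmless text")
    notes.add_header("Content-Disposition", "attachment", filename="exe_notes.txt")
    outer.attach(notes)
    archive = MIMEApplication(buf.getvalue(), _subtype="zip")
    archive.add_header("Content-Disposition", "attachment", filename="invoice.zip")
    outer.attach(archive)
    return outer.as_bytes()
```

A message with a non-empty violation list is what the Sanitizer would quarantine; the check needs no signature database, which is the page's central point.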