Welcome to the home page of the Email Sanitizer. The Sanitizer is a tool for preventing attacks on your computer's security via email messages. It has proven to be very effective against the Microsoft Outlook email worms that have gotten so much attention in the popular press and that have caused so much trouble.
The Sanitizer's intended audience is administrators of mail systems. It is not generally intended for end users, unless they administer their own mail systems rather than simply telling their mail program to retrieve messages from a mail server administered by someone else. If you are here because you've gotten a message saying that a piece of mail you sent has been rejected, or because the URL for this website appears in a piece of mail you've received, or because you're wondering why your email attachments are suddenly named DEFANGED, please read this introduction to the Sanitizer - it should answer your questions. Let me know if it doesn't. Please note that the sanitizer is NOT a traditional virus scanner. It does not rely on "signatures" to detect attacks and does not have the "window of vulnerability" problems that signature-based security always has; rather it lets you enforce policies like "email should not be scripted", "macros in Microsoft Office document attachments should not access the Windows registry", and "email should not have Windows executable file attachments", and quarantines messages that violate those policies.
This combination procmail ruleset and Perl script is specifically designed to "sanitize" your email on the mail server, before your users even attempt to retrieve their messages. It is not intended for end users to install on their Windows desktop systems for personal protection.
The current version of the html-trap.procmail ruleset is: 1.151
It is recommended you update your copy if your version is older, as bugfixes and filtering for newer exploits will have been added. See the history of changes for details. I've been continuing to use the Sanitizer in production even though development has quieted greatly in the past few years and is mostly driven now by my needs rather than user requests. It is still useful, and still blocks attempted malware delivery, even of exploits that virus scanners do not yet detect. I have, however, not been keeping the website up-to-date, so I'm doing that now. I suggest if you are still using the Sanitizer you take a look at the development release ( 1.152pre8 ) for ongoing changes and improvements, most notably an update of the Office macro scanner for downloaded malware.
There is a buffer overflow vulnerability in the DUNZIP32.dll zipfile library used by many commercial programs, including Lotus Notes and Real Audio Player. Exploits for this vulnerability are IN THE WILD. If you use Notes or some other software that handles ZIP archives, contact your vendor to see if there is an update available.
There is a small patch for versions 1.151 and earlier that defangs a method of obfuscating embedded javascript. To apply the patch, save the patch to the directory where your sanitizer is saved (typically /etc/procmail) and run the following command:
This will be in the next stable release.
The esa-l and esd-l mailing lists have been restored and are now hosted by impsec.org. Thanks to Michael Ghens for his generous hosting of the lists for five years! There is an announcements mailing list for email security issues. It will primarily carry information on new exploits and updates of the sanitizer. To subscribe, send a message with the subject "subscribe" to esa-l-request@impsec.org. This is a strongly moderated list for announcements only, not general discussion. If you want to join the sanitizer discussion mailing list, send a message with the subject "subscribe" to esd-l-request@impsec.org. This is a members-only list; to post to it you must join. There is also an archive of messages available.
1.142 fixes a minor bug in 1.141 that makes zipfile filename matching too greedy.
1.141 now permits scanning of ZIP archive contents. NOTICE: if you do not explicitly specify a ZIPPED_EXECUTABLES policy file, the sanitizer will default to your POISONED_EXECUTABLES policy file for processing ZIP archive contents. This is probably more paranoid than you wish to be. See the Configuring the Sanitizer page for more details.
If you have downloaded and are using the 1.139 sanitizer, here is a patch to make it ignore the forged part of NovArg/MyDoom Received: headers and stop notifying nonexistent sender addresses about the attack. Please apply this patch to your sanitizer using the instructions below and help reduce the insane amount of traffic this monster is generating...
Installation instructions:
Copy the .diff file to the directory where your sanitizer lives and run the following commands:
cp html-trap.procmail html-trap.procmail.old
patch < smarter-reply.diff
The 1.139 Sanitizer includes detection of Microsoft Office VBE buffer overflow attacks. See the EEye alert for more details.
SoBig.F rules for direct attacks and bounces are in the sample local-rules file now.
Please see the sample local-rules file for a rule that should detect and quarantine messages designed to attack the Sendmail header parsing remote-root bug. IMPORTANT: This rule will NOT protect the machine it is installed on. You must still update your sendmail. It may, however, protect vulnerable machines behind the machine it is running on, giving you time to update them.
If you are getting errors like "sendmail: illegal option -- U" see the configuration page for how to fix it.
If you are experiencing the "Dropped F" problem (where the "F" in the leading "From" line of the message is being deleted), please note: this is a known problem in procmail. It may be fixed in the current release, so you may want to upgrade. The problem occurs when a filter action returns an error. In that situation procmail may lose the first byte of the message. MAKE SURE your log file has 622 permissions. Also, here is a short rule that will help clean it up; add it to the end of your /etc/procmailrc file.
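As an added example (not the site's own cleanup rule, and not part of the Sanitizer), here is one way to write such a recipe; it assumes the damaged message begins with "rom " (only the first byte was lost) and that sed is available to procmail:

```procmail
# Added example, not the Sanitizer's own rule: repair a message whose leading
# "From " separator has lost its first byte (the "Dropped F" problem).
# Append this after the sanitizer recipes at the end of /etc/procmailrc.
#
# The prerequisite from the page still applies: the file named in LOGFILE
# must be writable by the delivering user (mode 622), because the byte is
# lost when a filter action returns an error.
#
# Flags: f = this recipe is a filter, h = feed only the header through it
# (the body is reattached untouched), w = wait for the filter to exit and
# keep the original message if it fails.
# Condition: ^^ anchors at the very start of the message, so it matches only
# when line 1 begins with "rom " instead of "From ". [ ] is a literal space
# written as a bracket expression so no trailing whitespace is needed.
# Action: sed puts the missing "F" back on line 1 and passes the rest through.
:0 fhw
* ^^rom[ ]
| sed -e '1s/^rom /From /'
```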
(Planning for) development of the 2.0 sanitizer has begun. The planned feature list looks something like this:
I can be contacted at <jhardin@impsec.org> - you could also visit my home page.
Several people have asked me why I don't charge for this package. I suppose this is primarily due to the fact that I don't think anybody should be exposed to these attacks simply because they don't want to or can't afford to buy something to protect themselves, but it also has to do with the fact that I view this as an interesting intellectual challenge, a way to gain recognition, and a way to give back to the community.
However, if you feel like paying for receiving something of value that has improved your life, then feel free to visit my personal wish list or my Amazon wish list, or send me a donation via PayPal and lament that nobody's done TequilaPal yet.