Enhancing E-Mail Security With Procmail

the E-mail Sanitizer


Translation to Russian by Evgeni <saaw at mail.ru> - Original document on the author's website
Spanish translation by María Ramos <mariar at webhostinghub.com>, from http://www.webhostinghub.com/support/edu


Welcome to the home page of the Email Sanitizer. The Sanitizer is a tool for preventing attacks on your computer's security via email messages. It has proven to be very effective against the Microsoft Outlook email worms that have gotten so much attention in the popular press and that have caused so much trouble.

The Sanitizer's intended audience is administrators of mail systems. It is not generally intended for end users, unless they administer their own mail systems rather than simply telling their mail program to retrieve messages from a mail server administered by someone else.

If you are here because you've gotten a message saying that a piece of mail you sent has been rejected, or because the URL for this website appears in a piece of mail you've received, or because you're wondering why your email attachments are suddenly named DEFANGED, please read this introduction to the Sanitizer - it should answer your questions. Let me know if it doesn't.

Please note that the sanitizer is NOT a traditional virus scanner. It does not rely on "signatures" to detect attacks and does not have the "window of vulnerability" problems that signature-based security always has; rather, it lets you enforce policies such as "email should not be scripted", "macros in Microsoft Office document attachments should not access the Windows registry", and "email should not have Windows executable file attachments", and quarantines messages that violate those policies.




Filtering Email for Security

Procmail is a program that processes email messages looking for particular information in the headers or body of each message, and takes actions based on what it finds. If you're familiar with the concept of "rules" as provided in many major user mail clients (such as the cc:Mail client), then you are already familiar with the concept of automatically processing email messages based on their content.

This combination procmail ruleset and Perl script is specifically designed to "sanitize" your email on the mail server, before your users even attempt to retrieve their messages. It is not intended for end users to install on their Windows desktop systems for personal protection.
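To make the policy idea concrete, here is an added example, written for this page and not taken from the Sanitizer's own procmail ruleset or Perl script. It walks a MIME message on the server side and enforces two of the policies listed in the introduction: Windows executable attachments are renamed to DEFANGED (the behaviour users notice), and a <script> tag in an HTML body is neutralised. The names POISONED_EXTENSIONS, SCRIPT_TAG and sanitize_message(), the extension list, and the sample message are all this example's own assumptions.

```python
"""Added example (not the Sanitizer's procmail/Perl code): enforce two of the
policies described above on a MIME message using only the standard library.
POISONED_EXTENSIONS, SCRIPT_TAG and sanitize_message() are this example's own
names; the DEFANGED renaming mirrors what the text says users will notice."""
import re
from email import message_from_bytes
from email import policy as email_policy

# Assumed policy: attachment extensions Windows will execute on a double-click.
POISONED_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"}
# "email should not be scripted": any <script ...> tag in an HTML body.
SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def is_poisoned(filename):
    """True when the attachment's final extension is on the blocked list.
    Only the final extension matters: 'invoice.pdf.exe' is an .exe."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in POISONED_EXTENSIONS


def sanitize_message(raw):
    """Parse a raw RFC 5322 message, defang policy violations in place and
    return (message, findings).  Nothing is silently dropped; the caller can
    decide to quarantine based on the findings list."""
    msg = message_from_bytes(raw, policy=email_policy.default)
    findings = []
    defanged = 0
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        name = part.get_filename()
        if is_poisoned(name):
            defanged += 1
            new_name = f"DEFANGED-{defanged}"
            # Rename in both places a mail client might read the name from.
            del part["Content-Disposition"]
            part["Content-Disposition"] = f'attachment; filename="{new_name}"'
            part.set_param("name", new_name)  # Content-Type name= parameter
            findings.append(f"attachment {name!r} renamed to {new_name}")
        elif part.get_content_type() == "text/html":
            body = part.get_content()
            if SCRIPT_TAG.search(body):
                findings.append("script tag in text/html body defanged")
                part.set_content(SCRIPT_TAG.sub("<DEFANGED_script", body),
                                 subtype="html")
    return msg, findings


# Constructed sample message (not a real capture): an HTML body with a script
# tag, an executable disguised with a double extension, and a harmless PDF.
SAMPLE_MESSAGE = b"""From: sender@example.com
To: user@example.com
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/html; charset="us-ascii"

<html><body>Hello<script type="text/javascript">doSomething()</script></body></html>
--XYZ
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

QUJDREVG
--XYZ
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ--
"""

if __name__ == "__main__":
    cleaned, found = sanitize_message(SAMPLE_MESSAGE)
    for finding in found:
        print("FINDING:", finding)
    print(cleaned.as_string())
```

Running the block prints two findings and the rewritten message. The check is on the final extension only, which is why the double-extension trick does not help an attacker, and the script tag is broken rather than the whole body deleted, so the recipient still sees the text and can tell something was removed.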


News & Notes

The current version of the html-trap.procmail ruleset is: 1.151
It is recommended you update your copy if your version is older, as bugfixes and filtering for newer exploits will have been added. See the history of changes for details.

I've been continuing to use the Sanitizer in production even though development has quieted greatly in the past few years and is mostly driven now by my needs rather than user requests. It is still useful, and still blocks attempted malware delivery, even of exploits that virus scanners do not yet detect. I have, however, not been keeping the website up-to-date, so I'm doing that now. I suggest if you are still using the Sanitizer you take a look at the development release ( 1.152pre8 ) for ongoing changes and improvements, most notably update of the Office macro scanner for downloaded malware.


There is a buffer overflow vulnerability in the DUNZIP32.dll zipfile library used by many commercial programs, including Lotus Notes and Real Audio Player. Exploits for this vulnerability are IN THE WILD. If you use Notes or some other software that handles ZIP archives, contact your vendor to see if there is an update available.
In an attempt to mitigate this vulnerability, the development version of the sanitizer has implemented filename length checks on the archived filenames. If you don't wish to try the development snapshot, a patch that adds the zipped-filename length tests to the existing ZIP scanning is available. It is against 1.151 but it should work on any release that has ZIP scanning.

There is a small patch for versions 1.151 and earlier that defangs a method of obfuscating embedded javascript. To apply the patch, save the patch to the directory where your sanitizer is saved (typically /etc/procmail) and run the following command:

patch --backup <obfuscated_javascript.patch
This will be in the next stable release.

The esa-l and esd-l mailing lists have been restored and are now hosted by impsec.org. Thanks to Michael Ghens for his generous hosting of the lists for five years!

There is an announcements mailing list for email security issues. It will primarily carry information on new exploits and updates of the sanitizer. To subscribe, send a message with the subject "subscribe" to esa-l-request@impsec.org. This is a strongly moderated list for announcements only, not general discussion.

If you want to join the sanitizer discussion mailing list, send a message with the subject "subscribe" to esd-l-request@impsec.org. This is a members-only list; to post to it you must join. There is also an archive of messages available.


1.142 fixes a minor bug in 1.141 that makes zipfile filename matching too greedy.

1.141 now permits scanning of ZIP archive contents. NOTICE: if you do not explicitly specify a ZIPPED_EXECUTABLES policy file, the sanitizer will default to your POISONED_EXECUTABLES policy file for processing ZIP archive contents. This is probably more paranoid than you wish to be. See the Configuring the Sanitizer page for more details.
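The two ZIP-related items above, the archived-filename length check added for the DUNZIP32.dll overflow and the ZIPPED_EXECUTABLES policy applied to archive contents, can be illustrated with one added example. It is written for this page and is not the Sanitizer's own ZIP scanner; scan_zip(), build_sample_zip(), the 255-character limit and the extension list are this example's assumptions (the page gives no specific length threshold). It reads only the archive's central directory, so nothing is decompressed while scanning.

```python
"""Added example (not the Sanitizer's own ZIP scanner): apply a
ZIPPED_EXECUTABLES-style policy and an archived-filename length check to a ZIP
archive without extracting anything.  scan_zip(), MAX_NAME_LEN and the
extension list are this example's own assumptions."""
import io
import posixpath
import zipfile

# Assumed limit: 255 is a common single path-component maximum; the page itself
# does not state a number.
MAX_NAME_LEN = 255
# Assumed ZIPPED_EXECUTABLES-style policy (the text notes that, unconfigured,
# the Sanitizer falls back to the stricter POISONED_EXECUTABLES list).
ZIPPED_EXECUTABLES = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "js"}


def scan_zip(data):
    """Return a list of (reason, member_name) findings for a ZIP archive given
    as bytes.  Only the central directory is read, so no member is
    decompressed and a decompression bomb cannot exhaust the scanner."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if len(name) > MAX_NAME_LEN:
                # Report a truncated name so the log line itself stays short.
                findings.append(("name_too_long", name[:40] + "..."))
            # Match on the final path component only; matching the whole path
            # is the "too greedy" behaviour the 1.142 note describes.
            base = posixpath.basename(name.rstrip("/"))
            if "." in base and base.rsplit(".", 1)[1].lower() in ZIPPED_EXECUTABLES:
                findings.append(("blocked_extension", name))
    return findings


def build_sample_zip():
    """Constructed sample archive: a text note, an executable under a
    subdirectory, and a member whose name exceeds MAX_NAME_LEN."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", b"plain text, fine")
        zf.writestr("tools/setup.exe", b"placeholder bytes, not a real program")
        zf.writestr("A" * (MAX_NAME_LEN + 45) + ".txt", b"overlong name")
    return buf.getvalue()


if __name__ == "__main__":
    for reason, member in scan_zip(build_sample_zip()):
        print(f"{reason}: {member}")
```

The sample archive yields one finding of each kind. A real deployment would route a message with any finding to the same quarantine the POISONED_EXECUTABLES policy uses, and would also apply the scan recursively to archives nested inside archives.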


IMPORTANT NOTICE:
If you have downloaded and are using the 1.139 sanitizer, here is a patch to make it ignore the forged part of NovArg/MyDoom Received: headers and stop notifying nonexistent sender addresses about the attack. Please apply this patch to your sanitizer using the instructions below and help reduce the insane amount of traffic this monster is generating...


Installation instructions:

Copy the .diff file to the directory where your sanitizer lives and run the following commands:

cp html-trap.procmail html-trap.procmail.old
patch < smarter-reply.diff

The 1.139 Sanitizer includes detection of Microsoft Office VBE buffer overflow attacks. See the EEye alert for more details.

SoBig.F rules for direct attacks and bounces are in the sample local-rules file now.

Please see the sample local-rules file for a rule that should detect and quarantine messages designed to attack the Sendmail header parsing remote-root bug. IMPORTANT: This rule will NOT protect the machine it is installed on. You must still update your sendmail. It may, however, protect vulnerable machines behind the machine it is running on, giving you time to update them.

If you are getting errors like "sendmail: illegal option -- U" see the configuration page for how to fix it.

If you are experiencing the "Dropped F" problem (where the "F" in the leading "From" line of the message is being deleted), please note: this is a known problem in procmail. It may be fixed in the current release, so you may want to upgrade. The problem occurs when a filter action returns an error; in that situation procmail may lose the first byte of the message. MAKE SURE your log file has 622 permissions. Also, here is a short rule that will help clean it up; add it to the end of your /etc/procmailrc file.

(Planning for) development of the 2.0 sanitizer has begun. The planned feature list looks something like this:

Beta announcements will be made to the mailing list.

I can be contacted at <jhardin@impsec.org> - you could also visit my home page.

Several people have asked me why I don't charge for this package. I suppose this is primarily due to the fact that I don't think anybody should be exposed to these attacks simply because they don't want to or can't afford to buy something to protect themselves, but it also has to do with the fact that I view this as an interesting intellectual challenge, a way to gain recognition, and a way to give back to the community.
However, if you feel like paying for receiving something of value that has improved your life, then feel free to visit my personal wish list or my Amazon wish list, or send me a donation via PayPal and lament that nobody's done TequilaPal yet.



$Id: procmail-security.html,v 1.196 2014-07-11 09:05:22-07 jhardin Exp jhardin $
Contents Copyright (C) 2007 by John D. Hardin - All Rights Reserved.
The primary Sanitizer home page is at http://www.impsec.org/email-tools/procmail-security.html
