[Esa-l] ANN: Sanitizer Update

John D. Hardin jhardin at wolfenet.com
Sat May 13 18:20:23 PDT 2000


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The procmail sanitizer has been updated. The current version is 1.107.
It is available via:

US: ftp://ftp.rubyriver.com/pub/jhardin/antispam/procmail-security.html
EU: ftp://kanon.net/pub/jhardin/antispam/procmail-security.html

- From the News section of the home page:

05/13/00 Made sender notification optional.
Added ability to specify executable extensions list in configuration file.
No more script updates for new executables! Site-customized executable mangling!


-----BEGIN PGP SIGNATURE-----
Version: PGP 5.0
Charset: noconv

iQA/AwUBOR3xJNgi5ua4cy55EQJfCwCghDil94uBsipYgAEpSHhvMOE/spwAnRQ8
MfbX8YwryUKlMp9J2UR49OI9
=qvcd
-----END PGP SIGNATURE-----

--
 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
-----------------------------------------------------------------------
   169 days until Daylight Savings Time ends
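The site-customized executable mangling announced above, as an added example that is not the sanitizer's own procmail code: a Python sketch of reading an extension list from a configuration file and renaming matching attachments so a mail client will not launch them. The keyword MANGLE_EXTENSIONS, the DEFANGED- prefix, the X-Mangled-Attachments header, and the sample config and message are all assumptions made for this illustration.

```python
import email
import re
from email import policy

# Constructed config text. The keyword MANGLE_EXTENSIONS is an assumption for
# this illustration, not the sanitizer's real configuration variable.
SAMPLE_CONFIG = """
# extensions to treat as executable; matched case-insensitively
MANGLE_EXTENSIONS = exe com bat scr pif vbs shs
"""

# Constructed sample message: a text part, an executable, and a harmless file.
SAMPLE_MESSAGE = """\
From: infected@example.org
To: user@example.net
Subject: Re: sanitizer question
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Just got your message. Will reply soon.
In the meantime, look at this attachment.
--b1
Content-Type: application/octet-stream; name="Invoice.EXE"
Content-Disposition: attachment; filename="Invoice.EXE"
Content-Transfer-Encoding: base64

Tm90IGFuIGFjdHVhbCBiaW5hcnk=
--b1
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain text, left alone
--b1--
"""


def parse_extensions(config_text, key="MANGLE_EXTENSIONS"):
    """Read a whitespace-separated extension list from a config file body."""
    exts = set()
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        name, sep, value = line.partition("=")
        if sep and name.strip() == key:
            exts.update(e.strip().lstrip(".").lower() for e in value.split())
    return exts


EXTS = parse_extensions(SAMPLE_CONFIG)
_TRAILING_JUNK = re.compile(r"[\s.]+$")


def is_executable_name(filename, exts):
    """Match on the LAST extension after stripping trailing dots and spaces,
    which Windows ignores when deciding how to open a file ("setup.exe.")."""
    if not filename:
        return False
    name = _TRAILING_JUNK.sub("", filename)
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in exts


def mangle_message(raw, exts):
    """Rename every executable attachment so a click cannot run it; return
    (rewritten message text, list of original names). DEFANGED- is an
    assumed naming convention, not the sanitizer's."""
    msg = email.message_from_string(raw, policy=policy.default)
    mangled = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename()
        if not is_executable_name(fname, exts):
            continue
        new_name = "DEFANGED-" + fname
        del part["Content-Type"]
        part["Content-Type"] = f'application/octet-stream; name="{new_name}"'
        del part["Content-Disposition"]
        part["Content-Disposition"] = f'attachment; filename="{new_name}"'
        mangled.append(fname)
    if mangled:
        msg["X-Mangled-Attachments"] = ", ".join(mangled)   # assumed header
    return msg.as_string(), mangled


def attachment_names(raw):
    """Filenames of all non-multipart parts, for inspecting the result."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


if __name__ == "__main__":
    text, names = mangle_message(SAMPLE_MESSAGE, EXTS)
    print("mangled:", names)
    print("after:", attachment_names(text))
```

The point of matching on the last extension only, after trimming trailing dots and spaces, is that this is what the Windows shell does; a list that matched on a substring would mangle "archive.exe.txt" for nothing, while one that did not trim would let "setup.exe." through.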



Return-Path: <owner-esa-l at merlin.spconnect.com>
Delivered-To: esa-l at spconnect.com
Received: from lariat.lariat.org (lariat.org [12.23.109.2])
	by merlin.spconnect.com (Postfix) with SMTP id 15F08BFEB
	for <esa-l at spconnect.com>; Sat, 13 May 2000 18:16:24 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org at lariat.org [12.23.109.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id TAA07658;
	Sat, 13 May 2000 19:16:17 -0600 (MDT)
Message-Id: <4.3.1.2.20000513191206.04478de0 at localhost>
X-Sender: brett at localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Sat, 13 May 2000 19:16:13 -0600
To: "John D. Hardin" <jhardin at wolfenet.com>
From: Brett Glass <brett at lariat.org>
Subject: Re: [Esa-l] ANN: Sanitizer Update
Cc: Email Security Announce list <esa-l at spconnect.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: esa-l-admin at spconnect.com
Errors-To: esa-l-admin at spconnect.com
X-BeenThere: esa-l at spconnect.com
X-Mailman-Version: 2.0beta2
Precedence: bulk
List-Id: Email Security  <esa-l.spconnect.com>

Oops! A correction to my prior message. The Trojan that exhibits 
the behavior I mentioned -- acting as a deceptive autoresponder --
is not PrettyPark. It's ExploreZip. I'm constantly stamping out
both, and so confused the two.

--Brett

"I am, uh, BillGatus of Borg. Competition is futile. You will
be integrated." --Brett Glass (After Jack Rickard)



Return-Path: <owner-esa-l at merlin.spconnect.com>
Delivered-To: esa-l at spconnect.com
Received: from lariat.lariat.org (lariat.org [12.23.109.2])
	by merlin.spconnect.com (Postfix) with SMTP id 93DB9BFEB
	for <esa-l at spconnect.com>; Sat, 13 May 2000 18:06:19 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org at lariat.org [12.23.109.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id TAA07595;
	Sat, 13 May 2000 19:06:04 -0600 (MDT)
Message-Id: <4.3.1.2.20000513190356.04502290 at localhost>
X-Sender: brett at localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Sat, 13 May 2000 19:06:01 -0600
To: "John D. Hardin" <jhardin at wolfenet.com>
From: Brett Glass <brett at lariat.org>
Subject: Re: [Esa-l] ANN: Sanitizer Update
Cc: Email Security Announce list <esa-l at spconnect.com>
In-Reply-To: <Pine.LNX.4.10.10005131615220.14695-100000 at gypsy.rubyriver.com>
References: <4.3.1.2.20000512222854.03fff100 at localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: esa-l-admin at spconnect.com
Errors-To: esa-l-admin at spconnect.com
X-BeenThere: esa-l at spconnect.com
X-Mailman-Version: 2.0beta2
Precedence: bulk
List-Id: Email Security  <esa-l.spconnect.com>

At 05:16 PM 5/13/2000, John D. Hardin wrote:

>Autoresponder? You mean, if you're infected by PrettyPark it sits
>there and watches your inbound mail spool and automatically replies
>with an attack whenever a message is received??? {shudder}

Yes! The response has the same subject as the incoming
message, and of course the sender appears to be the person
you've just mailed. The body says something like, "Just got your 
message.... Will reply soon. In the meantime, look at this 
attachment."

You can see, I'm sure, why this would be persuasive.

--Brett


"I am, uh, BillGatus of Borg. Competition is futile. You will
be integrated." --Brett Glass (After Jack Rickard)



Return-Path: <owner-esa-l at merlin.spconnect.com>
Delivered-To: esa-l at spconnect.com
Received: from lariat.lariat.org (lariat.org [12.23.109.2])
	by merlin.spconnect.com (Postfix) with SMTP id 202E9BFE8
	for <esa-l at spconnect.com>; Fri, 12 May 2000 21:36:14 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org at lariat.org [12.23.109.2])
	by lariat.lariat.org (8.9.3/8.9.3) with ESMTP id WAA06252;
	Fri, 12 May 2000 22:35:56 -0600 (MDT)
Message-Id: <4.3.1.2.20000512222854.03fff100 at localhost>
X-Sender: brett at localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.1
Date: Fri, 12 May 2000 22:35:53 -0600
To: "John D. Hardin" <jhardin at wolfenet.com>,
	Email Security Announce list <esa-l at spconnect.com>
From: Brett Glass <brett at lariat.org>
Subject: Re: [Esa-l] ANN: Sanitizer Update
In-Reply-To: <Pine.LNX.4.10.10005121501400.7545-100000 at gypsy.rubyriver.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: esa-l-admin at spconnect.com
Errors-To: esa-l-admin at spconnect.com
X-BeenThere: esa-l at spconnect.com
X-Mailman-Version: 2.0beta2
Precedence: bulk
List-Id: Email Security  <esa-l.spconnect.com>

John:

I'd like to install version 1.06 of the sanitizer, but am worried about some serious untoward effects that it might cause! You say:

"If SECURITY_NOTIFY or SECURITY_NOTIFY_VERBOSE are set, then the message sender will also be notified of the message being trapped."

This new behavior (at least I *think* it's new; I don't recall seeing a mention of it before) is worrisome. We don't necessarily want to notify the sender automatically, since many Trojans (e.g. PrettyPark) are autoresponders and will send mail back! What's more, the response will be a fresh copy of the Trojan, so the cycle will not be broken by an anti-looping header.

--Brett

"Microsoft is continually protecting its turf, even if that
turf appears to the rest of us as belonging to a company other 
than Microsoft." -- Mark Stephens, AKA Robert X. Cringely
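The exchange Brett describes, as an added simulation in Python (not code from the sanitizer or from either poster): an autoresponding Trojan answers every sender notice with a fresh copy of itself, so an X-Loop style header placed on the notice never comes back and cannot break the cycle; turning sender notification off, or capping notices per sender, does. The option names, addresses, extension list and Trojan filename are assumptions.

```python
MAX_ROUNDS = 50                                    # bound on the simulated exchange
EXECUTABLE_EXTS = {"exe", "scr", "pif", "bat", "com"}   # constructed list


def is_executable(filename):
    """True if the lower-cased last extension is in the executable list."""
    if not filename or "." not in filename:
        return False
    return filename.rsplit(".", 1)[1].lower() in EXECUTABLE_EXTS


def trojan_autoresponder(incoming):
    """Models the infected host: answers anything it receives with the same
    Subject, the recipient as apparent sender, and a fresh copy of itself.
    It never copies loop-prevention headers from the message it answers."""
    return {
        "from": incoming["to"],
        "to": incoming["from"],
        "subject": incoming["subject"],
        "attachment": "zipped_files.exe",          # assumed name
        "headers": {},
    }


class Sanitizer:
    """Traps executable attachments; optionally notifies the sender."""

    def __init__(self, notify_sender, max_notices_per_sender=None):
        self.notify_sender = notify_sender          # modelled notify switch
        self.max_notices = max_notices_per_sender   # None = unlimited
        self.notices_sent = {}                      # sender -> notices so far
        self.quarantined = []

    def handle(self, msg):
        """Process one inbound message; return the notice to send, or None."""
        if not is_executable(msg["attachment"]):
            return None                             # clean: deliver, say nothing
        self.quarantined.append(msg)
        if not self.notify_sender:
            return None
        # Classic anti-loop test: our own X-Loop header coming back means we
        # are talking to ourselves. The Trojan's reply is a fresh message, so
        # against an autoresponder this check never fires.
        if msg["headers"].get("X-Loop") == msg["to"]:
            return None
        sender = msg["from"]
        sent = self.notices_sent.get(sender, 0)
        if self.max_notices is not None and sent >= self.max_notices:
            return None                             # already told; stay quiet
        self.notices_sent[sender] = sent + 1
        return {
            "from": msg["to"],
            "to": sender,
            "subject": "Re: " + msg["subject"],
            "attachment": None,
            "headers": {"X-Loop": msg["to"], "Precedence": "junk"},
        }


def run_exchange(sanitizer, first_msg, max_rounds=MAX_ROUNDS):
    """Drive sanitizer and Trojan against each other. Returns the number of
    Trojan copies trapped before the exchange went quiet; a result equal to
    max_rounds means it never did."""
    msg, rounds = first_msg, 0
    while msg is not None and rounds < max_rounds:
        rounds += 1
        notice = sanitizer.handle(msg)
        msg = trojan_autoresponder(notice) if notice else None
    return rounds


# Constructed scenario: a local user mails an infected host, which answers.
FIRST_COPY = trojan_autoresponder({
    "from": "user@example.net", "to": "infected@example.org",
    "subject": "sanitizer question", "attachment": None, "headers": {},
})

if __name__ == "__main__":
    for label, s in [("notify on", Sanitizer(True)),
                     ("notify off", Sanitizer(False)),
                     ("notify once per sender", Sanitizer(True, 1))]:
        print(f"{label}: {run_exchange(s, FIRST_COPY)} Trojan copies trapped")
```

The per-sender cap is the cheap middle ground when a site still wants humans told once: it bounds the damage to two trapped copies per infected correspondent instead of an unbounded stream, without relying on a header the other side would have to honour.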