[Esd-l] ANN: Sanitizer update - 1.135 released

John D. Hardin jhardin at impsec.org
Sun May 26 22:12:01 PDT 2002

The procmail sanitizer has been updated. The current version is 1.135.
It is available via:

US/WA:  http://www.impsec.org/email-tools/procmail-security.html
US/FL:  http://stonewall.lbhs.net/~jhardin/email-tools/procmail-security.html
EU/NO:  http://jhardin.oftedal.no/email-tools/procmail-security.html
EU/NL:  http://kanon.net/~jhardin/email-tools/procmail-security.html
AU:     http://grebopple.accessunited.com.au/email-tools/procmail-security.html
AU:     http://impsec.fuzzitech.net/email-tools/procmail-security.html

Direct links to the current tarball:

US/WA:  http://www.impsec.org/email-tools/procmail-sanitizer.tar.gz
US/FL:  http://stonewall.lbhs.net/~jhardin/email-tools/procmail-sanitizer.tar.gz
EU/NO:  http://jhardin.oftedal.no/email-tools/procmail-sanitizer.tar.gz
EU/NL:  http://kanon.net/~jhardin/email-tools/procmail-sanitizer.tar.gz
AU:     http://grebopple.accessunited.com.au/email-tools/procmail-sanitizer.tar.gz
AU:     http://impsec.fuzzitech.net/email-tools/procmail-sanitizer.tar.gz

From the changelog:

05/26/2002 (1.135)
Smarten $SECURITY_NOTIFY_SENDER up to reduce spoofing by forged
 headers; disable this by setting $SECURITY_DISABLE_SMART_REPLY to
 any value; side-effect is the sender address is now taken from the
 Return-Path: header instead of the From: header.
Add original message headers to sender notification message.
Allow override of FROM address on notifications; set
 $SECURITY_LOCAL_POSTMASTER to the address to use, e.g.
 "abuse@myrootdomain.com".
Set envelope FROM address so bounced notifications go to admin rather than
 user; this is done in the default $MTA_FLAGS_HDRS so if you
 override that you'll want to make sure you use the appropriate flags in
 your custom command line.
Option to notify abuse@ in addition to postmaster@ at sender domain; set
 $SECURITY_NOTIFY_SENDER_ABUSE to any value to enable.
Refine active-HTML defanging a bit in response to a bugtraq post.
Improve detection of obscured HTML tags.
Option to specify quarantine lockfile; set
 $SECURITY_QUARANTINE_LOCKFILE to a full path-and-filename
 writable by all users (e.g. "/var/tmp/quarantine.lock").
Option to log poisoned Message-IDs to a file; set
 $SECURITY_MSGID_LOG to a full path-and-filename writable by
 all users (e.g. "/var/tmp/msgid.log").
Properly enquote unquoted attachment filenames that have embedded semicolons.
Minor cosmetic changes to log messages.
Fix the "Extraneous deliver-head flag ignored" booboo.

The sanitizer home page is at

The archive of the sanitizer discussion list is at


 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org                        pgpk -a jhardin at impsec.org
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
 "To disable the Internet to save EMI and Disney is the moral
  equivalent of burning down the library of Alexandria to ensure the
  livelihood of monastic scribes."
                                    -- John Ippolito of the Guggenheim
   362 days until The Matrix Reloaded