From SmartD at VMCMAIL.com  Fri Jul  2 08:43:47 2004
From: SmartD at VMCMAIL.com (Smart,Dan)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] Updated Sanitizer functionality list
Message-ID: <8E68F5A27FC613458BF7A9881D959D07DA2897@cobhm006.na.vul.com>

Here's my updated functionality list for Sarbanes-Oxley Documentation...

John Hardin's Sanitizer functionality.

HEADERS
1. Sanitize bare CR in message headers (Outlook bug). That's also in
violation of RFC822 so it's a protocol sanitizing issue.
2. Sanitize multiple null addresses (sendmail exploit).
 
^((resent-)?(sender|from|(reply-)?to|cc|bcc)|(errors|disposition-notificatio
n|apparently)-to|Return-Path): *<>.*<>.*<>.*<>.*<>.*<>.*
3. Detect and truncate Subject: headers longer then 250 characters, to
protect Outlook Express users.
4. Truncate excessively long (>500) standard headers, to address the MS
Outlook header buffer-overflow bug and to proactively protect against other
BO bugs in other mailers; 
(Mime-Version|(Resent-)?(Date|Sender|From|Reply-To)|(errors|disposition-noti
fication|apparently)-to|Message-ID|Return-Path|Status|X-Status|X-Keywords):

FIX MIME
1. Length-limit MIME boundary strings, to proactively defend against BO
bugs.
2. Check for a null MIME boundary string and supply one if necessary; this
is a major DoS attack against Microsoft Exchange
3. Sanitize MIME values that have been explicitly set to null (e.g.
encoding="") - this is a major DoS attack against Microsoft Exchange. 
4. Sanitize double backquotes in MIME headers to prevent remote attacks
against Metamail via the UW Pine MUA

ATTACHMENT HEADERS
1. Sanitize files with Microsoft Class-ID extensions. 
2. Shorten long file names to less than 120 characters
    a. Collapse runs of spaces in filenames before length-limiting. 
3. Truncate long attachment headers (vs. RFC822 message headers as you
noted), again to proactively defend against BO bugs in mailers.
4. Fix missing closed quote on filename 
5. Fix unquoted filenames
    a. Properly enquote unquoted attachment filenames that have embedded
semicolons.
6. Fix trailing periods and spaces in filename.
7. Catch encoded periods in filenames and fix encoded plain characters in
filename.
  Both because there's no reason to encode those characters other than an
attempt to bypass filtering.
8. Catch quotes-in-extension attack. Outlook/Windows ignores them. (!)
9. Remove embedded RFC822 comments
10. Fix attachment headers of the form 'text from file "xxxx"' where Outlook
helpfully looks if the filename can't be determined from the headers that
*should* have the filename.

URLs
1. Fix URL Spoofing; a.com%01@b.com
2. Fix URL Obfuscation; a.com@b.com
There's no good reason to encode plain characters other than an attempt to
bypass filtering.

WEBBUGS
1. Sanitize <IMG> tags
2. Sanitize webbug images in tables. 
3. Sanitize the <BGSOUND> tag for webbugs 4. Santize "BACKGROUND" subtag for
webbugs

TAGS
1. Sanitize the <LINK> tag.
2. Sanitize the <LAYER> tag; this is primarily of interest to people running
webmail programs.
3. Sanitize  <STYLE> tags and clauses because they can be used to hide
scripting code.
4. Detect obscured HTML tags. 
	a. Deal with attempted obscuration of tag options with &# and %
escapes.
5. Sanitize FORM tags (see bugtraq posting
http://www.securityfocus.com/archive/1/359139).


ACTIVE SCRIPT
1. Sanitize active HTML <DEFANGED_SCRIPT> tags
 	Defang OnCommands such as OnLoad and other OnCommands.
 	Defang script or mocha: (["\047\075]|url\()([a-z]+script|mocha):
 	Defang &{: 		(["\047\075])&{

ATTACHMENTS
1. Mangle/Quarantine/Strip dangerous attachments based on Extension
2. Check zip file for dangerous attachments
	a. Handles password protected zip files
	b. Handles obfuscated file names in zip
3. Check magic bits to ensure file is what it claims to be.
4. Correctly identifies obfuscated file names.
5. Handle notifications intelligently (no notes to spoofed addresses)

<<Dan>>
From jhardin at impsec.org  Mon Jul 26 21:38:57 2004
From: jhardin at impsec.org (John D. Hardin)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] Warning: some .ZIP attacks not being trapped
Message-ID: <Pine.LNX.4.10.10407262130520.21049-100000@gypsy.impsec.org>

All:

A couple of zipped worms just dropped into my mailbox. The base64
encoding looks really odd, and may be explicitly crafted to bypass
scanners, as it appears to exploit a weakness in the CPAN MIME::Base64
module *and* the mimencode program. I am investigating.

You may want to add "*.zip" to your poison list for a while.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   49 days until the "Scary-Looking Guns" ban expires
From jhardin at impsec.org  Mon Jul 26 21:57:06 2004
From: jhardin at impsec.org (John D. Hardin)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] Re: [Esa-l] Warning: some .ZIP attacks not being trapped
In-Reply-To: <Pine.LNX.4.10.10407262130520.21049-100000@gypsy.impsec.org
  >
Message-ID: <Pine.LNX.4.10.10407262155240.20913-100000@gypsy.impsec.org>

On Mon, 26 Jul 2004, John D. Hardin wrote:

> A couple of zipped worms just dropped into my mailbox. The base64
> encoding looks really odd, and may be explicitly crafted to bypass
> scanners, as it appears to exploit a weakness in the CPAN MIME::Base64
> module *and* the mimencode program. I am investigating.

I think I understand what's happening. I have a temporary workaround
in the devel code (1.144pre6) that requires you use the CPAN base64
module.

I will try to make it more elegant and try to make it work with
mimencode as well.

If you try the devel release, PLEASE let me know if any false
positives are trapped.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   49 days until the "Scary-Looking Guns" ban expires
From jhardin at impsec.org  Mon Jul 26 22:28:30 2004
From: jhardin at impsec.org (John D. Hardin)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] Re: [Esa-l] Warning: some .ZIP attacks not being trapped
In-Reply-To: <Pine.LNX.4.10.10407262155240.20913-100000@gypsy.impsec.org
  >
Message-ID: <Pine.LNX.4.10.10407262222220.20913-100000@gypsy.impsec.org>

On Mon, 26 Jul 2004, John D. Hardin wrote:

> > A couple of zipped worms just dropped into my mailbox. The base64
> > encoding looks really odd, and may be explicitly crafted to bypass
> > scanners, as it appears to exploit a weakness in the CPAN MIME::Base64
> > module *and* the mimencode program. I am investigating.
> 
> I think I understand what's happening. I have a temporary
> workaround in the devel code (1.144pre6) that requires you use the
> CPAN base64 module.
> 
> I will try to make it more elegant and try to make it work with
> mimencode as well.

Well, I made it work with mimencode too, but it's still not elegant.

The attack is either well thought out, or sloppy coding. The
attachment's base64 encoding has lines of varying length as well as
embedded blank lines. The 1.144pre6 devel sanitizer detects
excessively short lines and poisons the message rather than crashing.
It needs refinement.

I'm testing here. Volunteer testers solicited. Let me know of false
positives.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   49 days until the "Scary-Looking Guns" ban expires
From jhardin at impsec.org  Wed Jul 28 18:26:12 2004
From: jhardin at impsec.org (John D. Hardin)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] ANN: Email Sanitizer 1.144 released
Message-ID: <Pine.LNX.4.10.10407281823390.1351-100000@gypsy.impsec.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


The procmail sanitizer has been updated. The current version is 1.144
It is available via:

US/WA:  http://www.impsec.org/email-tools/procmail-security.html
US/WA:  http://eucleides.com/sanitizer/procmail-security.html
EU/NL:  http://kanon.net/~jhardin/email-tools/procmail-security.html
#EU/NO:  http://oftedal.no/~jhardin/email-tools/procmail-security.html
AU:     http://grebopple.accessunited.com.au/email-tools/procmail-security.html
AU:     http://impsec.fuzzitech.net/email-tools/procmail-security.html

Direct links to the current tarball:

US/WA:  http://www.impsec.org/email-tools/procmail-sanitizer.tar.gz
US/WA:  http://eucleides.com/sanitizer/procmail-sanitizer.tar.gz
EU/NL:  http://kanon.net/~jhardin/email-tools/procmail-sanitizer.tar.gz
#EU/NO:  http://oftedal.no/~jhardin/email-tools/procmail-sanitizer.tar.gz
AU:     http://grebopple.accessunited.com.au/email-tools/procmail-sanitizer.tar.gz
AU:     http://impsec.fuzzitech.net/email-tools/procmail-sanitizer.tar.gz

("commented out" mirrors are temporarily out-of-sync or unavailable)


b27ab0472f9d5f68be5e106d9ff59262  html-trap.procmail
c2d5cb20d173f6f5c15ed6f17a99b767  html-trap.procmail.nomacroscan
e5a09dc262a697e4f27c6a5fb353dfd0  procmail-sanitizer.tar.gz


- From the changelog:
07/28/2004 (1.144)
Fix subject line on recipient notification if message was discarded (Thanks to Joe Steele).
Defang webbugs in table elements.
Defang additional HTML tags.
Add $SPOOFED_SENDER handling option for reply control.
Minor bugfix in ZIP file detection and scanning.
Trap poorly-formed BASE64-encoded ZIP attachments (short lines).
Fix bug in BASE64-encoded zipfile decoding.


NOTE: Please either update to this version or apply the
1.139 Smarter-Reply patch from the website. The stock 1.139
sanitizer responds to attack messages with forged sender
addresses. This generates a great deal of useless email
backscatter.


The sanitizer home page is at
http://www.impsec.org/email-tools/procmail-security.html

The archive of the sanitizer discussion list is at
http://www.spconnect.com/mailman/listinfo/esd-l



-----BEGIN PGP SIGNATURE-----
Version: PGP 5.0
Charset: noconv

iQA/AwUBQQeeGNgi5ua4cy55EQI/qACgkLz3OTTWSZr94WtfBJ06pmp15hYAnRhI
9rl0EIYJQOzJN+Dun9fmEzbv
=fjIS
-----END PGP SIGNATURE-----

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   47 days until the "Scary-Looking Guns" ban expires
From SmartD at VMCMAIL.com  Thu Jul 29 06:46:42 2004
From: SmartD at VMCMAIL.com (Smart,Dan)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] Virustest.org comprehensiveness
Message-ID: <8E68F5A27FC613458BF7A9881D959D07DA2E9D@cobhm006.na.vul.com>

John,
Could you please give me your opinion on the comprehensiveness of the
testing from virustest.org?  
 

<<Dan>>
From SmartD at VMCMAIL.com  Thu Jul 29 06:52:28 2004
From: SmartD at VMCMAIL.com (Smart,Dan)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] testvirus.org comprehensiveness
Message-ID: <8E68F5A27FC613458BF7A9881D959D07DA2E9E@cobhm006.na.vul.com>

Sorry, the correct URL is testvirus.org

<<Dan>>


 

>  -----Original Message-----
>  From: esd-l-bounces@spconnect.com 
>  [mailto:esd-l-bounces@spconnect.com] On Behalf Of Smart,Dan
>  Sent: Thursday, July 29, 2004 8:47 AM
>  To: Email Security Discussion list
>  Subject: [Esd-l] Virustest.org comprehensiveness
>  
>  John,
>  Could you please give me your opinion on the 
>  comprehensiveness of the testing from virustest.org?  
>   
>  
>  <<Dan>>
>  _______________________________________________
>  Esd-l mailing list
>  Esd-l@spconnect.com
>  http://www.spconnect.com/mailman/listinfo/esd-l
From sysadmin at polezero.com  Thu Jul 29 07:41:27 2004
From: sysadmin at polezero.com (Jason Noble)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] testvirus.org comprehensiveness
In-Reply-To: <8E68F5A27FC613458BF7A9881D959D07DA2E9E@cobhm006.na.vul.com
  >
References: <8E68F5A27FC613458BF7A9881D959D07DA2E9E@cobhm006.na.vul.com>
Message-ID: <1091112087.23149.6.camel@paradox>

Well adding this to the poisoned files list stopped the CLSID extension

*.\{*\}

Now I need to figure out a fix for the "BinHex encoding within a MIME
segment"


On Thu, 2004-07-29 at 09:52, Smart,Dan wrote:
> Sorry, the correct URL is testvirus.org
> 
> <<Dan>>
> 
> 
>  
> 
> >  -----Original Message-----
> >  From: esd-l-bounces@spconnect.com 
> >  [mailto:esd-l-bounces@spconnect.com] On Behalf Of Smart,Dan
> >  Sent: Thursday, July 29, 2004 8:47 AM
> >  To: Email Security Discussion list
> >  Subject: [Esd-l] Virustest.org comprehensiveness
> >  
> >  John,
> >  Could you please give me your opinion on the 
> >  comprehensiveness of the testing from virustest.org?  
> >   
> >  
> >  <<Dan>>
> >  _______________________________________________
> >  Esd-l mailing list
> >  Esd-l@spconnect.com
> >  http://www.spconnect.com/mailman/listinfo/esd-l
> _______________________________________________
> Esd-l mailing list
> Esd-l@spconnect.com
> http://www.spconnect.com/mailman/listinfo/esd-l
-- 
Jason Noble <sysadmin@polezero.com>
From jhardin at impsec.org  Thu Jul 29 13:03:04 2004
From: jhardin at impsec.org (John D. Hardin)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] testvirus.org comprehensiveness
In-Reply-To: <1091112087.23149.6.camel@paradox>
Message-ID: <Pine.LNX.4.10.10407291301390.6264-100000@gypsy.impsec.org>

On Thu, 29 Jul 2004, Jason Noble wrote:

> Well adding this to the poisoned files list stopped the CLSID extension
> 
> *.\{*\}

Thanks for the note. CLSIDs have been mangled for a long time but
somehow I neglected to add them to the recommended poison list...

> Now I need to figure out a fix for the "BinHex encoding within a MIME
> segment"
> 
> 
> On Thu, 2004-07-29 at 09:52, Smart,Dan wrote:
> > Sorry, the correct URL is testvirus.org

I'll look when I get home tonight.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   46 days until the "Scary-Looking Guns" ban expires
From scott at dctchambers.com  Thu Jul 29 13:10:43 2004
From: scott at dctchambers.com (Scott Taylor)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] ZIP attachments
Message-ID: <1257.192.168.99.70.1091131843.squirrel@192.168.99.70>

Sorry John, et al,

I'm sure we go through this every time there is an upgrade.  There is no
need for any of my users to receive zip files.  Putting .zip "*.zip" in
the poison list doesn't stop them.  Why not?  To me, it would seem the
logical file to put file names, extenions, snd/or regex's of file names
you don't want to receive.  What else is the poison list good for?

--
Scott
From michael at prismbiz.com  Thu Jul 29 13:54:24 2004
From: michael at prismbiz.com (Mike McCandless)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] Order of Email Sanitizer in procmailrc
Message-ID: <11968.143.165.201.47.1091134464.squirrel@143.165.201.47>

In our /etc/procmailrc file (used with Postfix), we invoke the following
in this order:
- email sanitizer
- spamassassin
- clamav

Should it matter if we modify the order in which email sanitizer runs?



----------------------
Mike McCandless
michael@prismbiz.com
From scott at dctchambers.com  Thu Jul 29 14:40:56 2004
From: scott at dctchambers.com (Scott Taylor)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] Order of Email Sanitizer in procmailrc
In-Reply-To: <11968.143.165.201.47.1091134464.squirrel@143.165.201.47>
References: <11968.143.165.201.47.1091134464.squirrel@143.165.201.47>
Message-ID: <1674.192.168.99.70.1091137256.squirrel@192.168.99.70>

Mike McCandless said:
> In our /etc/procmailrc file (used with Postfix), we invoke the following
> in this order:
> - email sanitizer
> - spamassassin
> - clamav
>
> Should it matter if we modify the order in which email sanitizer runs?

It matters not, but why subit email to sanitizer if you know it has a virus?

One thing that may matter though, the sanitizer may change a message even
though it is spam, then spamassassin wants to learn that message but it's
been changed from it's original content...then what?  Well, as long as it
is always changed in the same it it shouldn't matter.

I use it in the same order minus the clamav and I have not seen any virus
through in 3+ years and recent SA works at about 98% true, even after the
sanitizer with 0.001% false positives.
From jhardin at impsec.org  Thu Jul 29 17:11:57 2004
From: jhardin at impsec.org (John D. Hardin)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] ZIP attachments
In-Reply-To: <1257.192.168.99.70.1091131843.squirrel@192.168.99.70>
Message-ID: <Pine.LNX.4.10.10407291702320.7312-100000@gypsy.impsec.org>

On Thu, 29 Jul 2004, Scott Taylor wrote:

> Sorry John, et al,
> 
> I'm sure we go through this every time there is an upgrade.  
> There is no need for any of my users to receive zip files.  
> Putting .zip "*.zip" in the poison list doesn't stop them.  Why
> not?  To me, it would seem the logical file to put file names,
> extenions, snd/or regex's of file names you don't want to receive.  
> What else is the poison list good for?

For historical design reasons, the poison and strip lists only apply
to extensions that appear in the mangled-extensions list.

There are exceptions: Office document file extensions and .ZIP are
"special" and can be poisoned or stripped whether or not they appear
in the mangle list. This has yet to be made a general rule, though.

Therefore, you should be able to put "*.zip" in your poisoned-files
list and all messages with .zip attachments *should* be poisoned. I
don't know why it's not working for you.

Can you set DEBUG=Y and send a test message through? You should see
something like this in your log file (per the contents of *your*
poison list, of course):

 Checking ZIP archive "test.zip" for poisoning.
  Checking against ".*\.exe(\?=)?$"
  Checking against ".*\.asd(\?=)?$"
  Checking against ".*\.bat(\?=)?$"
  Checking against ".*\.chm(\?=)?$"
  Checking against ".*\.com(\?=)?$"
  Checking against ".*\.cil(\?=)?$"
  Checking against ".*\.dll(\?=)?$"
  Checking against ".*\.hlp(\?=)?$"
  Checking against ".*\.hta(\?=)?$"
  Checking against ".*\.js(\?=)?$"
  Checking against ".*\.lnk(\?=)?$"
  Checking against ".*\.nws(\?=)?$"
  Checking against ".*\.ocx(\?=)?$"
  Checking against ".*\.pif(\?=)?$"
  Checking against ".*\.reg(\?=)?$"
  Checking against ".*\.scr(\?=)?$"
  Checking against ".*\.sh[bs](\?=)?$"
  Checking against ".*\.vb(\?=)?$"
  Checking against ".*\.vb[se](\?=)?$"
  Checking against ".*\.ws[cfh](\?=)?$"
  Checking against ".*\.[a-z][a-z]\.(?=[a-z0-9]+$)(?!(doc$|xls$))"
  Checking against ".*\.[a-z][a-z]\s+\.(?=[a-z0-9]+$)(?!(doc$|xls$))"
  Checking against
".*\.[a-z][a-z][a-z0-9]\.(?=[a-z0-9]+$)(?!(doc$|xls$))"
  Checking against
".*\.[a-z][a-z][a-z0-9]\s+\.(?=[a-z0-9]+$)(?!(doc$|xls$))"
  Checking against ".*\s+\.exe(\?=)?$"
  Checking against "[0-9]+-i386-update\.exe(\?=)?$"
  Checking against "ie[0-9]+\.exe(\?=)?$"
  Checking against "..*romeo\.exe(\?=)?$"
  Checking against "test\.zip(\?=)?$"
 Trapped poisoned ZIP archive "test.zip".


--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   46 days until the "Scary-Looking Guns" ban expires
From jhardin at impsec.org  Thu Jul 29 17:17:27 2004
From: jhardin at impsec.org (John D. Hardin)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] Order of Email Sanitizer in procmailrc
In-Reply-To: <11968.143.165.201.47.1091134464.squirrel@143.165.201.47>
Message-ID: <Pine.LNX.4.10.10407291712280.7312-100000@gypsy.impsec.org>

On Thu, 29 Jul 2004, Mike McCandless wrote:

> In our /etc/procmailrc file (used with Postfix), we invoke the following
> in this order:
> - email sanitizer
> - spamassassin
> - clamav
> 
> Should it matter if we modify the order in which email sanitizer runs?

In the current order you may want to apply the spamassassin patch
that's on the sanitizer website.

The order of operations is a subject for discussion: which tool
generates the most system load? Which one discards the most messages?

I would say the AV scanner should be last. I think that's the
"heaviest" tool, but I have no numbers to back that up - can anyone
provide any?

I've tried to make the sanitizer as lightweight as possible.
Single-pass, avoid reading entire attachments into memory, etc.

Spamassassin runs a lot of REs across the entire message body and
headers, and can perform DNS lookups.

Personally, I would say the above order is the best. What is
your reason to alter it?

Anybody else care to comment? Anybody have solid performance numbers
on the various tools?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   46 days until the "Scary-Looking Guns" ban expires
From jhardin at impsec.org  Thu Jul 29 19:22:38 2004
From: jhardin at impsec.org (John D. Hardin)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] testvirus.org comprehensiveness
In-Reply-To: <1091112087.23149.6.camel@paradox>
Message-ID: <Pine.LNX.4.10.10407291919530.7917-100000@gypsy.impsec.org>

On Thu, 29 Jul 2004, Jason Noble wrote:

> Well adding this to the poisoned files list stopped the CLSID extension
> 
> *.\{*\}

I've added this to the recommended poison list:

	*.{[-0-9a-f]+}

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   46 days until the "Scary-Looking Guns" ban expires
From simon at paxonet.com  Fri Jul 30 11:46:35 2004
From: simon at paxonet.com (Simon Matthews)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] Order of Email Sanitizer in procmailrc
In-Reply-To: <Pine.LNX.4.10.10407291712280.7312-100000@gypsy.impsec.org>
References: <11968.143.165.201.47.1091134464.squirrel@143.165.201.47>
Message-ID: <4.3.1.2.20040730113704.00f66a20@coremail>

John,

At 05:17 PM 7/29/04 -0700, John D. Hardin wrote:
>On Thu, 29 Jul 2004, Mike McCandless wrote:
>
> > In our /etc/procmailrc file (used with Postfix), we invoke the following
> > in this order:
> > - email sanitizer
> > - spamassassin
> > - clamav
> >
> > Should it matter if we modify the order in which email sanitizer runs?
>
>In the current order you may want to apply the spamassassin patch
>that's on the sanitizer website.
>
>The order of operations is a subject for discussion: which tool
>generates the most system load? Which one discards the most messages?
>
>Spamassassin runs a lot of REs across the entire message body and
>headers, and can perform DNS lookups.
>
>Anybody else care to comment? Anybody have solid performance numbers
>on the various tools?


I run SA first, then the sanitizer, BUT:
1. Emails that are above a certain size don't get run through SA.
2. SA dumps a huge number of emails into a Spambox (approximately 30-50% of 
ALL emails that are not blocked by RBLs, etc). They are then not virus 
checked -- since the users don't see these, I see little reason to virus 
scan them.

So, whereas the sanitizer would pull out <5% or our emails and quarantine 
then, if SA takes 10 times as many resources, I am still ahead in terms of 
resource usage.

Simon
From michael at prismbiz.com  Fri Jul 30 20:03:05 2004
From: michael at prismbiz.com (Mike McCandless)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] ERR: mimencode failed
Message-ID: <003001c476aa$e6c16b50$6701a8c0@RTP8355>

I get the message "ERR: mimeencode failed" in the procmail log when
receiving MS-Office attachments, although the attachments get there fine.
What is the cause?  A recent example from procmail log is:

Sanitizing MIME & attachments in "Excel Attachment" from
<michael@prismbiz.com> to <michael@prismbiz.com>
msgid=<002601c476aa$12977450$6701a8c0@RTP8355>
 Checking Office document "Expense Report Template.xls" for stripping.
 Checking Office document "Expense Report Template.xls" for stripping.
 ERR: mimencode failed:


The contents of /etc/procmailrc are:

PATH="/usr/bin:$PATH:/usr/local/bin"
SHELL=/bin/sh

STRIPPED_EXECUTABLES=/etc/procmail/stripped-specs
SECRET="a secret"
DISABLE_MACRO_CHECK=
SECURITY_STRIP_MSTNEF=YES
DEFANG_WEBBUGS=YES
SECURITY_NONOTIFY_LONGSUBJECT=YES
SECURITY_POISON_WINEXE=YES

MANGLE_EXTENSIONS="long list of extensions..."

DROPPRIVS=yes
LOGFILE=$HOME/Procmail/log

INCLUDERC=/etc/procmail/local-rules.procmail
INCLUDERC=/etc/procmail/html-trap.procmail


-----------------------------------------------------------------
Mike McCandless
michael@prismbiz.com
From jhardin at impsec.org  Fri Jul 30 21:21:24 2004
From: jhardin at impsec.org (John D. Hardin)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] ERR: mimencode failed
In-Reply-To: <003001c476aa$e6c16b50$6701a8c0@RTP8355>
Message-ID: <Pine.LNX.4.10.10407302117240.14954-100000@gypsy.impsec.org>

On Fri, 30 Jul 2004, Mike McCandless wrote:

> I get the message "ERR: mimeencode failed" in the procmail log when
> receiving MS-Office attachments, although the attachments get there fine.
> What is the cause?  A recent example from procmail log is:
> 
> Sanitizing MIME & attachments in "Excel Attachment" from
> <michael@prismbiz.com> to <michael@prismbiz.com>
> msgid=<002601c476aa$12977450$6701a8c0@RTP8355>
>  Checking Office document "Expense Report Template.xls" for stripping.
>  Checking Office document "Expense Report Template.xls" for stripping.
>  ERR: mimencode failed:

The message means mimencode errored out when asked to decode the
base64 attachment body.

You might be able to get more info if you strip just the base64
attachment out of a message and run the command line that is like what
the sanitizer is running:

	cat /tmp/base64encodedfile | mimencode -u -o /tmp/decoded

The sanitizer isn't capturing any error output from mimencode (the
trailing ":" in the log should be followed by something) - running it
interactively may shed some light.

If you can't figure it out, try using the CPAN support instead.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   45 days until the "Scary-Looking Guns" ban expires
From jhardin at impsec.org  Sat Jul 31 09:46:40 2004
From: jhardin at impsec.org (John D. Hardin)
Date: Mon Dec 26 10:18:45 2005
Subject: [Esd-l] testvirus.org comprehensiveness
In-Reply-To: <8E68F5A27FC613458BF7A9881D959D07DA2E9E@cobhm006.na.vul.com
  >
Message-ID: <Pine.LNX.4.10.10407291917180.7917-100000@gypsy.impsec.org>

On Thu, 29 Jul 2004, Smart,Dan wrote:

> Sorry, the correct URL is testvirus.org
> 
> >  -----Original Message-----
> >  
> >  John,
> >  Could you please give me your opinion on the 
> >  comprehensiveness of the testing from virustest.org?  

Looks interesting, but it's not useful to the sanitizer in some cases
as the sanitizer does not scan for virus content, so there are some
attacks it doesn't even try, such as various odd and uncommon ways to
encode attachment filenames.

It did help me catch a few bugs... Thanks!

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin@impsec.org    FALaholic #11174    pgpk -a jhardin@impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The [assault weapons] ban is the moral equivalent of banning red
  cars because they look too fast.
                                   -- Steve Chapman, Chicago Tribune
-----------------------------------------------------------------------
   46 days until the "Scary-Looking Guns" ban expires