Procmail Sanitizer and ESD-L status report

John D. Hardin jhardin at impsec.org
Sun Jan 1 10:20:19 PST 2006


Greetings, everyone, and happy new year. I just thought I'd send a
quick note to let everyone know what's going on.

Given the relatively low volume on the ESD-L list, you may not have
noticed that it went completely offline circa last June. :)

Michael Ghens, who runs spconnect.com and who had graciously hosted
the lists for about five years, decided that he was no longer able to
do so. This is, of course, his prerogative; I thank him for his
generosity in hosting and maintaining the lists for the time he did.

I was able to obtain the subscriber lists and message archives from
him, and I am in the process of setting them up on a public machine
that I myself control. I have restored the ESD-L archives, which you
can browse at http://www.impsec.org/pipermail/esd-l, but the actual
handling of new messages as a mailing list will take a while longer.

Right now, the <esd-l at impsec.org> email address does work, and does
forward messages to the subscriber list, but it is set up as a regular
email alias. This means you cannot subscribe or unsubscribe, and
messages are not automatically archived, and you cannot yet use the
web interface to manage your account.

I will try to get the lists working properly within the next month.
It's a little more tedious than it otherwise would be because I am
also simultaneously moving my public system (website, email, and DNS)
to the new site, and I'm not going to rush and break something...

I will announce when the lists are again proper mailing lists and
available for general use. For now, I'd like to ask that only really
important messages be posted, as I'm not sure how truly reliable this
temporary setup is.

As for the sanitizer itself, I made a new stable release yesterday
(one release per year means the software is mature! :)

This release has one handy new feature and one important new feature.

The handy new feature is that you can now scan RAR archives the same
as ZIP archives. This has been in the devel snapshot for several
months, but when a RAR worm actually dropped into my mailbox a week or
so back, I figured it should be released.

The important new feature is the ability to mangle .WMF filenames
(trivial, "WMF" was just added into the default MANGLE list), and to
poison WMF-format image files regardless of what filename they use.
This is, of course, in response to the *major* flaw in Windows' image
processing libraries, and I strongly recommend that you upgrade to the
1.149 sanitizer, ensure your od (octal dump) program supports -N and
-t, and define $SECURITY_POISON_WMF in your config file and add *.WMF
to your poison lists. This one looks BAD. According to F-Secure, 57
different worm and malware programs use this vector.

Finally, I have also added rsync server capabilities to the new
website. You can sync the entire tree by running the following command
in your local mirror directory:

  rsync --archive rsync://rsync.impsec.org/email-tools .

or if you just want a portion of the tree, just extend the path to
include the bit that you want. Please don't synchronize more than
hourly, as that's the schedule I update the website from my
development box. I recommend that once or twice a day is quite often
enough.

If you set up a public mirror this way, please let me know so that I
can add it to the list on the Downloads page.

Please feel free to contact me - I am still here, and I am still
working on the sanitizer, albeit at a much lower level of activity.

Happy new year, everyone.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The first time I saw a bagpipe, I thought the player was torturing
  an octopus. I was amazed they could scream so loudly.
                                        -- cat_herder_5263 on Y! SCOX
-----------------------------------------------------------------------
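An added example of the content-based WMF check described above, written in POSIX shell. This is not the sanitizer's own code; it only shows the technique the message relies on: read the first four bytes with od -N and od -t and decide from them, so that a renamed .WMF file is still caught, and also honour a *.WMF poison-list entry by extension. It assumes the MIME part has already been decoded to a temporary file and that the caller applies the configured poison action on a "poison" verdict; both are assumptions, not taken from the original post. The header values it matches are the standard WMF META_HEADER (Type 1 or 2, HeaderSize 9 words: bytes 01 00 09 00 or 02 00 09 00) and the placeable WMF key 0x9AC6CDD7 stored little-endian (bytes D7 CD C6 9A).

```shell
#!/bin/sh
# Added example (not the sanitizer's own code): identify a WMF image by its
# first bytes rather than by filename, using only od -N and od -t, which the
# announcement names as the required od features.
#
# Assumption: the attachment body has already been base64/QP-decoded into
# the file passed as $2; what "poison" does afterwards is up to the caller.

# is_wmf FILE -> exit 0 if FILE starts with a WMF header, 1 otherwise.
is_wmf() {
    # Exactly four bytes as lowercase hex, no offsets, spaces stripped.
    magic=$(od -A n -N 4 -t x1 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        d7cdc69a)           return 0 ;;  # placeable (Aldus) WMF key 0x9AC6CDD7, LE
        01000900|02000900)  return 0 ;;  # META_HEADER: Type 1/2, HeaderSize 9 words
        *)                  return 1 ;;
    esac
}

# wmf_verdict FILENAME FILE -> prints "poison" when the part should be
# poisoned, either because the name matches the *.WMF poison-list entry
# (case-insensitive) or because the content is WMF whatever it is called;
# prints "pass" otherwise.
wmf_verdict() {
    name=$1
    file=$2
    case "$name" in
        *.[Ww][Mm][Ff]) echo poison; return 0 ;;
    esac
    if is_wmf "$file"; then
        echo poison
    else
        echo pass
    fi
}
```

Because the decision is made on the decoded bytes, a WMF exploit renamed to .jpg or .gif still gets the "poison" verdict, while a real GIF named .gif passes; the extension check on top covers a .WMF name whose body has not been decoded yet.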