From mdm at internet-tools.com Fri Jul 11 09:53:53 2014
From: mdm at internet-tools.com (mark david mcCreary)
Date: Fri, 11 Jul 2014 11:53:53 -0500
Subject: [esd-l] [esa-l] Procmail Sanitizer updates
Message-ID: <17A8B8D5-39EE-4230-8F32-2AAF1B0F9D55@internet-tools.com>

On Jul 11, 2014, at 11:23 AM, John Hardin wrote:

> Folks:
>
> In the immortal words of the peasant in the plague-ridden medieval English
> village: "I'm not dead yet!"

John

That's good to hear and thanks for the blast from the past. It's been a while since I've used your Sanitizer but I do want to say thanks for making it available. It was a real help to me.

mark david mcCreary
Houston Texas


From bdhanna at cmrr.umn.edu Fri Jul 11 11:12:20 2014
From: bdhanna at cmrr.umn.edu (Brian Hanna)
Date: Fri, 11 Jul 2014 13:12:20 -0500
Subject: [esd-l] [esa-l] Procmail Sanitizer updates

Agreed - thank you for your generosity. Your sanitizer really helped during those years I ran a mailserver.

Brian Hanna

On Fri, Jul 11, 2014 at 11:23 AM, John Hardin wrote:

> Folks:
>
> In the immortal words of the peasant in the plague-ridden medieval English
> village: "I'm not dead yet!"
>
> While development of the sanitizer has greatly slowed since 2006, I am
> still using it in production and I am still modifying it from time to
> time as the nature of email and exploits change.
>
> The most recent modification is a change to the Office macro scanner code
> to detect and score Office documents that attempt to download malware off
> the Internet. This change detects an Office document attack I received a
> few days ago that is getting essentially zero antivirus detection at this
> point.
>
> If you are still using the sanitizer, please consider visiting the website
> and downloading the development snapshot. It is stable even though it has
> not been officially released - it's been in continuous production use on
> my mailserver for years.
>
> http://impsec.org/email-tools/procmail-security.html
>
> And I am still here, please don't hesitate to get in touch.
>
> (Now to see how many unsubscribes this generates...)
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin at impsec.org FALaholic #11174 pgpk -a jhardin at impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> What nuts do with guns is terrible, certainly. But what evil or crazy
> people do with *anything* is not a valid argument for banning that
> item. -- John C. Randolph
> -----------------------------------------------------------------------
> 5 days until the 69th anniversary of the dawn of the Atomic Age
> _______________________________________________
> esa-l mailing list
> esa-l at impsec.org
> https://www.impsec.org/mailman/listinfo/esa-l


From john.lorimer at gmail.com Sat Jul 12 17:48:17 2014
From: john.lorimer at gmail.com (John Lorimer)
Date: Sun, 13 Jul 2014 10:48:17 +1000
Subject: [esd-l] [esa-l] Procmail Sanitizer updates

On 12 July 2014 02:23, John Hardin wrote:

> Folks:
>
> In the immortal words of the peasant in the plague-ridden medieval English
> village: "I'm not dead yet!"

unsubscribe? no way!!

Procmail - such a great first line of defence.

Just dug into my email archives... from 2002:

REPORT: Trapped poisoned executable "midgets.scr"
REPORT: Not a document, or already poisoned by filename. Not scanned for macros.
STATUS: Message quarantined in /var/spool/mail/quarantine, not delivered to recipient.

:-)


From kdunn at acm.org Sat Jul 12 19:09:19 2014
From: kdunn at acm.org (Karl Dunn)
Date: Sat, 12 Jul 2014 21:09:19 -0500 (CDT)
Subject: [esd-l] [esa-l] Procmail Sanitizer updates

On Fri, 11 Jul 2014, John Hardin wrote:

> Folks:
>
> In the immortal words of the peasant in the plague-ridden medieval English
> village: "I'm not dead yet!"
>
> While development of the sanitizer has greatly slowed since 2006, I am
> still using it in production and I am still modifying it from time to
> time as the nature of email and exploits change.
>
> The most recent modification is a change to the Office macro scanner code
> to detect and score Office documents that attempt to download malware off
> the Internet. This change detects an Office document attack I received a
> few days ago that is getting essentially zero antivirus detection at this
> point.
>
> If you are still using the sanitizer, please consider visiting the website
> and downloading the development snapshot. It is stable even though it has
> not been officially released - it's been in continuous production use on
> my mailserver for years.
>
> http://impsec.org/email-tools/procmail-security.html
>
> And I am still here, please don't hesitate to get in touch.
>
> (Now to see how many unsubscribes this generates...)
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> jhardin at impsec.org FALaholic #11174 pgpk -a jhardin at impsec.org
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
> What nuts do with guns is terrible, certainly. But what evil or crazy
> people do with *anything* is not a valid argument for banning that
> item. -- John C. Randolph
> -----------------------------------------------------------------------
> 5 days until the 69th anniversary of the dawn of the Atomic Age

Glad to see you are with it still.

Been using html-trap.procmail for at least 15 years, at VMIC for both incoming and outgoing email (now GE Embedded Industrial Systems, AFAIK), and since I retired in 2002, at home for incoming email.

It caught this recently, after getting through ACM's filter:

------=_NextPart_000_002B_01CF18F2.A76B40D0
Content-Type: TEXT/PLAIN;
X-Content-Security: [fly.hiwaay.net] QUARANTINE
Content-Description: SECURITY WARNING

SECURITY WARNING!

The mail system has detected that the preceding ZIP archive attachment contains suspicious files. Do not trust it. Contact your system administrator immediately.

The suspicious files in the archive are:

Plaint_Note__Date_24_01_2014.exe

------=_NextPart_000_002B_01CF18F2.A76B40D0--

Version being used on my ISP's shell account:

$Id: html-trap.procmail,v 1.151 2006-01-20 07:29:24-08 jhardin Exp jhardin $

Gonna look at your latest very soon. Thank you very much indeed!

Karl Dunn
kdunn at acm.org
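The two reports quoted in this thread (a trapped ".scr" attachment, and a ZIP archive quarantined because it carried an ".exe") illustrate the same defensive check: look at the names of executable-looking attachments, including members inside an archive, before a message reaches a mailbox. The following is an added example that is not the sanitizer's own code; the extension list, the warning wording and the sample message are constructed here, and the real html-trap.procmail implements its checks in its procmail recipe.

```python
import io
import zipfile
from email.message import EmailMessage

# Constructed extension list for this example (assumption, not the sanitizer's list).
POISONED_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}


def is_poisoned_name(name):
    """Judge by the final extension only, case-insensitively, so a
    double-extension name such as 'note.pdf.exe' is still caught."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return "." in base and base.rsplit(".", 1)[1].lower() in POISONED_EXTENSIONS


def suspicious_members(zip_bytes):
    """Return archive member names that look executable. An archive that
    cannot be parsed is reported as one pseudo-member so the caller
    quarantines it instead of silently passing it through."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            return [n for n in zf.namelist() if is_poisoned_name(n)]
    except zipfile.BadZipFile:
        return ["<unreadable ZIP archive>"]


def scan_message(msg):
    """Walk the MIME parts of an email.message.Message and collect suspicious
    archive members; also treat a '.zip'-named part as an archive even when
    the sender labelled it with a generic content type."""
    hits = []
    for part in msg.walk():
        is_zip_type = part.get_content_type() in ("application/zip", "application/x-zip-compressed")
        is_zip_name = (part.get_filename() or "").lower().endswith(".zip")
        if is_zip_type or is_zip_name:
            hits.extend(suspicious_members(part.get_payload(decode=True) or b""))
    return hits


def security_warning(hits):
    """Notice text modelled on the one quoted on the list (wording is an assumption)."""
    lines = ["SECURITY WARNING!",
             "The mail system has detected that the preceding ZIP archive attachment",
             "contains suspicious files. Do not trust it.",
             "The suspicious files in the archive are:"] + hits
    return "\n".join(lines)


def build_sample_message():
    """Constructed test message: a ZIP carrying a .exe next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Plaint_Note__Date_24_01_2014.exe", b"not a real binary")
        zf.writestr("readme.txt", b"hello")
    msg = EmailMessage()
    msg["Subject"] = "Plaint Note"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="note.zip")
    return msg
```

Running `security_warning(scan_message(build_sample_message()))` prints a notice naming the constructed ".exe" member only; a quarantine decision would follow from a non-empty result.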