[esd-l] [esa-l] Procmail Sanitizer updates

Karl Dunn kdunn at acm.org
Sat Jul 12 19:09:19 PDT 2014 

On Fri, 11 Jul 2014, John Hardin wrote:

> Folks:
>
> In the immortal words of the peasant in the plague-ridden medieval English
> village: "I'm not dead yet!"
>
> While development of the sanitizer has greatly slowed since 2006, I am
> still using it in production and I am still modifying it from time to
> time as the nature of email and exploits change.
>
> The most recent modification is a change to the Office macro scanner code
> to detect and score Office documents that attempt to download malware off
> the Internet. This change detects an Office document attack I received a
> few days ago that is getting essentially zero antivirus detection at this
> point.
>
> If you are still using the sanitizer, please consider visiting the website
> and downloading the development snapshot. It is stable even though it has
> not been officially released - it's been in continuous production use on
> my mailserver for years.
>
>     http://impsec.org/email-tools/procmail-security.html
>
> And I am still here, please don't hesitate to get in touch.
>
> (Now to see how many unsubscribes this generates...)
>
> --
>  John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org    FALaholic #11174     pgpk -a jhardin at impsec.org
>  key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> -----------------------------------------------------------------------
>  What nuts do with guns is terrible, certainly. But what evil or crazy
>  people do with *anything* is not a valid argument for banning that
>  item.                            -- John C. Randolph <jcr at idiom.com>
> -----------------------------------------------------------------------
>  5 days until the 69th anniversary of the dawn of the Atomic Age
> _______________________________________________
> esa-l mailing list
> esa-l at impsec.org
> https://www.impsec.org/mailman/listinfo/esa-l
>

Glad to see you are with it still.

Been using html-trap.procmail for at least 15 years, at VMIC for both 
incoming and outgoing email (now GE Embedded Industrial Systems, AFAIK), 
and since I retired in 2002, at home for incoming email.

It caught this recently, after getting through ACM's filter:

   ------=_NextPart_000_002B_01CF18F2.A76B40D0
   Content-Type: TEXT/PLAIN;
   X-Content-Security: [fly.hiwaay.net] QUARANTINE
   Content-Description: SECURITY WARNING


   SECURITY WARNING!

   The mail system has detected that the preceding ZIP archive
   attachment contains suspicious files.
   Do not trust it. Contact your system administrator immediately.

   The suspicious files in the archive are:

     Plaint_Note__Date_24_01_2014.exe

   ------=_NextPart_000_002B_01CF18F2.A76B40D0--

Version being used on my ISP's shell account:

   $Id: html-trap.procmail,v 1.151 2006-01-20 07:29:24-08 jhardin Exp jhardin $

Gonna look at your latest very soon.

Thank you very much indeed!

Karl Dunn
kdunn at acm.org

More information about the esd-l mailing list