Enhancing E-Mail Security With Procmail

the E-mail Sanitizer


Welcome to the home page of the Procmail Email Sanitizer. The Sanitizer is a tool for preventing attacks on your computer's security via email messages. It has proven to be very effective against the latest crop of Microsoft email worms that have gotten so much attention in the popular press.

The Sanitizer's intended audience is administrators of mail systems. It is not generally intended for end users, unless they administer their own mail systems rather than simply telling their mail program to retrieve messages from a mail server administered by someone else.

If you are here because you've gotten a message saying that a piece of mail you sent has been rejected, or because the URL for this website appears in a piece of mail you've received, or because you're wondering why your email attachments are suddenly named DEFANGED, please read this introduction to the Sanitizer - it should answer your questions. Let me know if it doesn't.


Filtering Email for Security

Procmail is a program that processes email messages looking for particular information in the headers or body of each message, and takes actions based on what it finds. If you're familiar with the concept of "rules" as provided in many major user mail clients (such as the cc:Mail client), then you are already familiar with the concept of automatically processing email messages based on their content.

This procmail ruleset is specifically designed to "sanitize" your email on the mail server, before your users even attempt to retrieve their messages. It is not intended for end users to install on their Windows desktop systems for personal protection.


News & Notes

The current version of the html-trap.procmail ruleset is: 1.138
It is recommended you update your copy if your version is older, as bugfixes and filtering for newer exploits will have been added. See the history of changes for details.

An announce list for email security issues has been set up. It will primarily carry information on new exploits and updates of the sanitizer. To subscribe, send a message with the subject "subscribe" to esa-l-request@spconnect.com. This is a strongly moderated list for announcements only, not general discussion.

If you want to join the discussion mailing list, send a message with the subject "subscribe" to esd-l-request@spconnect.com. This is a members-only list; to post to it you must join. There is also an archive of messages available.


If you are getting errors like "sendmail: illegal option -- U" see the configuration page for how to fix it.

If you are experiencing the "Dropped F" problem (where the "F" in the leading "From" in the message is being deleted), please note: this is a known problem in procmail. It may be fixed in the current release; you may want to upgrade. The problem occurs when a filter action returns an error. In that situation procmail may lose the first byte of the message. MAKE SURE your log file has 622 permissions. Also, here is a short rule that will help clean it up; add it to the end of your /etc/procmailrc file.

I have regained access to the ftp.rubyriver.com mirror and it is now being maintained.

Development of the 2.0 sanitizer has begun. The planned feature list looks something like this:

Beta announcements will be made to the mailing list.

I've decided to delay moving over to the Anomy project until after a stable 2.x sanitizer ships, for various reasons including the feeling that there should be alternative solutions available.

I can be contacted at <jhardin@impsec.org> - you could also visit my home page.

Several people have asked me why I don't charge for this package. I suppose this is primarily due to the fact that I don't think anybody should be exposed to these attacks simply because they don't want to or can't afford to buy something to protect themselves, but it also has to do with the fact that I view this as an interesting intellectual challenge, a way to gain recognition, and a way to give back to the community.
However, if you feel like paying for receiving something of value that has improved your life, then feel free to send me a donation via PayPal, and lament that nobody's done TequilaPal yet.



$Id: procmail-security.html,v 1.166 2003-01-26 11:42:32-08 jhardin Exp jhardin $
Contents Copyright (C) 2003 by John D. Hardin - All Rights Reserved.
The primary Sanitizer home page is at http://www.impsec.org/email-tools/procmail-security.html
