LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/LDP/LG/issue32/procmail.pr

102 lines
4.5 KiB
Plaintext
Raw Permalink Blame History

From jhardin@wolfenet.com Mon Aug 3 17:17:25 1998
X-Delivered: at request of bin on uncle
Received: from wolfenet.com (root@frapp.wolfe.net [207.178.61.5])
by uncle.ssc.com (8.8.5/8.8.5) with ESMTP id RAA20843
for <gazette@ssc.com>; Mon, 3 Aug 1998 17:17:24 -0700
Received: from gypsy.rubyriver.com (root@sea-e24.wolfenet.com [209.63.211.24])
by wolfenet.com (8.8.8/8.8.8) with ESMTP id RAA22512
for <gazette@ssc.com>; Mon, 3 Aug 1998 17:17:19 -0700 (PDT)
Received: from localhost (jhardin@gypsy.wolfenet.com [127.0.0.1])
by gypsy.rubyriver.com (8.8.8/8.8.8) with SMTP id RAA30779
for <gazette@ssc.com>; Mon, 3 Aug 1998 17:16:47 -0700
Date: Mon, 3 Aug 1998 17:16:45 -0700 (PDT)
From: "John D. Hardin" <jhardin@wolfenet.com>
X-Sender: jhardin@gypsy.rubyriver.com
To: gazette@ssc.com
Subject: ANNOUNCE: Procmail Filters Kit blocks MIME buffer-overflow exploit messages
Message-ID: <Pine.LNX.3.96.980803171559.30772A-100000@gypsy.rubyriver.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: RO
(For publication as you see fit)
Linux and other *nix admins out there *worldwide* who process email for
anyone using a Windows-based email client should read through this - ISPs
in particular. If your email environment has no Windows desktops, you
don't need to worry (well, at least not about the Outlook Worm... :)
Perhaps MS should rename their email client to "Lookout!!!" >:) [1]
-----------------------------------------------------------------------
A server-side fix for the email security hole in Outlook, Outlook Express,
Netscape Mail (and who knows what other Windows-based email clients)
*does* exist. It is based upon the Procmail email filtering program (which
is installed as the default delivery agent in Redhat Linux). Any Linux or
other *nix system administrator providing email services for Windows users
should consider installing this set of security filters.
This email filtering does nothing to fix the bug itself. Instead, it
prevents users from receiving messages containing an exploit. Corporations
and ISPs can install this software on their email servers and sanitize
email as it is received, before it is even transferred to the end-user's
system to be read. This will give the client vendors time to develop, test
and publish patches, and administrators time to make sure all of their
users (or clients in the case of an ISP) are notified and have their email
clients patched.
The filters package sanitizes the following possible remote exploits and
undesirable behavior:
- MIME attachment filenames longer than 100 characters are truncated to 64
characters. This is short enough to avoid triggering the security hole in
the email client programs, yet should be long enough for real-life
filenames.
- Excessively long "Content-Type:" MIME headers are truncated, preventing
buffer-overflow crashes or exploits in some email clients.
- Executable attachments have their filenames mangled so that they cannot
be executed merely by double-clicking on them; instead they must be saved
and renamed manually. I have had reports of executable attachments
(typically HTML files) being automatically run without user intervention
in some mail clients.
- Active HTML tags in the email body (OBJECT, APPLET, SCRIPT, etc.) are
mangled to prevent their automatic execution. This prevents things like an
email message that, whenever you try to read it, shuts down your email
client, automatically opens a porn site in a browser window, or freezes or
crashes your system.
The Procmail email sanitizing ruleset by itself is available at
ftp://ftp.rubyriver.com/pub/jhardin/antispam/html-trap.procmail
I have also uploaded it to sunsite.unc.edu - it should be available there
shortly.
You can also visit my Procmail Filters Kit web page at
http://www.wolfenet.com/~jhardin/procmail-kit.html
for more details, installation instructions and the full modular anti-spam
filters kit.
For media hype, visit
http://www.sjmercury.com/business/tech/docs/secure080298.htm
[1] I know: old joke. Sorry.
--
John Hardin KA7OHZ jhardin@wolfenet.com
pgpk -a finger://gonzo.wolfenet.com/jhardin PGP key ID: 0x41EA94F5
PGP key fingerprint: A3 0C 5B C2 EF 0D 2C E5 E9 BF C8 33 A7 A9 CE 76
-----------------------------------------------------------------------
Your mouse has moved. Windows NT must be restarted for the change
to take effect. Reboot now? [ OK ]
-----------------------------------------------------------------------
84 days until Daylight Savings Time ends
Reference in New Issue View Git Blame Copy Permalink