Better late than never - I decided to postpone releasing a new
rev. of the sanitizer after waiting for a few days for replies to
my RFC and not getting any feedback. Things were also developing
on Bugtraq and in other mailtools related projects which prompted
me to make more improvements and squash a few more bugs.
Anyway, the new revision is available on the web. Changes include:
1. added a "feat_force_name" variable, which allows people to
force unnamed MIME parts to get names derived from the part's
2. added a "file_default_name" variable, which allows people to
specify a default file name for unnamed attachments with
unrecognized MIME types. This allows you to add a special rule
to your configuration to handle such attachments.
3. Subject lines are now truncated just like MIME attributes *if*
they appear to contain a file name. The maximum untruncated
length is 128 chars.
4. Fixed whitespace related bugs in MIMEStream.
5. Added LAYER and ILAYER to the list of defanged HTML tags.
Items 1-3 can all help block attacks such as the recent
HTML.dropper attack described on Bugtraq.
Item 5. blocks layer-based attacks against users of web-based
email systems, also discussed on Bugtraq (an exploit against
Hotmail was provided).
Be sure to check the changelog for information about what to
expect from the regression tests (if anyone out there is using
In other news: tomorrow I start my new job, with FRISK Software
International (www.complex.is). They are the makers of the F-Prot
virus scanner, and are one of the few remaining "independent"
virus labs in the world. They also happen to be only 5 minutes
walking distance away from my house. :) I'll be working on
implementing email security systems for them, which my sanitizer
will probably play some important role in. So I'll be working on
bug-fixes and improvements at work instead of in my spare - a
welcome change which should also be good for the sanitizer.
-- Bjarni R. Einarsson PGP: 02764305, B7A3AB89 firstname.lastname@example.org -><- http://bre.klaki.net/
Check out my open-source email sanitizer: http://mailtools.anomy.net/
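
An added illustration (not part of the original message and not the sanitizer's own code) of why changes 1 and 2 matter: a rule that matches on file names cannot see an unnamed MIME part until a name is forced onto it. The Python constants mirror the variable names in the announcement, but their values, the "partN.ext" naming scheme, the assumption that names are derived from the part's content type, and the sample message are all constructed for this sketch.

```python
from email import message_from_string

# Assumed stand-ins for the sanitizer settings named in the announcement;
# the values and the "partN.ext" naming scheme are illustrative only.
FEAT_FORCE_NAME = True
FILE_DEFAULT_NAME = "unnamed.dat"
KNOWN_TYPES = {"text/plain": ".txt", "text/html": ".html", "image/jpeg": ".jpg"}

# Constructed sample: two unnamed parts and one named attachment.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/html

<b>hello</b>
--XX
Content-Type: application/x-mystery

opaque
--XX
Content-Type: image/jpeg; name="photo.jpg"

jpegdata
--XX--
"""

def force_names(msg):
    """Name every unnamed leaf part; return [(content_type, assigned_name)]."""
    assigned = []
    leaves = [p for p in msg.walk() if not p.is_multipart()]
    for n, part in enumerate(leaves, 1):
        if not FEAT_FORCE_NAME or part.get_filename():
            continue
        ctype = part.get_content_type()
        ext = KNOWN_TYPES.get(ctype)
        name = f"part{n}{ext}" if ext else FILE_DEFAULT_NAME
        part.set_param("name", name)  # get_filename() falls back to this
        assigned.append((ctype, name))
    return assigned

def blocked_parts(msg, names=(FILE_DEFAULT_NAME,), exts=(".html",)):
    """Name-based rule: file names of parts the policy would reject."""
    found = [p.get_filename() for p in msg.walk()]
    return [f for f in found if f and (f in names or f.lower().endswith(exts))]
```

Run on the sample, `blocked_parts` matches nothing before `force_names` is applied and matches both previously unnamed parts afterwards, while the already named attachment is left alone.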