As promised, I've released a new revision of the Sanitizer. It's
on the web site as usual: http://mailtools.anomy.net/dist/

I recommend that anyone using a previous release of the Sanitizer
upgrade as soon as possible, as this release contains a rather large
number of improvements and bugfixes.

- Added built-in support for F-Prot Antivirus for Linux, both the
  small-business and enterprise versions. The default Sanitizer
  configuration will now virus-scan all attachments using the
  command-line version of F-Prot, if it's available (if
  /usr/local/bin/f-prot exists). See the Changelog for more

- The message/partial MIME-type is defanged by default, to protect
  against the fragmented-message attacks being discussed lately. This
  can be disabled by setting "feat_no_partial = 0".

- For those who wish to let message/partial messages through, there
  is now support for scanning the first part as if it were a
  message/rfc822 message. This means any security risks present in
  the *first part* will be defanged, but security problems in
  subsequent parts will probably still slip through.

- Added protection against MIME recursion DoS attacks - the previous
  versions of the Sanitizer could be made to consume horrid amounts
  of memory when sent heavily nested MIME messages. This could
  happen accidentally when mailer-daemons got stuck in endless loops.

The HTML cleaner module has been updated as well, to revision 1.16.
-- 
Bjarni R. Einarsson  PGP: 02764305, B7A3AB89
firstname.lastname@example.org  -><-  http://bre.klaki.net/

Check out my open-source email sanitizer: http://mailtools.anomy.net/
Spammers, please send plenty of email to: email@example.com
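
The two MIME protections announced above (defanging message/partial and bounding MIME nesting), sketched as an added Python example; this is not the Sanitizer's own code, and the names audit, nested, MAX_DEPTH, the depth limit of 8 and the sample message are assumptions made for illustration.

```python
import email
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

MAX_DEPTH = 8  # assumed cap for this example, not a Sanitizer default


def audit(root, max_depth=MAX_DEPTH):
    """Return (verdict, findings) for a parsed message.

    The walk uses an explicit stack, so its own memory use is bounded by
    the cap. A production filter would enforce the cap while parsing; this
    example inspects a tree that has already been built.
    """
    findings = []
    stack = [(root, 0)]
    while stack:
        part, depth = stack.pop()
        if depth > max_depth:
            return "reject", findings + [f"nesting deeper than {max_depth}"]
        if part.get_content_type() == "message/partial":
            # A fragment cannot be judged alone: flag it and do not descend.
            findings.append(f"message/partial at depth {depth}")
            continue
        if part.is_multipart():  # multipart/* and message/rfc822 containers
            stack.extend((child, depth + 1) for child in part.get_payload())
    return ("defang" if findings else "pass"), findings


def nested(levels):
    """Constructed input: a text part wrapped in `levels` multipart layers."""
    msg = MIMEText("hello")
    for _ in range(levels):
        outer = MIMEMultipart("mixed")
        outer.attach(msg)
        msg = outer
    return msg


# Constructed sample: first fragment of a message split into two parts.
SAMPLE_PARTIAL = (
    "From: sender@example.test\n"
    'Content-Type: message/partial; id="frag1@example.test"; number=1; total=2\n'
    "\n"
    "Subject: first fragment\n\nbody\n"
)

if __name__ == "__main__":
    print(audit(nested(3)))
    print(audit(nested(MAX_DEPTH + 1)))
    print(audit(email.message_from_string(SAMPLE_PARTIAL)))
```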