Release Notes: This release adds detection of Microsoft Office Suite VBE buffer overflow attacks (8/31 EEYE alert) to the Microsoft Office file attachment macro scanner, and traps attacks on other recent Outlook and Sendmail bugs. There are other minor improvements.
Release Notes: This release fixes a minor security bug and a missed MIME type mangle. Configuration of Office embedded-link scoring has been added.
Release Notes: A bug in filename shortening that broke older Perl versions has been fixed. MIME mangling has been changed away from TEXT/PLAIN, as some mailers perform text-related operations on that MIME type, corrupting the attachments.
Release Notes: CPL (Control Panel applet) and WSZ (scriptable WinAmp skin) have been added to the default list of executable extensions. Extension-only filenames are handled properly. HTML-encoded multibyte characters are not corrupted. Runs of spaces in filenames are collapsed before length limiting. Original extensions are not lost during length limiting. A kill-all-EXEs option has been added to check the base64 body for Windows .exe magic. MSWord INCLUDETEXT and INCLUDEPICTURE are detected as an attack by the macro scanner. There is a special case for sender detection in messages from AOL.
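The kill-all-EXEs idea above, shown as an added Python example (not the sanitizer's own code): it decodes the start of each base64 part and tests for the `MZ` executable magic, so an executable is caught even when its filename extension looks harmless. The function names and the sample message are assumptions constructed for illustration.

```python
import base64
import binascii
from email import message_from_string
from email.message import EmailMessage

MZ_MAGIC = b"MZ"  # first two bytes of a DOS/Windows executable


def starts_with_exe_magic(b64_body):
    """Decode the first base64 quantum (4 chars -> 3 bytes) and test for MZ."""
    head = "".join(b64_body.split())[:4]  # ignore line breaks and indentation
    if len(head) < 4:
        return False
    try:
        return base64.b64decode(head, validate=True)[:2] == MZ_MAGIC
    except (binascii.Error, ValueError):
        return False  # not valid base64, so nothing to match


def find_exe_parts(raw_message):
    """Return filenames of base64 parts whose content begins with MZ."""
    hits = []
    # walk() descends into nested multipart containers as well
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        cte = (part.get("Content-Transfer-Encoding") or "").strip().lower()
        if cte == "base64" and starts_with_exe_magic(part.get_payload()):
            hits.append(part.get_filename() or "(no filename)")
    return hits


def build_sample():
    """Constructed test message: an MZ payload named .txt plus a real text file."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("See attachments.")
    msg.add_attachment(b"MZ\x90\x00\x03\x00\x00\x00", maintype="application",
                       subtype="octet-stream", filename="invoice.txt")
    msg.add_attachment(b"Meeting notes for Tuesday.", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    return msg.as_string()


if __name__ == "__main__":
    print(find_exe_parts(build_sample()))
```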
Release Notes: Improved the sender address checking to better avoid notifying forged sender addresses, and fixed the quoting of unquoted attachment filenames that have embedded semicolons. Improved active HTML defanging a bit, improved customizability, and made other minor improvements and bugfixes.
Release Notes: More configuration options were added in this release to ease use with non-sendmail MTAs. There is improved handling of maliciously encoded attachment filenames and Windows-specific attachment filename trickery, a workaround for a memory bug in Procmail 3.22, and other minor bugfixes and enhancements.
Release Notes: This release fixes a bug in handling certain recursive multipart MIME attachments (as used in a recent worm variant), and adds other minor feature enhancements.
Release Notes: Two bugs that allowed some messages to bypass attachment sanitizing have been fixed. Attachment stripping has been added, as well as many other minor capability enhancements and bugfixes.
Release Notes: This release is smaller, and should now work on AIX. There are more customization options. Handling of CLSID filenames has been added.
Release Notes: Now detects and truncates "Subject:" headers longer than 250 characters, to protect Outlook Express users. VCF and NWS added to the default MANGLE_EXTENSIONS list. Only defangs HTML in message body, to avoid defanging email addresses like "< email@example.com >". Changed macro scanner to allow detailed reporting of what it finds; if you add SCORE_DETAILS=YES to your sanitizer configuration, the sanitizer will now tell you why it is considering a document to be poisoned. Modified macro score logging to include the recipient name. Changed default filename to "default.txt" to try to force Windows to treat it safely. Fixed the REPORT bug from 1.128.