MFilter Announce (was - weird seccheck-0.9-35 behaviour)
OK guys, it's been over a month since I was asked to submit info about this script, but I have been a little busy. Anyway, better late than never!

There is now a homepage (sort of) up at http://sourceforge.net/project/?group_id=5609 and a mailing list at mfilter-devel@lists.sourceforge.net

Note: This program is stable and running in production at several sites; however, there are several "possible" buffer overflows in the source at the moment. I have not had a chance to fix them since they were pointed out to me a few days ago by the programmer at the desk behind me :)

Here is a bit of a description of how it works:

The gateway has a daemon program running called SMTPD that accepts all incoming email, whether it's from inside our network (Exchange Server) or from outside sources. The SMTPD program dumps this email into a folder on the Linux server called INCOMING (/usr/spool/smtpd/incoming).

A different background program, SMTP-VIRUS (/usr/sbin/smtp-virus), periodically checks the INCOMING folder and runs anything it finds in there through the Linux AVP virus checker. AVP on Linux is installed in the /usr/local/avp folder. If the message is virus free, it is then moved to the SCANNED folder (/usr/spool/smtpd/scanned).

The main SENDMAIL program periodically checks the SCANNED folder, works out who the messages are destined for, and sends them on to their destination. This whole process looks to take only 30 seconds or so (depending on the size of the emails).

If a message in the INCOMING folder is found to be virus infected, it is instead moved to the BAD folder (/usr/spool/smtpd/bad). Anything in the BAD folder is scanned again by the program SMTP-BADMAIL (/usr/sbin/smtp-badmail) to find out exactly what it is infected with. The same program generates a warning email which goes to the original sender of the email and also gets copied to the admin account on our Exchange box. The original recipient of the file is not notified. At this point, the infected email is moved to the BAD_ARCHIVE folder (/usr/spool/smtpd/bad_archive) where it stays until we delete it.

The basic diagram below gives a good idea of the flow of the process.

ALL EMAILS -> SMTPD -> INCOMING FOLDER -> SMTP-VIRUS (VIRUS CHECKER) -> VIRUS FREE -> SCANNED FOLDER -> DELIVERED TO RECIPIENT VIA SENDMAIL
                                                                      |
                                                                      --> INFECTED -> BAD FOLDER -> SMTP-BADMAIL sends warning emails -> BAD_ARCHIVE

The SMTP-VIRUS and SMTP-BADMAIL programs are Perl scripts (the equivalent of a DOS batch file), and these can be edited with PICO to make adjustments. If you wish to change the warning message, it can be found in the smtp-badmail file (pico /usr/sbin/smtp-badmail).

AVP is set to automatically update itself every 4 hours via the cron job /usr/local/avp/update.sh. This file connects to a local AVP FTP site and grabs any files newer than its own, so we are essentially only a few hours away from the latest update all the time. The update.sh file gets its settings from the /usr/local/avp/avp.pkg text file, which tells it what site to connect to etc.

Have a lot of fun!!!!!

Peter Nixon
nix@cotse.com (Note: this is a new address)
-----Original Message-----
From: Rainer Link [mailto:link@foo.fh-furtwangen.de]
Sent: Friday, 7 July 2000 9:48
To: Peter Nixon
Subject: Re: [suse-security] weird seccheck-0.9-35 behaviour
Hi!

Sorry, no answer to your question :-)

Peter Nixon wrote:

> I am using seccheck-0.9-35 on SuSE 6.4 with all available security options and updates. This machine also runs squid, sendmail, smtpd, AVP and BIND
>
>   178 ?  S  0:00 /bin/su - mail -c /usr/sbin/smtp-virus
>   191 ?  S  0:48  \_ perl /usr/sbin/smtp-virus
>  5689 ?  S  0:00      \_ sh -c /usr/local/avp/AvpLinux /var/spool/smtpd/incoming/smtpdvI0vSs >> /var/tmp/smtpdvI0vSs.191/scanlog
>  5690 ?  R  0:00          \_ /usr/local/avp/AvpLinux /var/spool/smtpd/incoming/smtpdvI0vSs
>   183 ?  S  0:02 /usr/sbin/smtpfwdd -u mail -g daemon -d /var/spool/smtpd/scanned

What's smtp-virus? Is it your own solution (maybe GPL'ed)? Thanks for your information. (P.S. If it's GPL I would like to add it to lavp.sourceforge.net)

best regards,
Rainer Link

-- 
Rainer Link     | Student of Computer Networking
rainer@w3.to    | University of Applied Sciences, Furtwangen, Germany
rainer.w3.to    | http://www.computer-networking.de/
Peter,

> The gateway has a daemon program running called SMTPD that accepts all incoming email, whether it's from inside our network (Exchange Server) or from outside sources. The SMTPD program dumps this email into a folder on the Linux server called INCOMING (/usr/spool/smtpd/incoming).
>
> A different background program, SMTP-VIRUS (/usr/sbin/smtp-virus), periodically checks the INCOMING folder and runs anything it finds in there through the Linux AVP virus checker. AVP on Linux is installed in the /usr/local/avp folder. If the message is virus free, it is then moved to the SCANNED folder (/usr/spool/smtpd/scanned).

There is a generic problem that I find interesting: You "drop" the mail into the incoming folder/area. Do you make sure that the envelope sender + recipient addresses get nailed down so that the sendmail following behind the virus check knows exactly where the email is supposed to be delivered? You might know that the problem with maildrop mailboxes is that the recipient address gets lost, because there is no necessity to have it in the header of the mail.

> The main SENDMAIL program periodically checks the SCANNED folder, works out who the messages are destined for, and sends them on to their destination. This whole process looks to take only 30 seconds or so (depending on the size of the emails).
>
> If a message in the INCOMING folder is found to be virus infected, it is instead moved to the BAD folder (/usr/spool/smtpd/bad). Anything in the BAD folder is scanned again by the program SMTP-BADMAIL (/usr/sbin/smtp-badmail) to find out exactly what it is infected with. The same program generates a warning email which goes to the original sender of the email and also gets copied to the admin account on our Exchange box.
> The original recipient of the file is not notified. At this point, the
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A small warning: Be careful! The "Fernmeldegesetz", the German telecommunication law, might classify this as communication suppression. The penalty for things like this is usually underestimated, here in Germany as well as elsewhere (historical reasons?). It might be wise to consult a legal professional about that...

> infected email is moved to the BAD_ARCHIVE folder (/usr/spool/smtpd/bad_archive) where it stays until we delete it.
>
> The basic diagram below gives a good idea of the flow of the process.
>
> ALL EMAILS -> SMTPD -> INCOMING FOLDER -> SMTP-VIRUS (VIRUS CHECKER) -> VIRUS FREE -> SCANNED FOLDER -> DELIVERED TO RECIPIENT VIA SENDMAIL
>                                                                       |
>                                                                       --> INFECTED -> BAD FOLDER -> SMTP-BADMAIL sends warning emails -> BAD_ARCHIVE
>
> The SMTP-VIRUS and SMTP-BADMAIL programs are Perl scripts (the equivalent of a DOS batch file), and these can be edited with PICO to make adjustments. If you wish to change the warning message, it can be found in the smtp-badmail file (pico /usr/sbin/smtp-badmail).
>
> AVP is set to automatically update itself every 4 hours via the cron job /usr/local/avp/update.sh. This file connects to a local AVP FTP site and grabs any files newer than its own, so we are essentially only a few hours away from the latest update all the time. The update.sh file gets its settings from the /usr/local/avp/avp.pkg text file, which tells it what site to connect to etc.
>
> Have a lot of fun!!!!!
>
> Peter Nixon
> nix@cotse.com (Note: this is a new address)

Thanks,
Roman.

-- 
 - -
| Roman Drahtmüller      <draht@suse.de> //  "Caution: Cape does
| SuSE GmbH - Security           Phone: //   not enable user to fly."
| Nürnberg, Germany      +49-911-740530 //   (Batman Costume warning label)
 - -
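As an added illustration after the exchange above, and not code from the original posts or from the MFilter project: a Python sketch of the INCOMING -> SCANNED / BAD stage Peter describes, extended with the point Roman raises, namely recording the envelope (MAIL FROM and RCPT TO) next to each spooled message so that the delivery stage and the warning mailer read recorded addresses instead of guessing them from To:/Cc: headers. The ".env" sidecar file, the queue_message() helper standing in for the receiving smtpd, and toy_scanner() standing in for AvpLinux are assumptions of this example; the real programs' file formats, command lines and exit codes are not given on the page. The two spooled messages are constructed samples.

```python
# Added example (not the original post's or the MFilter project's code).
# Spool layout as in the post: incoming/ -> scanned/ (clean) or bad/ (infected).
# Assumptions, labelled: the receiving daemon writes a "<id>.env" sidecar with
# the envelope (the real smtpd's behaviour is not shown on the page), and
# toy_scanner() stands in for AvpLinux, whose CLI and exit codes are not given.
import json
import shutil
import tempfile
from pathlib import Path

# The standard EICAR test string; real scanners flag it, and so does the toy one.
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def toy_scanner(msg: Path) -> bool:
    """Stand-in for the virus checker: True means infected."""
    return EICAR.encode() in msg.read_bytes()


def make_spool(root: Path) -> None:
    for d in ("incoming", "scanned", "bad"):
        (root / d).mkdir(parents=True, exist_ok=True)


def env_path(msg: Path) -> Path:
    """Sidecar holding the envelope, keyed by the spool filename, never by headers."""
    return msg.parent / (msg.name + ".env")


def queue_message(root: Path, msg_id: str, mail_from: str, rcpt_to: list, body: bytes) -> Path:
    """What the receiving daemon should do: write the envelope first, then the
    message under a temporary name, and rename last so the scanner never picks
    up a half-written file."""
    incoming = root / "incoming"
    final = incoming / msg_id
    env_path(final).write_text(json.dumps({"from": mail_from, "rcpt": rcpt_to}))
    tmp = incoming / ("." + msg_id + ".tmp")
    tmp.write_bytes(body)
    tmp.rename(final)
    return final


def scan_incoming(root: Path, scanner=toy_scanner) -> dict:
    """The smtp-virus step: each finished message in incoming/ is scanned and
    moved, together with its envelope, to scanned/ or bad/."""
    outcome = {}
    for msg in sorted((root / "incoming").iterdir()):
        if msg.name.startswith(".") or msg.name.endswith(".env"):
            continue  # in-flight temp file, or a sidecar that moves with its message
        dest = root / ("bad" if scanner(msg) else "scanned")
        env = env_path(msg)
        if env.exists():
            shutil.move(str(env), str(dest / env.name))  # envelope first ...
        shutil.move(str(msg), str(dest / msg.name))      # ... message last, so a
        outcome[msg.name] = dest.name                    # poller never sees a message without its envelope
    return outcome


def envelope(root: Path, folder: str, msg_id: str) -> tuple:
    """What the delivery stage (sendmail) or the warning mailer (smtp-badmail)
    reads: the recorded envelope, not a guess from To:/Cc: headers."""
    data = json.loads(env_path(root / folder / msg_id).read_text())
    return data["from"], list(data["rcpt"])


def run_demo(root: Path = None) -> dict:
    """Queue one clean and one infected message (constructed samples) and run the stage."""
    root = Path(tempfile.mkdtemp()) if root is None else root
    make_spool(root)
    # Clean message whose headers carry no usable recipient at all (Bcc-style delivery).
    queue_message(root, "msg001", "alice@example.org", ["bob@example.com"],
                  b"To: undisclosed-recipients:;\r\nSubject: hi\r\n\r\nhello\r\n")
    # Infected message: the scanner flags it, and the warning goes to the envelope sender.
    queue_message(root, "msg002", "mallory@example.net", ["bob@example.com", "carol@example.com"],
                  b"Subject: fun\r\n\r\n" + EICAR.encode() + b"\r\n")
    moved = scan_incoming(root)
    return {
        "moved": moved,
        "deliver_to": envelope(root, "scanned", "msg001")[1],
        "warn": envelope(root, "bad", "msg002")[0],
        "left_in_incoming": sorted(p.name for p in (root / "incoming").iterdir()),
    }


if __name__ == "__main__":
    print(run_demo())
```

Run stand-alone, it prints the outcome for the two constructed messages; the clean one has no recipient in its headers at all, which is exactly the case a header-based delivery stage gets wrong, and the infected one's warning address comes from the recorded MAIL FROM rather than from a forgeable From: header.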