Mailinglist Archive: opensuse-security (601 mails)

Re: [suse-security] MFilter Announce (was - weird seccheck-0.9-35 behaviour)
  • From: Roman Drahtmueller <draht@xxxxxxx>
  • Date: Fri, 4 Aug 2000 14:54:41 +0200 (MEST)
  • Message-id: <Pine.LNX.4.21.0008041442250.2133-100000@xxxxxxxxxxxx>
Peter,

> The gateway has a daemon program running called SMTPD that accepts all
> incoming email, whether it's from inside our network (Exchange Server) or
> from outside sources. The SMTPD program dumps this email into a folder on
> the linux server called INCOMING (/usr/spool/smtpd/incoming).
>
> A different program background job SMTP-VIRUS (usr/sbin/smtp-virus)
> periodically checks the INCOMING folder and runs anything it finds in there
> through the Linux AVP Virus checker. AVP on Linux is installed in the
> /usr/local/avp folder. If the message is virus free, it is then moved to
> the SCANNED folder (/usr/spool/smtpd/scanned).

There is a generic problem that I find interesting: You "drop" the mail
into the incoming folder/area. Do you make sure that the envelope sender +
recipient addresses get nailed down so that the sendmail following behind
the virus check knows exactly where the email is supposed to be delivered?

You might know that the problem with maildrop mailboxes is that the
recipient address gets lost because there is no necessity to have it in
the header of the mail.

>
> The main SENDMAIL program periodically checks the SCANNED folder, works out
> who the messages are destined for, and sends them on to their destination.
> This whole process looks to take only 30 seconds or so (depending on the
> size of the emails).
>
> If a message in the INCOMING folder is found to be virus infected, it is
> instead moved to the BAD folder (/usr/spool/smtpd/bad).
> Anything in the BAD folder is scanned again by the program SMTP-BADMAIL
> (/usr/sbin/smtp-badmail) to find out exactly what it is infected with. The
> same program generates a warning email which goes to the original sender of
> the email and also gets copied to the admin account on our exchange box.
> The original recipient of the file is not notified. At this point, the

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

A small warning:
Be careful! "Fernmeldegesetz", the German telecommunication law, might
classify this as communication suppression. The penalty for things like
this usually is underestimated, here in Germany as well as elsewhere
(historical reasons?). It might be wise to address a legal professional
with that...


> infected email is moved to the BAD_ARCHIVE folder
> (/usr/spool/smtpd/bad_archive) where it stays until we delete it.
>
> The basic diagram below gives a good idea of the flow of the process.
>
> ALL EMAILS -> SMTPD -> INCOMING FOLDER -> SMTP-VIRUS
> (VIRUS CHECKER) -> VIRUS FREE ->
> SCANNED FOLDER -> DELIVERED TO RECIPIENT VIA SENDMAIL
> |
> --> INFECTED -> BAD FOLDER ->
> SMTP-BADMAIL sends warning emails -> BAD_ARCHIVE
>
>
>
> The SMTP-VIRUS and SMTP-BADMAIL programs are perl scripts (equivalent to a
> dos batch file), and these can be edited with PICO to make adjustments. If
> you wish to change the warning message, it can be found in the smtp-badmail
> file (pico /usr/sbin/smtp-badmail).
>
> AVP is set to automatically update itself every 4 hours via the CRON job
> /usr/local/avp/update.sh. This file connects to a local AVP FTP site and
> grabs any files newer than its own, so we are essentially only a few hours
> away from the latest update all the time. The update.sh file gets its
> settings from the /usr/local/avp/avp.pkg text file, which tells it what site
> to connect to etc.
>
>
> Have a lot of Fun!!!!!
>
>
> Peter Nixon
> nix@xxxxxxxxx (Note: this is a new address)


Thanks,
Roman.
--
- -
| Roman Drahtmüller <draht@xxxxxxx> // "Caution: Cape does |
SuSE GmbH - Security Phone: // not enable user to fly."
| Nürnberg, Germany +49-911-740530 // (Batman Costume warning label) |
- -
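Roman's question about nailing down the envelope addresses is the crux of any spool-and-scan gateway of the kind Peter describes: once a message sits as a file in INCOMING, the MAIL FROM / RCPT TO of the SMTP session are gone unless the gateway wrote them down, and the headers need not name the real recipient (Bcc, list traffic, forwarding). The following is an added illustration, not code from either poster and not the SMTPD/smtp-virus scripts; it is in Python rather than the Perl of the real scripts so it can be run as-is. It spools each message as a .msg file with a sidecar .env record of the envelope, moves both files together between folders, and refuses to build a delivery plan from the message headers when the envelope record is absent. The directory names, the sidecar format and the sample message are assumptions made up for this example.

```python
"""Spool-based mail gateway that keeps the SMTP envelope with the message.

Added example (not from the thread): INCOMING -> scanner -> SCANNED ->
delivery, with the envelope stored in a ".env" sidecar beside each ".msg"
so the delivery step never has to guess recipients from headers.
Folder names and file formats are assumptions for this illustration.
"""
import json
import os
import shutil
import tempfile
import uuid
from email import message_from_bytes
from email.utils import getaddresses


def spool_message(incoming_dir, envelope_from, envelope_to, data):
    """Write the envelope (.env) first and the message (.msg) last.

    envelope_from / envelope_to are what the SMTP client said in MAIL FROM
    and RCPT TO. Writing .msg last means a scanner that only looks for .msg
    files never picks up a pair whose envelope is not yet on disk.
    """
    if not envelope_to:
        raise ValueError("refusing to spool a message with no envelope recipients")
    msg_id = uuid.uuid4().hex
    with open(os.path.join(incoming_dir, msg_id + ".env"), "w") as fh:
        json.dump({"from": envelope_from, "to": list(envelope_to)}, fh)
    with open(os.path.join(incoming_dir, msg_id + ".msg"), "wb") as fh:
        fh.write(data)
    return msg_id


def move_pair(src_dir, dst_dir, msg_id):
    """Move the .env/.msg pair with rename() so the envelope travels with the message."""
    for ext in (".env", ".msg"):
        os.rename(os.path.join(src_dir, msg_id + ext),
                  os.path.join(dst_dir, msg_id + ext))


def header_recipients(data):
    """Recipients a naive delivery step would guess from To:/Cc: headers only."""
    msg = message_from_bytes(data)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _, addr in getaddresses(headers)]


def delivery_plan(scanned_dir, msg_id):
    """Return (envelope_from, recipients) for a scanned message, or None.

    None, rather than a fallback to the headers, is the security decision:
    a message with no recorded envelope is quarantined, not delivered to
    whoever the header happens to name.
    """
    env_path = os.path.join(scanned_dir, msg_id + ".env")
    if not os.path.exists(env_path):
        return None
    with open(env_path) as fh:
        env = json.load(fh)
    if not env.get("to"):
        return None
    return env["from"], env["to"]


def demo():
    """Run one constructed message through incoming -> scanned and compare."""
    base_dir = tempfile.mkdtemp()
    try:
        incoming = os.path.join(base_dir, "incoming")
        scanned = os.path.join(base_dir, "scanned")
        os.makedirs(incoming)
        os.makedirs(scanned)
        # Constructed sample: the envelope recipient is a Bcc, so the
        # headers name a list address, not the person who must get the mail.
        data = (b"From: alice@example.test\r\nTo: list@example.test\r\n"
                b"Subject: hello\r\n\r\nbody\r\n")
        msg_id = spool_message(incoming, "alice@example.test",
                               ["bob@example.test"], data)
        # The virus scanner would run here and move the pair to scanned or bad.
        move_pair(incoming, scanned, msg_id)
        return {
            "from_headers": header_recipients(data),
            "from_envelope": delivery_plan(scanned, msg_id),
            "no_envelope": delivery_plan(scanned, "missing"),
        }
    finally:
        shutil.rmtree(base_dir)


if __name__ == "__main__":
    print(demo())
```

The point of the demo is the mismatch it exposes: the header-derived recipient list says list@example.test while the envelope says bob@example.test, and a message whose .env record is missing yields no plan at all instead of a guess. A real gateway would also want the scanner to move the pair with a single rename into a per-message directory, and the BAD folder handling to preserve the same record so the warning mail goes to the true envelope sender.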


