Mailinglist Archive: opensuse-security (601 mails)

< Previous Next >
MFilter Announce (was - weird seccheck-0.9-35 behaviour)
  • From: <nix@xxxxxxxxx>
  • Date: Thu, 03 Aug 2000 22:18:32 -0400
  • Message-id: <965355512.398a27f8a9ac1@xxxxxxxxxxxxxxxxx>
OK guys, it's been over a month since I was asked to submit info about this
but I have been a little busy, anyways, better late than never!
There is now a homepage (sorta..) up at
and a mailing list at mfilter-devel@xxxxxxxxxxxxxxxxxxxxx

Note: This program is stable and running in production at several sites,
there are several "possible" buffer overflows in the source atm. I have not
had a chance to fix them since they were pointed out to me a few days ago by
the programmer at the desk behind me :)

Here is a bit of a description on how it works:

The gateway has a deamon program running called SMTPD that accepts all
incoming email, whether its from inside our network (Exchange Server) or
from outside sources. The STMPD program dumps this email into a folder on
the linux server called INCOMING (/usr/spool/smtpd/incoming).

A different program background job SMTP-VIRUS (usr/sbin/smtp-virus)
periodically checks the INCOMING folder and runs anything it finds in there
through the Linux AVP Virus checker. AVP on Linux is installed in the
/usr/local/avp folder. If the message is virus free, it is then moved to
the SCANNED folder (/usr/spool/smtpd/scanned)

The main SENDMAIL program periodically checks the SCANNED folder, works out
who the messages are destined for, and sends them on to their destination.
This whole process looks to take only 30 seconds or so (depending on the
size of the emails).

If a message in the INCOMING folder is found to be virus infected, it is
instead moved to the BAD folder (/usr/spool/smtpd/bad).
Anything in the BAD folder is scanned again by the program SMTP-BADMAIL
(/usr/sbin/smtp-badmail) to find out exactly what it is infected with. The
same program generates a warning email which goes to the original sender of
the email and also gets copied to the admin account on our exchange box.
The original recipient of the file is not notified. At this point, the
infected email is moved to the BAD_ARCHIVE folder
(/usr/spool/smtpd/bad_archive) where it stays until we delete it.

The basic diagram below gives a good idea of the flow of the process.

SMTP-BADMAIL sends warning emails -> BAD_ARCHIVE

The SMTP-VIRUS and SMTP-BADMAIL programs are perl scripts (equivalent to a
dos batch file), and these can be edited with PICO to make adjustments. If
you wish to change the warning message, it can be found in the smtp-badmail
file (pico /usr/sbin/smtp-badmail).

AVP is set to automatically update itself every 4 hours via the CRON job
/usr/local/avp/ This file connects to a local AVP FTP site and
grabs any files newer than its own, so we are essentially only a few hours
away from the latest update all the time. The file gets its
settings from the /usr/local/avp/avp.pkg text file, which tells it what site
to connect to etc.

Have alot of Fun!!!!!

Peter Nixon
nix@xxxxxxxxx (Note: this is a new address)

> -----Original Message-----
> From: Rainer Link [mailto:link@xxxxxxxxxxxxxxxxxxxx]
> Sent: Friday, 7 July 2000 9:48
> To: Peter Nixon
> Subject: Re: [suse-security] weird seccheck-0.9-35 behaviour
> Peter Nixon wrote:
> Hi!
> Sorry, no answer to your question :-)
> > I am using seccheck-0.9-35 on SuSE 6.4 with all available
> security options
> > and updates.
> > This machine also runs squid,sendmail,smtpd,AVP and BIND
> > 178 ? S 0:00 /bin/su - mail -c /usr/sbin/smtp-virus
> > 191 ? S 0:48 \_ perl /usr/sbin/smtp-virus
> > 5689 ? S 0:00 \_ sh -c /usr/local/avp/AvpLinux
> > /var/spool/smtpd/incoming/smtpdvI0vSs >>
> /var/tmp/smtpdvI0vSs.191/scanlog
> > 5690 ? R 0:00 \_ /usr/local/avp/AvpLinux
> > /var/spool/smtpd/incoming/smtpdvI0vSs
> > 183 ? S 0:02 /usr/sbin/smtpfwdd -u mail -g daemon -d
> > /var/spool/smtpd/scanned
> What's smtp-virus? Is it your own solutions (maybe GPL'ed)? Thanks for
> your information.
> (P.S. If it's GPL I would like to add it to
> best regards,
> Rainer Link
> --
> Rainer Link | Student of Computer Networking
> rainer@xxxxx | University of Applied Sciences, Furtwangen,
> Germany
> |

< Previous Next >
This Thread
Follow Ups