Solved: Sendmail configuration

Posted on 2000-05-09
Last Modified: 2013-12-27
Hello,

As a result of the ILOVEYOU virus,
I would appreciate it if anyone could suggest any protection.   Server is Solaris 2.5.1 running Sendmail 8.9.3 (and 8.10.1) (open source).

1. Is there any AntiVirus that can be integrated into Sendmail 8.X ?

2. Any sendmail.cf rules (or better the mc) to block/reject mail with an attachment, especially attachments with EXE or VBS extensions.

3. The rules posted on http://sendmail.net only trap the ILOVEYOU keyword.  How do we make it read a list of keywords (maybe from a file) and trap those?  It seems that the Subject line keeps changing.

Bottom line - any defense that I can take for Sendmail 8.x (8.10.1, and 8.9.3) running on Solaris 2.5.1.  BTW, the machine acts as a relay - it doesn't have any local users (except a few).

Hope 150pts is sufficient. :)

Thanks in advance

Samri
Question by: samri
15 Comments
 
LVL 15

Author Comment

by:samri
ID: 2791825
Adjusted points from 100 to 150
0
 
LVL 40

Accepted Solution

by:
jlevie earned 200 total points
ID: 2792249
1) Yes there are several anti-virus filters for sendmail. One free one is AMaVis at http://satan.oih.rwth-aachen.de/AMaViS/amavis.html. I've got URLs for others at work and will post them shortly.

2) I don't think you could do it at the cf level, but it's probably possible to do so with a mod to checkcompat at the source level.

3) Yes, you can block multiple variants based on header info. On the same site is an example of how to do so, see http://sendmail.net/?feed=lovemorph
0
 
LVL 15

Author Comment

by:samri
ID: 2792253
Edited text of question.
0
 
LVL 15

Author Comment

by:samri
ID: 2792356
Adjusted points from 150 to 200
0
 
LVL 15

Author Comment

by:samri
ID: 2792357
jlevie,

Thanks for a very fast response.  Do you get paid to do this by any chance :)  Just curious.

Anyway, I have checked AMaViS, and I believe that it should work.  The problem is the machine acts as a relay, and we have around 10K+ users.  Well I've checked through the FAQ, and I may consider it as an option most likely.

I'll keep the option of digging into the source code aside at the moment (I don't know C :-( ).

And your 3rd suggestion is ... I would say marvellous... And you bet what I have been doing all along... Duplicating the original 6 lines (excluding blank lines) into multiple rules for different Subject keywords (pretty dumb huh).  Anyway it worked, but imagine there are 100+ subject variants, it would be a simple 600+ lines in your sendmail.cf, and I don't think sendmail would be happy with that.

Perhaps anybody might have the expertise to turn the keyword (Subject line) into a hash table (BerkeleyDB).  This should speed up the search a little bit.

Well I'll wait for your URL, and leave the question open for a few more experts to join in.

Thanks a lot.
0
 
LVL 15

Author Comment

by:samri
ID: 2792383
Edited text of question.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2795327
I wish I got paid for doing it... It's just something I do to try to help.

Funny you should mention using an external file for the pattern. That's what I've been thinking of (and starting to put together). I don't think I need a DB as there isn't a key-value relationship. A flat file seems to be the way to go.

I'm having a problem locating the URLs, as I've been a bit remiss in not keeping them up to date as the various sites redo their pages. The ones that I had collected back when Melissa got into the wild now are all dead. That doesn't necessarily mean that the products are gone, just that I can't find them. I'm still looking.
0
 
LVL 15

Author Comment

by:samri
ID: 2795475
jlevie,

Yes a wish is a wish.  And remember that some wishes do come true buddy.  Maybe not in dollars and cents.

The fact is I've tried using a flat file that contains the "subject line", one line per subject.  It worked!  And the interesting thing is that it rejects ALL mail.. :) Hahaha...

Anyway, this is what I ended up with (following Mark Durham, http://www.sendmail.net).  I couldn't imagine how the rules were going to grow.

-------
# Pass the Subject: header through the Check_Subject ruleset
HSubject: $>Check_Subject
# One macro per known subject line
D{MPat}ILOVEYOU
D{MPat2}Important message from
D{MPat3}For You

D{MMsg}This message may contain virus.
SCheck_Subject
# Reject a subject that starts with a pattern, with or without a "Re: " prefix
R${MPat} $*             $#error $: 550 ${MMsg}
RRe: ${MPat} $*         $#error $: 550 ${MMsg}
R${MPat2} $*            $#error $: 550 ${MMsg}
RRe: ${MPat2} $*        $#error $: 550 ${MMsg}
R${MPat3} $*            $#error $: 550 ${MMsg}
RRe: ${MPat3} $*        $#error $: 550 ${MMsg}
------

The flat file solution that I tried is based on the following rules (grabbed somewhere from the net).

------
# Each whitespace-separated word in the file becomes a member of the class
F{SpamDomains} /etc/mail/SpamDomains
F{Spammer} /etc/mail/Spammer

Scheck_mail
# Reject senders listed in the Spammer class
R<$={Spammer}>          $#error $@ 5.7.1 $: "550 This rcpt is banned, contact your local admin."
R<$={Spammer}.>         $#error $@ 5.7.1 $: "550 This rcpt is banned, contact your local admin."
# Canonicalize the address, then reject banned domains
R$*                     $: $>3 $1
R$*<@$={SpamDomains}.>$*        $#error $@ 5.7.1 $: "550 This domain is banned, contact your local admin."
R$*<@$={SpamDomains}>$*         $#error $@ 5.7.1 $: "550 This domain is banned, contact your local admin."
R$={Spammer}            $#error $@ 5.7.1 $: "550 We don't accept junk mail"
R$={Spammer}.           $#error $@ 5.7.1 $: "550 We don't accept junk mail"
--------

Any hints on converting this to a more manageable Subject-filtering rule?

How about the link to Anti-Virus (for Unix sendmail), any luck?

I'd really appreciate the help.  Any more takers?

Samri

..
0
 
LVL 12

Expert Comment

by:geotiger
ID: 2803087
listening ...
0
 

Expert Comment

by:etdey
ID: 2805421
If you want to scan the body of a message, you could modify the definition of the local delivery agent. You would essentially make the local delivery program (normally mail or mail.local) a shell script or program that parsed the message body looking for attachments/patterns. Messages which passed your tests would be relayed along to the real local delivery agent and bad messages could be trashed.
0
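The two ideas in this thread, a flat file of Subject keywords (samri's post above) and a delivery-agent wrapper that inspects the parsed message for attachments (etdey's suggestion), can be combined in one filter program. The following is an added example, not code from any of the posters or from the sendmail project: a Python script that loads a keyword list (one pattern per line, multi-word entries kept whole), strips any "Re:"/"Fwd:" prefixes from the Subject, and walks the MIME parts for attachment names ending in EXE or VBS. The keyword list, the sample messages and the names `check_message`, `SUBJECT_PATTERNS_FILE` and `BLOCKED_EXTENSIONS` are all constructed for this example.

```python
"""Added example (not from the thread): subject-keyword and attachment filter.

Stands in for the delivery-agent wrapper etdey describes: parse the message,
check Subject against a flat keyword file, check attachment extensions, and
return an accept/reject verdict the wrapper can act on.
"""
import email
import os
import re
from email import policy

# Constructed keyword file, one subject pattern per line; blank lines and
# '#' comments are ignored.  Multi-word entries stay whole here, whereas a
# sendmail F{Class} file is read word by word.
SUBJECT_PATTERNS_FILE = """\
# subject lines to reject (constructed demo list)
ILOVEYOU
Important message from
For You
"""

# Attachment extensions to reject (the two named in the question).
BLOCKED_EXTENSIONS = {".exe", ".vbs"}

# One reply/forward prefix, applied repeatedly to handle "Re: Re: ...".
REPLY_PREFIX = re.compile(r"^\s*(re|fw|fwd)\s*:\s*", re.IGNORECASE)


def load_subject_patterns(text):
    """Return lower-cased patterns from the flat-file text, one per line."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            patterns.append(line.lower())
    return patterns


def subject_matches(subject, patterns):
    """True if the Subject, minus reply prefixes, starts with any pattern."""
    if subject is None:
        return False
    current = str(subject)
    while True:
        stripped = REPLY_PREFIX.sub("", current, count=1)
        if stripped == current:
            break
        current = stripped
    current = current.lower()
    return any(current.startswith(p) for p in patterns)


def blocked_attachments(msg):
    """Return filenames of attachments whose final extension is blocked.

    The final extension decides, so a name like 'notes.txt.vbs' is caught
    even though a casual reader only notices the '.txt'.
    """
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        if os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS:
            found.append(name)
    return found


def check_message(raw, patterns):
    """Return (accept, reason); reason is an SMTP-style text when rejected."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if subject_matches(msg["Subject"], patterns):
        return False, "550 subject matches blocked pattern"
    bad = blocked_attachments(msg)
    if bad:
        return False, "550 blocked attachment: " + ", ".join(bad)
    return True, ""


# Constructed sample messages for the demonstration.
CLEAN_MSG = b"""\
From: alice@example.net
To: bob@example.org
Subject: meeting notes
MIME-Version: 1.0
Content-Type: text/plain

See you at 10.
"""

SUBJECT_HIT_MSG = b"""\
From: alice@example.net
To: bob@example.org
Subject: Re: Re: ILOVEYOU
Content-Type: text/plain

kindly check the attached LOVELETTER coming from me.
"""

ATTACH_MSG = b"""\
From: alice@example.net
To: bob@example.org
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

figures attached
--XYZ
Content-Type: application/octet-stream; name="notes.txt.vbs"
Content-Disposition: attachment; filename="notes.txt.vbs"
Content-Transfer-Encoding: base64

SGVsbG8=
--XYZ--
"""

if __name__ == "__main__":
    pats = load_subject_patterns(SUBJECT_PATTERNS_FILE)
    for label, raw in (("clean", CLEAN_MSG), ("subject", SUBJECT_HIT_MSG),
                       ("attachment", ATTACH_MSG)):
        print(label, check_message(raw, pats))
```

Two points worth keeping in mind when adapting this. First, a sendmail `F{Class}` file splits each line on whitespace, so a multi-word subject such as "Important message from" becomes three separate class members, which is one way a class-based Subject check ends up matching far more than intended. Second, a wrapper around the local delivery agent only sees mail that is delivered locally; on a box that mostly relays, as described in the question, the same check has to run where relayed mail passes, which is why the later replies move toward checking inside sendmail itself.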
 
LVL 15

Author Comment

by:samri
ID: 2809548
etdey,

Theoretically yes, that's one way to do it.  But in the actual implementation, which part of the cf segment do I have to change, or perhaps which mc file do I have to modify?

It's getting more complicated than I thought.

jlevie, I'm still waiting for the link to the antivirus filters you mentioned.  And how's the external file solution for pattern matching?

samri.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2819077
Sorry for the delay in replying... I've been more busy than usual lately.

It looks like the only "anti-virus" products left are those designed for SMTP pass-through filtering. They work fine if you have a "gateway" box that can run the filter, but aren't suitable if you don't or if you run sendmail on the gateway. So, the only other option seems to be AMaVIS or something similar.

I've decided that I don't particularly care for the way AMaVIS is implemented. It doesn't filter outgoing (at least not without a major kludge) and it runs multiple times if there's a recipient list. Those reasons, along with the desire to provide a more efficient mechanism for scanning Subject headers, have led me to decide that the correct place to implement virus scanning is directly within sendmail via the checkcompat() facility.

I've implemented code that uses an external file containing "Subject:" signatures and the associated notice and am testing it now. It does require that sendmail be built from sources to be able to use it, but it does the scans the correct way and will catch inbound & outbound occurrences as well as only checking the first occurrence of a multiple delivery. In the next week or so I intend to extend it to use one of the commercial virus scanners to scan attachments for known viruses. Wanna be a "beta" tester?
0
 
LVL 15

Author Comment

by:samri
ID: 2826770
jlevie,

  Hmm... I'm almost about to close down the question  :).

You are right about the scanning things.  I have tried one product from Trend Micro (forgot the name), and am still getting it to work.

Beta tester?  Sure why not?

What's in it for me?  Any cost?  (heck.. I used to pay USD27.00 for the MSN T-Shirt!)

0
 
LVL 40

Expert Comment

by:jlevie
ID: 2830835
What it'll cost is for you to send an email to jlevie@bellsouth.net so I can send the code back to you.
0
 
LVL 15

Author Comment

by:samri
ID: 2832734
The initial comment actually solves the problem.

jlevie: thanks for the information.  I'll be looking forward to your code.


samri
0
