Solved

Sendmail configuration

Posted on 2000-05-09
Last Modified: 2013-12-27
Haloo,

As a result of ILOVEYOU virus.
I would appreciate if anyone could suggest any protection.   Server is Solaris 2.5.1 running Sendmail 8.9.3 (and 8.10.1) (opensource).

1. Is there any AntiVirus that can be integrated into Sendmail 8.X ?

2. Any sendmail.cf rules (or better the mc) to block reject mail with Attachment, especially attachment with EXE or VBS extension.

3. The rules posted on http://sendmail.net only trap ILOVEYOU keyword.  How do we make it read a list of keywords (maybe from a file) and trap those.  It seems that the Subject line keeps changing.

Bottom line - any defense that I can take for Sendmail 8.x (8.10.1, and 8.9.3) running on Solaris 2.5.1.  BTW, the machine acts as a relay - doesn't have any local user (except a few).

Hope 150pts is sufficient. :)

Thanks in advance

Samri
0
Question by:samri
15 Comments
 
LVL 15

Author Comment

by:samri
ID: 2791825
Adjusted points from 100 to 150
0
 
LVL 40

Accepted Solution

by:
jlevie earned 200 total points
ID: 2792249
1) Yes there are several anti-virus filters for sendmail. One free one is AMaVis at http://satan.oih.rwth-aachen.de/AMaViS/amavis.html. I've got URL's for others at work and will post them shortly.

2) I don't think you could do it at the cf level, but it's probably possible to do so with a mod to checkcompat at the source level.

3) Yes, you can block multiple variants based on header info. On the same site is an example of how to do so, see http://sendmail.net/?feed=lovemorph
0
 
LVL 15

Author Comment

by:samri
ID: 2792253
Edited text of question.
0
 
LVL 15

Author Comment

by:samri
ID: 2792356
Adjusted points from 150 to 200
0
 
LVL 15

Author Comment

by:samri
ID: 2792357
jlevie,

Thanks for a very fast response.  Do you get paid to do this by any chance :)  Just curious.

Anyway, I have checked AMaViS, and I believe that it should work.  The problem is the machine acts as a relay, and we have around 10K+ users.  Well I've checked thru the FAQ, and I may consider it as an option most likely.

I'll keep the option of digging into the source code away at the moment (I don't know C :-(.

And your 3rd suggestion is ... I would say marvellous... And you bet what I have been doing all along... Duplicating the original 6 lines (excluding blank lines) into multiple rules for different Subject keywords (pretty dumb huh).  Anyway it worked, but imagine there are 100+ subject variants, it would be a simple 600+ lines in your sendmail.cf, and I don't think sendmail would be happy with that.

Perhaps, anybody might have the expertise to turn the keyword (Subject line) into a hash table (BerkeleyDB).  This should speed up the search a little bit.

Well I'll  for your URL, and let the question open for a few more experts to join in.

Thanks a lot.
0
 
LVL 15

Author Comment

by:samri
ID: 2792383
Edited text of question.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2795327
I wish I got paid for doing it... It's just something I do to try to help

Funny you should mention using an external file for the pattern. That's what I've been thinking of (and starting to put together). I don't think I need a DB as there isn't a key-value relationship. A flat file seems to be the way to go.

I'm having a problem locating the URL's, as I've been a bit remiss in not keeping them up to date as the various sites redo their pages. The ones that I had collected back when Melissa got into the wild now are all dead. That doesn't necessarily mean that the products are gone, just that I can't find them. I'm still looking.
0
 
LVL 15

Author Comment

by:samri
ID: 2795475
jlevie,

Yes a wish is a wish.  And remember that some wishes do come true buddy.  Maybe not by dollar and cents.

The fact is I've tried using a flat file that contains the "subject line", one line per subject.  It worked!  And the interesting thing is that, it rejects ALL mail.. :) Hahaha...

Anyway, this is what I ended up with (following Mark Durham http://www.sendmail.net).  I couldn't imagine how the rules are going to grow.

-------
# Route every Subject: header through the Check_Subject ruleset.
HSubject: $>Check_Subject
D{MPat}ILOVEYOU
D{MPat2}Important message from
D{MPat3}For You

D{MMsg}This message may contain virus.
SCheck_Subject
# In sendmail.cf the LHS and RHS of each R line must be separated by tabs.
R${MPat} $*	$#error $: 550 ${MMsg}
RRe: ${MPat} $*	$#error $: 550 ${MMsg}
R${MPat2} $*	$#error $: 550 ${MMsg}
RRe: ${MPat2} $*	$#error $: 550 ${MMsg}
R${MPat3} $*	$#error $: 550 ${MMsg}
RRe: ${MPat3} $*	$#error $: 550 ${MMsg}
------

The flat file solution that I tried, is based on the following rules (grabbed somewhere from the net).  

------
F{SpamDomains} /etc/mail/SpamDomains
F{Spammer} /etc/mail/Spammer

Scheck_mail
R<$={Spammer}>          $#error $@ 5.7.1 $: "550 This rcpt is banned, contact your local admin."
R<$={Spammer}.>         $#error $@ 5.7.1 $: "550 This rcpt is banned, contact your local admin."
R$*                     $: $>3 $1
R$*<@$={SpamDomains}.>$*        $#error $@ 5.7.1 $: "550 This domain is banned, contact your local admin."
R$*<@$={SpamDomains}>$*         $#error $@ 5.7.1 $: "550 This domain is banned, contact your local admin."
R$={Spammer}            $#error $@ 5.7.1 $: "550 We don't accept junk mail"
R$={Spammer}.           $#error $@ 5.7.1 $: "550 We don't accept junk mail"
--------

Any hints on converting this to a more manageable Subject-Filtering rule?

How about the link to Anti-Virus (for Unix sendmail), any luck?

I'd really appreciate the help.  Any more takers?

Samri

..
0
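An added example, not part of the thread and not code from sendmail.net: one way to keep the subject list in a single flat file and regenerate the Check_Subject ruleset in the shape posted above, rather than hand-copying rule pairs. The one-pattern-per-line file layout and the numbered macro names `{MPat1}`, `{MPat2}`, ... are assumptions of this sketch.

```python
# Added example: build the Check_Subject ruleset from a flat pattern list.
# The one-pattern-per-line file layout is an assumption of this sketch.

SAMPLE_PATTERNS = """\
# constructed sample list, one Subject prefix per line
ILOVEYOU
Important message from
For You
"""

def parse_patterns(text):
    """Return subject patterns in file order, skipping blanks, comments, repeats."""
    patterns = []
    for line in text.splitlines():
        pat = line.strip()
        if not pat or pat.startswith("#") or pat in patterns:
            continue
        # "$" starts a sendmail macro or operator and a tab ends the LHS, so
        # either one in a list entry would change what the generated rule matches.
        if "$" in pat or "\t" in pat:
            raise ValueError("unsafe character in pattern: %r" % pat)
        patterns.append(pat)
    return patterns

def render_ruleset(patterns, message="This message may contain virus."):
    """Emit one D{MPatN} macro and two R lines (bare and "Re: ") per pattern."""
    lines = ["HSubject: $>Check_Subject", "D{MMsg}" + message]
    lines += ["D{MPat%d}%s" % (n, p) for n, p in enumerate(patterns, 1)]
    lines.append("SCheck_Subject")
    for n in range(1, len(patterns) + 1):
        for prefix in ("", "Re: "):
            # LHS and RHS are separated by a tab, as sendmail.cf requires.
            lines.append("R%s${MPat%d} $*\t$#error $: 550 ${MMsg}" % (prefix, n))
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_ruleset(parse_patterns(SAMPLE_PATTERNS)), end="")
```

The generated text replaces the hand-written block in sendmail.cf; the number of rules sendmail evaluates is unchanged, only the maintenance moves to the list file.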
 
LVL 12

Expert Comment

by:geotiger
ID: 2803087
listening ...
0
 

Expert Comment

by:etdey
ID: 2805421
If you want to scan the body of a message, you could modify the definition of the local delivery agent. You would essentially make the local delivery program (normally mail or mail.local) a shell script or program that parsed the message body looking for attachments/patterns. Messages which passed your tests would be relayed along to the real local delivery agent and bad messages could be trashed.
0
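An added example, not part of the thread: the check that a delivery-agent wrapper of the kind described above could run on each message, here limited to the EXE and VBS extensions named in the question. The sample message is constructed, and the function names are hypothetical; handing accepted mail on to the real delivery agent is left out.

```python
import email
from email import policy

BLOCKED_EXTENSIONS = {".exe", ".vbs"}  # the two types named in the question

# Constructed sample message (not a real capture): a text part plus a script
# attachment whose name carries a double extension.
SAMPLE = b"""\
From: sender@example.com
To: user@example.org
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="letter.TXT.vbs"
Content-Disposition: attachment; filename="letter.TXT.vbs"

rem constructed placeholder body
--b1--
"""

def blocked_attachments(raw_bytes, blocked=BLOCKED_EXTENSIONS):
    """Return the attachment names whose final extension is on the block list."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.walk():           # walk() also descends into nested multiparts
        name = part.get_filename()    # Content-Disposition filename, else Content-Type name
        if not name:
            continue
        # Windows drops trailing dots and spaces, so "x.vbs." still opens as .vbs.
        name = name.strip().rstrip(". ")
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in blocked:
            hits.append(name)
    return hits

def verdict(raw_bytes):
    """'reject' if any blocked attachment is present, otherwise 'deliver'."""
    return "reject" if blocked_attachments(raw_bytes) else "deliver"

if __name__ == "__main__":
    print(verdict(SAMPLE), blocked_attachments(SAMPLE))
```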
 
LVL 15

Author Comment

by:samri
ID: 2809548
etdey,

Theoretically yes, that's one way to do it.  But in the actual implementation, which part of the cf segment do I have to change, or perhaps the respective mc file do I have to modify.

It's getting more complicated than I thought.

jlevie, I'm still waiting for the link to antivirus filters you mentioned.  And how's the external file solution for pattern matching.

samri.
0
 
LVL 40

Expert Comment

by:jlevie
ID: 2819077
Sorry for the delay in replying... I've been more busy than usual lately.

It looks like the only "anti-virus" products left are those designed for SMTP pass-through filtering. They work fine if you have a "gateway" box that can run the filter, but aren't suitable if you don't or if you run sendmail on the gateway. So, the only other option seems to be AMaVIS or something similar.

I've decided that I don't particularly care for the way AMaVIS is implemented. It doesn't filter outgoing (at least not without a major kludge) and it runs multiple times if there's a recipient list. Those reasons, along with the desire to provide a more efficient mechanism for scanning Subject headers, have led me to decide that the correct place to implement virus scanning is directly within sendmail via the checkcompat() facility.

I've implemented code that uses an external file containing "Subject:" signatures and the associated notice and am testing it now. It does require that sendmail be built from sources to be able to use it, but it does the scans the correct way and will catch inbound & outbound occurrences as well as only checking the first occurrence of a multiple delivery. In the next week or so I intend to extend it to use one of the commercial virus scanners to scan attachments for known viruses. Wanna be a "beta" tester?
0
 
LVL 15

Author Comment

by:samri
ID: 2826770
jlevie,

  Hmm... I'm almost about to close down the question  :).

You are right about the scanning things.  I have tried one product from Trend Micro (forgot the name), and still getting it to work.

Beta tester?  Sure why not?  

What's in it for me?  Any cost?  (heck.. I used to pay USD27.00 for the MSN T-Shirt!)

0
 
LVL 40

Expert Comment

by:jlevie
ID: 2830835
What it'll cost is for you to send an email to jlevie@bellsouth.net so I can send the code back to you.
0
 
LVL 15

Author Comment

by:samri
ID: 2832734
The initial comment actually solves the problem.

jlevie: thanks for the information.  I'll be looking forward to your code.


samri
0
