Sendmail configuration

Hello,

As a result of the ILOVEYOU virus, I would appreciate it if anyone could suggest any protection. The server is Solaris 2.5.1 running Sendmail 8.9.3 (and 8.10.1) (open source).

1. Is there any AntiVirus that can be integrated into Sendmail 8.X?

2. Any sendmail.cf rules (or better, the mc) to block/reject mail with an attachment, especially an attachment with an EXE or VBS extension?

3. The rules posted on http://sendmail.net only trap the ILOVEYOU keyword. How do we make it read a list of keywords (maybe from a file) and trap those? It seems that the Subject line keeps changing.

Bottom line - any defense that I can take for Sendmail 8.x (8.10.1 and 8.9.3) running on Solaris 2.5.1. BTW, the machine acts as a relay and doesn't have any local users (except a few).

Hope 150pts is sufficient. :)

Thanks in advance

Samri
LVL 15
samriAsked:
jlevieCommented:
1) Yes, there are several anti-virus filters for sendmail. One free one is AMaViS at http://satan.oih.rwth-aachen.de/AMaViS/amavis.html. I've got URLs for others at work and will post them shortly.

2) I don't think you could do it at the cf level, but it's probably possible to do so with a mod to checkcompat at the source level.

3) Yes, you can block multiple variants based on header info. On the same site is an example of how to do so, see http://sendmail.net/?feed=lovemorph
0
 
samriAuthor Commented:
Adjusted points from 100 to 150
0
 
samriAuthor Commented:
Edited text of question.
0
 
samriAuthor Commented:
Adjusted points from 150 to 200
0
 
samriAuthor Commented:
jlevie,

Thanks for a very fast response. Do you get paid to do this by any chance? :) Just curious.

Anyway, I have checked AMaViS, and I believe that it should work. The problem is the machine acts as a relay, and we have around 10K+ users. Well, I've checked through the FAQ, and I may consider it as an option most likely.

I'll keep the option of digging into the source code away at the moment (I don't know C :-( ).

And your 3rd suggestion is ... I would say marvellous... And you bet what I have been doing all along... Duplicating the original 6 lines (excluding blank lines) into multiple rules for different Subject keywords (pretty dumb huh). Anyway it worked, but imagine there are 100+ subject variants; it would be a simple 600+ lines in your sendmail.cf, and I don't think sendmail would be happy with that.

Perhaps, anybody might have the expertise to turn the keyword (Subject line) into a hash table (BerkeleyDB).  This should speed up the search a little bit.

Well, I'll wait for your URL, and leave the question open for a few more experts to join in.

Thanks a lot.
0
 
samriAuthor Commented:
Edited text of question.
0
 
jlevieCommented:
I wish I got paid for doing it... It's just something I do to try to help.

Funny you should mention using an external file for the pattern. That's what I've been thinking of (and starting to put together). I don't think I need a DB as there isn't a key-value relationship. A flat file seems to be the way to go.

I'm having a problem locating the URLs, as I've been a bit remiss in not keeping them up to date as the various sites redo their pages. The ones that I had collected back when Melissa got into the wild are now all dead. That doesn't necessarily mean that the products are gone, just that I can't find them. I'm still looking.
0
 
samriAuthor Commented:
jlevie,

Yes, a wish is a wish. And remember that some wishes do come true, buddy. Maybe not in dollars and cents.

The fact is I've tried using a flat file that contains the "subject line", one line per subject. It worked! And the interesting thing is that it rejects ALL mail... :) Hahaha...

Anyway, this is what I ended up with (following Mark Durham, http://www.sendmail.net). I couldn't imagine how the rules are going to grow.

-------
# Pass every Subject: header to the Check_Subject ruleset as it is read in
HSubject: $>Check_Subject
# One macro per Subject variant to reject (multi-word values are allowed)
D{MPat}ILOVEYOU
D{MPat2}Important message from
D{MPat3}For You

D{MMsg}This message may contain virus.
SCheck_Subject
# LHS and RHS must be separated by a tab, not spaces; $* matches the rest of
# the Subject, and a second rule per pattern catches the "Re:" replies
R${MPat} $*	$#error $: 550 ${MMsg}
RRe: ${MPat} $*	$#error $: 550 ${MMsg}
R${MPat2} $*	$#error $: 550 ${MMsg}
RRe: ${MPat2} $*	$#error $: 550 ${MMsg}
R${MPat3} $*	$#error $: 550 ${MMsg}
RRe: ${MPat3} $*	$#error $: 550 ${MMsg}
------

The flat file solution that I tried is based on the following rules (grabbed somewhere from the net).

------
# Classes read from flat files, one entry per line
F{SpamDomains} /etc/mail/SpamDomains
F{Spammer} /etc/mail/Spammer

Scheck_mail
# Whole-address entries; a class matches a single token, so an entry must
# match the address exactly as it arrives (LHS and RHS are tab-separated)
R<$={Spammer}>	$#error $@ 5.7.1 $: "550 This rcpt is banned, contact your local admin."
R<$={Spammer}.>	$#error $@ 5.7.1 $: "550 This rcpt is banned, contact your local admin."
# Canonicalize the address through ruleset 3, then test its domain part
R$*	$: $>3 $1
R$*<@$={SpamDomains}.>$*	$#error $@ 5.7.1 $: "550 This domain is banned, contact your local admin."
R$*<@$={SpamDomains}>$*	$#error $@ 5.7.1 $: "550 This domain is banned, contact your local admin."
R$={Spammer}	$#error $@ 5.7.1 $: "550 We don't accept junk mail"
R$={Spammer}.	$#error $@ 5.7.1 $: "550 We don't accept junk mail"
--------

Any hints on converting this to a more manageable Subject-filtering rule?

How about the link to the Anti-Virus (for Unix sendmail)? Any luck?

I'd really appreciate the help.  Any more takers?

Samri

0
 
geotigerCommented:
listening ...
0
 
etdeyCommented:
If you want to scan the body of a message, you could modify the definition of the local delivery agent. You would essentially make the local delivery program (normally mail or mail.local) a shell script or program that parsed the message body looking for attachments/patterns. Messages which passed your tests would be relayed along to the real local delivery agent and bad messages could be trashed.
0
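The delivery-agent wrapper etdey describes, as an added example that is not code from the thread or from any of the posters; it also answers samri's question about keeping the Subject keywords in a flat file instead of one macro and two rules per variant. The file paths, variable names, keyword-file layout and sample messages are all assumptions.

```shell
#!/bin/sh
# Constructed wrapper for the local delivery agent (etdey's approach); the
# paths, variable names and the keyword-file layout are assumptions.
SUBJECT_PATTERNS="${SUBJECT_PATTERNS:-/etc/mail/virus-subjects}"  # one keyword per line
REAL_MAILER="${REAL_MAILER:-/usr/lib/mail.local}"                   # the agent being wrapped
EX_UNAVAILABLE=69   # sysexits.h code on which sendmail reports a failed delivery

# scan_message FILE: returns 0 if clean, 1 if the Subject contains a keyword
# from SUBJECT_PATTERNS, 2 if a MIME part names an .exe or .vbs file.
scan_message() {
    msg="$1"
    # Subject from the header block (before the first empty line); only the
    # first line of a folded Subject is examined.
    subject=$(sed '/^$/q' "$msg" | grep -i '^subject:' | head -n 1 \
              | sed 's/^[^:]*:[[:space:]]*//')
    # Case-insensitive substring match, so one entry "ILOVEYOU" also covers
    # "Re: ILOVEYOU" and "FW: iloveyou" without a rule per variant.
    while IFS= read -r pat || [ -n "$pat" ]; do
        # Skip blank and comment lines: an empty pattern matches every
        # subject, and the wrapper would then reject all mail.
        case "$pat" in ''|'#'*) continue ;; esac
        if [ -n "$subject" ] && printf '%s\n' "$subject" | grep -i -F -q -- "$pat"; then
            return 1
        fi
    done < "$SUBJECT_PATTERNS"
    # Attachment names live in Content-Type/Content-Disposition parameters,
    # sometimes on a folded continuation line that starts with whitespace.
    if grep -i -E -q \
        '^(content-[a-z-]*:|[[:space:]]).*(file)?name="?[^";]*\.(exe|vbs)("|;|[[:space:]]|$)' \
        "$msg"; then
        return 2
    fi
    return 0
}

# deliver ARGS: the local mailer's A= line in sendmail.cf would run this
# script in place of mail.local; the message arrives on stdin.
deliver() {
    tmp=$(mktemp /tmp/scanmail.XXXXXX) || exit "$EX_UNAVAILABLE"
    cat > "$tmp"
    scan_message "$tmp" || { rm -f "$tmp"; exit "$EX_UNAVAILABLE"; }
    "$REAL_MAILER" "$@" < "$tmp"; rc=$?
    rm -f "$tmp"
    exit "$rc"
}
```

Because the check runs in the delivery agent, it only sees mail delivered locally; on a pure relay the same scan_message function would have to be called from a filter in the SMTP path instead.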
 
samriAuthor Commented:
etdey,

Theoretically yes, that's one way to do it. But in the actual implementation, which part of the cf segment do I have to change, or perhaps which part of the respective mc file do I have to modify?

It's getting more complicated than I thought.

jlevie, I'm still waiting for the link to the antivirus filters you mentioned. And how's the external file solution for pattern matching?

samri.
0
 
jlevieCommented:
Sorry for the delay in replying... I've been more busy than usual lately.

It looks like the only "anti-virus" products left are those designed for SMTP pass-through filtering. They work fine if you have a "gateway" box that can run the filter, but aren't suitable if you don't or if you run sendmail on the gateway. So, the only other option seems to be AMaVIS or something similar.

I've decided that I don't particularly care for the way AMaViS is implemented. It doesn't filter outgoing (at least not without a major kludge) and it runs multiple times if there's a recipient list. Those reasons, along with the desire to provide a more efficient mechanism for scanning Subject headers, have led me to decide that the correct place to implement virus scanning is directly within sendmail via the checkcompat() facility.

I've implemented code that uses an external file containing "Subject:" signatures and the associated notice and am testing it now. It does require that sendmail be built from sources to be able to use it, but it does the scanning the correct way and will catch inbound & outbound occurrences as well as only checking the first occurrence of a multiple delivery. In the next week or so I intend to extend it to use one of the commercial virus scanners to scan attachments for known viruses. Wanna be a "beta" tester?
0
 
samriAuthor Commented:
jlevie,

Hmm... I'm almost about to close down the question :).

You are right about the scanning things. I have tried one product from Trend Micro (forgot the name), and am still getting it to work.

Beta tester?  Sure why not?  

What's in it for me? Any cost? (heck.. I used to pay USD27.00 for the MSN T-Shirt!)

0
 
jlevieCommented:
What it'll cost is for you to send an email to jlevie@bellsouth.net so I can send the code back to you.
0
 
samriAuthor Commented:
The initial comment actually solves the problem.

jlevie: thanks for the information. I'll be looking forward to your code.


samri
0