Anybody patching Sendmail to filter _attachments_?

...as opposed to just by subject line? We're getting a lot of requests from customers that we MX for to just throw away either all attachments or any .vbs visual basic attachments. Obviously the Sendmail-Inc.-approved fix is subject-line based, which doesn't take care of that. Anybody else working on this already? -Bill

Granted, I am not a sendmail.cf guru, but I don't see any way for sendmail to detect attachments, let alone their names. I only see header stuff as available for tinkering.

> Granted, I am not a sendmail.cf guru, but I don't see any way for sendmail to detect attachments, let alone their names. I only see header stuff as available for tinkering.

That's true... It's my assumption that any patches out there to do this would need to hook into the external delivery agent portion of sendmail... That is, act like a UUCP delivery agent, for example, and then retransmit out to the user's local mailserver. One person forwarded me information about a procmail-based solution.

-Bill

"Roeland Meyer (E-mail)" wrote:
> Granted, I am not a sendmail.cf guru, but I don't see any way for sendmail to detect attachments, let alone their names. I only see header stuff as available for tinkering.
sendmail 8.10.x has an API and filter library which permits filtering of messages as they pass through the sendmail MTA. Implementing a filter package which implements excision of .vbs files from messages certainly seems like a good use for this facility.
--
Daniel Senie dts@senie.com
Amaranth Networks Inc. http://www.amaranth.com

In message <003b01bfb90f$c535f940$eaaf6cc7@PEREGRIN>, "Roeland Meyer (E-mail)" writes:
> Granted, I am not a sendmail.cf guru, but I don't see any way for sendmail to detect attachments, let alone their names. I only see header stuff as available for tinkering.

It would not be straightforward, but the obvious place to catch attachments is in collect() in collect.c. The challenge is finding some way to configure what types of attachments get filtered out in the CF file... (I suppose a list of acceptable or excluded MIME types in a separate file might do it).

Craig

2000-05-08-12:49:54 Bill Woodcock:
> ...as opposed to just by subject line?

I've come up with a solution I'm using. At the moment I've only got a procmail wrapper style filter, i.e. it's an LDA, so it only fixes local deliveries. I'm hoping to figure out a way to filter everything passing through, but at the moment I'm using Postfix, and it doesn't make that easy. I'm considering switching back to qmail in hopes that the exercise is less painful there.

My filter pulls in the first up-to-1MB (configurable) of the message, and then hits the entire thing with each pattern specified in a file full of PCRE regexps, in case-insensitive multiline match mode. So the first of my two current patterns:

    ^Content-(?:Type|Disposition): (?:.|\n\s)*name=("?)[^"]+\.(?:vbs|wsf|vbe|wsh|hta)\1
    ^begin \d+ \S+\.(?:vbs|wsf|vbe|wsh|hta)$

can catch the MIME attachments, even though the Content- and the filename extension vbs occur on different lines, and the whole thing is in the message body somewhere.

Messages that are too long to scan this way, or that match any of the patterns, are set aside for a separate daemon to process. That daemon (written in perl) re-tries the patterns on paragraphs of the file. Confirmed matches get quoted with "> " to keep Outlook from biting, and copies are saved for later analysis; messages that don't match the second check are passed through unchanged.

The concept here is to pass through the vast majority of traffic with minimal server performance hit, and only spend more effort on the nasty few. Seems to be working OK at the moment. I'll be happy to email my code to anyone who wants it. Once I can slow down and get back to routine stuff, I'll probably put it up on sourceforge.

-Bennett
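Bennett's two-stage scan, worked through as an added example (this is not Bennett's code, which he offered by email, nor the procmail wrapper itself): his two patterns are applied unchanged through Python's re module, the paragraph re-check and the "> " quoting follow his description, and the message is a constructed sample, not a real capture.

```python
import re

# Extensions named in Bennett's patterns (Windows Script Host and HTA files).
EXT = r"(?:vbs|wsf|vbe|wsh|hta)"

# Bennett's two PCRE patterns, unchanged, in case-insensitive multiline mode.
# In the first, "\n\s" steps over a folded header continuation, so the
# "Content-Type:" and the "name=...vbs" may sit on different lines; the
# second catches uuencoded attachments by their "begin" line.
PATTERNS = [
    re.compile(r'^Content-(?:Type|Disposition): (?:.|\n\s)*name=("?)[^"]+\.'
               + EXT + r'\1', re.I | re.M),
    re.compile(r'^begin \d+ \S+\.' + EXT + r'$', re.I | re.M),
]
MAX_SCAN = 1024 * 1024  # stage one looks only at the first (configurable) 1 MB

def quick_scan(raw):
    # Stage one, the cheap in-line pass: anything but 'clean' is set aside.
    if len(raw) > MAX_SCAN:
        return "too-long"
    return "match" if any(p.search(raw) for p in PATTERNS) else "clean"

def confirm(raw):
    # Stage two, the daemon: re-try the patterns paragraph by paragraph.
    paras = re.split(r"\n{2,}", raw)
    return [i for i, p in enumerate(paras) if any(x.search(p) for x in PATTERNS)]

def defuse(raw):
    # Quote each line of a confirmed paragraph with "> " so the attachment
    # headers no longer parse; a message with no confirmed hit is unchanged.
    hits = set(confirm(raw))
    paras = re.split(r"\n{2,}", raw)
    out = ["\n".join("> " + ln for ln in p.split("\n")) if i in hits else p
           for i, p in enumerate(paras)]
    return "\n\n".join(out), sorted(hits)

# Constructed sample (not a real capture): a harmless base64 blob under a
# doubled-extension .vbs filename carried on a folded header line.
SAMPLE = """From: sender@example.com
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: application/octet-stream;
    name="report.txt.vbs"
Content-Disposition: attachment;
    filename="report.txt.vbs"
Content-Transfer-Encoding: base64

cGxhY2Vob2xkZXI=
--XYZ--
"""
```

quick_scan(SAMPLE) reports "match", confirm(SAMPLE) narrows it to the paragraph holding the attachment headers, and defuse(SAMPLE) returns the message with that paragraph quoted, after which quick_scan no longer fires.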

The closest thing that's been suggested so far is a procmail/perl/metamail package: http://www.wolfenet.com/~jhardin/procmail-security.html I haven't yet looked into how to run procmail on a sendmail hub, as opposed to as a local delivery agent... My assumption is that it will need to be run as a Remote Delivery Agent, a la uucp, rather than as an LDA, so it'll need to also take care of SMTP delivery out to the customer's mailserver, or it'll need to tag it to avoid recursion if it passes the piece of mail back through sendmail for remote delivery. -Bill

On 05/08/00, Bill Woodcock <woody@zocalo.net> wrote:
> ...as opposed to just by subject line? We're getting a lot of requests from customers that we MX for to just throw away either all attachments or any .vbs visual basic attachments. Obviously the Sendmail-Inc.-approved fix is subject-line based, which doesn't take care of that.
> Anybody else working on this already?

I've seen a fix for exim (check the exim-users archives), but haven't seen anyone try to adapt it to sendmail yet. I think maybe the new filter API might come in handy here.

--
J.D. Falk
Product Manager
Mail Abuse Prevention System LLC

"Laughter is the sound that knowledge makes when it's born." -- The Cluetrain Manifesto

The problem with the new filter API (thanks for letting me know about this guys) is that it requires a full-scale sendmail (to 8.10) upgrade for most of us. Check my headers, I'm at 8.9.3 and I don't see many others newer than that. These are production mail hubs and willy-nilly upgrades aren't allowed there (we just got to 8.9.3, last month), too many potential side-effects (not to mention the lack of full dox). So far, the procmail approach seems the most generic. However, we have to do it on a "per domain" basis, like JD.

> The problem with the new filter API (thanks for letting me know about this guys) is that it requires a full-scale sendmail (to 8.10) upgrade for most of us.

I realize that changing anything in many shops may require approval by a committee, but allow me to recommend this upgrade. We like 8.10 here. Compiles cleanly, and has a substantially improved feature set. Even compiling the .mc to .cf is much easier now.

-bryan
postmaster

> The problem with the new filter API (thanks for letting me know about this guys) is that it requires a full-scale sendmail (to 8.10) upgrade for most of us.

> I realize that changing anything in many shops may require approval by a committee, but allow me to recommend this upgrade.
> We like 8.10 here. Compiles cleanly, and has a substantially improved feature set. Even compiling the .mc to .cf is much easier now.

i like 8.10 very much also. the filter stuff is a little young though... you have to build sendmail (or rebuild, if you've already built it) with _FFR_MILTER defined, among other things...like the usual dearth of documentation for new features that aren't really "released". :) it also requires threads. not something i've got very much practical experience with...

--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet that goes *ping*!"
twofsonet@graffiti.com (Andrew Brown)
andrew@crossbar.com * "information is power -- share the wealth."

Previously Andrew Brown said:
> i like 8.10 very much also. the filter stuff is a little young though... you have to build sendmail (or rebuild, if you've already built it) with _FFR_MILTER defined, among other things...like the usual dearth of documentation for new features that aren't really "released". :)
> it also requires threads. not something i've got very much practical experience with...

I've gotten Sendmail 8.10.1 with libmilter running and it seems to work rather well (with the exception of additional CPU usage). Al Smith posted vbfilter.c on comp.mail.sendmail on 5/5 to reject all .vbs attachments. It's definitely an excellent starting point.

Moving to 8.10.1 in a simple setup (i.e. store and forward) was very easy. Using libmilter is pretty undocumented and takes a bit to get going. In addition to the above you need to build libmilter and then have the proper flags in your .mc. Any code for filtering requires that it's thread-safe. Make sure you read libmilter/README. The one thing it leaves out is putting define(`_FFR_MILTER') in your .mc, which makes the cf build but not include the right external filtering definitions.

-jkk
--
James K. Klossner jkk@frontiernet.net
Eagles may soar, but weasels don't get sucked into jet engines.

We put attachment filtering in place with Melissa. By midnight Thursday we had quarantined somewhere around 1000 love letters. I have to believe it was worth the (not my personal) effort. Treat your postmasters well. You'll live to be glad you did.

-ls-

How well does it work with HP OpenMail?
Bryan Bradsby wrote (Monday, May 08, 2000 2:17 PM):
> I realize that changing anything in many shops may require approval by a committee, but allow me to recommend this upgrade.
> We like 8.10 here. Compiles cleanly, and has substantially improved feature set. Even compiling the .mc to .cf is much easier now.

On Mon, 08 May 2000 09:49:54 PDT, Bill Woodcock <woody@zocalo.net> said:
> ...as opposed to just by subject line? We're getting a lot of requests from customers that we MX for to just throw away either all attachments or any .vbs visual basic attachments. Obviously the Sendmail-Inc.-approved fix is subject-line based, which doesn't take care of that.

Well, I'm not actually working on it at the moment, but Sendmail 8.10.1 ships with a not-very-documented filtering interface. If you have an 8.10.1 source tree handy, look in 'libmilter/README' for the gory details.

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech

Look at http://www.decros.cz/~reho/check_virus. This is a patch, written by Petr Rehor, that allows antivirus software to be invoked from inside Sendmail. It is a great solution and I have been using it for several months with several of my customers. Suffice to say, those of my customers which run Sendmail with Petr's patch have experienced very little impact during the recent virus attack. The only thing that the patch doesn't do is handle MIME attachments, and therefore I wrote a wrapper (ftp.coldstone.com), that is less than suboptimal (but works), to extract the attachment first and then feed it to one or more antivirus packages (e.g. McAfee, TrendMicro, etc.)

-Alberto
--
Alberto U. Begliomini Email: aub@coldstone.com
Coldstone Consulting, LLC Phone: 650-400-3990
Security, Data Centers Design and Management Fax: 650-654-5938

Bill Woodcock wrote:
> ...as opposed to just by subject line? We're getting a lot of requests from customers that we MX for to just throw away either all attachments or any .vbs visual basic attachments. Obviously the Sendmail-Inc.-approved fix is subject-line based, which doesn't take care of that.
> Anybody else working on this already?
> -Bill