Ray's Mail Filter
Version 1.04/1.14

On this page: Description; Platform; Copyright and Licence; Requirements; Rationale; Theory; Method; Rejected Message Files; SMTP reply; Log files; Known Bugs; Interaction with Other Software; Release Notes

Other pages: Installation; Configuration; Operation; Utilities
The filter examines messages being processed by Sendmail, and accepts or rejects them on the basis of their header contents. In addition to the main message headers, the filter examines the MIME part headers within a multipart message. It can therefore be used to reject messages containing attachments with particular filenames or filename extensions.
Rejection criteria are controlled by configuration files, and can be changed without having to re-start the filter. Using the configuration files as supplied, the filter will reject any message that has an attachment of a type that is listed as "unsafe" in the Microsoft Outlook E-mail Security Update (Article ID: Q262617).
As a partial defence against malicious exploitation of the buffer overrun problem in certain versions of Microsoft Outlook, the filter will also reject messages whose Date header is more than 60 characters in length.
Rejected messages are saved in message files, annotated to show the reason for rejection. A log is kept of all messages processed by the filter.
Platform

| H/W | O/S | Sendmail version | Remarks |
|---|---|---|---|
| Dec Alpha | Digital Unix V4.0F | 8.10.1, 8.11.0.Beta1, 8.11.0 | Development machine. |
| i686 | Linux (Red Hat 6.1) | 8.10.1 | |
| i686 | Linux (Red Hat 6.2) | 8.11.0 | |
The software is distributed under the terms of the GNU General Public Licence.
Within the body of the message, each occurrence of the boundary is followed by a number of headers relating specifically to that part. An "attachment" part containing a Visual Basic script, for example, can be identified by the presence of a file name with an extension such as ".vbs" in its Content-Type and Content-Disposition headers. For instance, the "ILOVEYOU" virus was contained in an attachment which began with the following boundary and headers:

```
Content-Type: multipart/mixed; boundary="----_=_NextPart_000_01BFB5AF.795C3FBA"

------_=_NextPart_000_01BFB5AF.795C3FBA
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
```

The Sendmail Mail Filter API allows third-party programs access to mail messages as they are being processed, in order to filter meta-information and content. This allowed a filter to be developed which can scan a message for the presence of characteristic text strings (e.g. 'name="xxxxx.vbs"') in certain specified headers (e.g. "Content-Type"), and reject the message if such a string is found.
As the filter can scan all the message headers, it can also be configured to reject messages where, for example, the Subject header of the main message contains text which suggests the possible presence of a virus.
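The following C program is an added illustration, not code from Ray's Mail Filter, of the header-rule idea described above: a table pairing a header name with a pattern, applied to each main-message and MIME-part header, plus the overlong-Date check mentioned in the description. The rule table, the `MAX_DATE_LEN` constant, the function names and the sample headers are all constructed for this example; the real filter reads its rules from configuration files, and its pattern syntax is not documented on this page.

```c
/* Added example, not code from Ray's Mail Filter: header rules of the kind the
 * filter's configuration files express, applied to message and MIME-part headers.
 * The rule table, MAX_DATE_LEN handling and all sample headers are constructed here. */
#include <ctype.h>
#include <regex.h>
#include <stdio.h>
#include <string.h>

#define MAX_DATE_LEN 60   /* Date headers longer than 60 characters are rejected */

struct rule {
    const char *header;   /* header name the pattern applies to */
    const char *pattern;  /* POSIX extended regular expression, matched case-insensitively */
};

/* Hypothetical rule table: unsafe attachment extensions and a suspect Subject. */
static const struct rule rules[] = {
    { "Content-Type",        "name=\"[^\"]*\\.(vbs|exe|scr|pif)\"" },
    { "Content-Disposition", "filename=\"[^\"]*\\.(vbs|exe|scr|pif)\"" },
    { "Subject",             "ILOVEYOU" },
};

/* Case-insensitive comparison of header names (header names are case-insensitive). */
static int name_eq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Check one header. Returns 1 (reject, reason filled in), 0 (accept), -1 (bad rule). */
int check_header(const char *name, const char *value, char *reason, size_t reason_len)
{
    if (name_eq(name, "Date") && strlen(value) > MAX_DATE_LEN) {
        snprintf(reason, reason_len, "Date header longer than %d characters", MAX_DATE_LEN);
        return 1;
    }
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++) {
        regex_t re;
        int hit;
        if (!name_eq(name, rules[i].header)) continue;
        if (regcomp(&re, rules[i].pattern, REG_EXTENDED | REG_ICASE | REG_NOSUB) != 0) return -1;
        hit = regexec(&re, value, 0, NULL, 0) == 0;
        regfree(&re);
        if (hit) {
            snprintf(reason, reason_len, "pattern %s in header %s", rules[i].pattern, name);
            return 1;
        }
    }
    return 0;
}

/* Scan a block of "Name: value" lines (CRLF or LF terminated). Folded continuation
 * lines begin with SP or HTAB and are joined to the preceding value before it is
 * checked, so a filename pushed onto a second line is still seen. Pass only a
 * header block, not the body. Returns 1 at the first rejecting header, else 0. */
int scan_header_block(const char *block, char *reason, size_t reason_len)
{
    char name[128], value[4096];
    size_t vlen = 0;
    int have = 0;
    const char *p = block;

    while (*p) {
        const char *eol = strpbrk(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);

        if (have && (*p == ' ' || *p == '\t')) {
            size_t room = sizeof value - 1 - vlen;      /* continuation of current value */
            size_t n = len < room ? len : room;
            memcpy(value + vlen, p, n);
            vlen += n;
            value[vlen] = '\0';
        } else {
            if (have && check_header(name, value, reason, reason_len) == 1) return 1;
            have = 0;
            const char *colon = memchr(p, ':', len);
            if (colon) {
                size_t nlen = (size_t)(colon - p);
                const char *v = colon + 1;
                if (nlen > sizeof name - 1) nlen = sizeof name - 1;
                memcpy(name, p, nlen);
                name[nlen] = '\0';
                while (v < p + len && (*v == ' ' || *v == '\t')) v++;
                vlen = (size_t)(p + len - v);
                if (vlen > sizeof value - 1) vlen = sizeof value - 1;
                memcpy(value, v, vlen);
                value[vlen] = '\0';
                have = 1;
            }
        }
        p += len;
        while (*p == '\r' || *p == '\n') p++;
    }
    return have && check_header(name, value, reason, reason_len) == 1;
}

int main(void)
{
    char reason[256];
    const char *part =                       /* constructed MIME-part header block */
        "Content-Type: application/octet-stream;\r\n"
        "\tname=\"LOVE-LETTER-FOR-YOU.TXT.vbs\"\r\n"
        "Content-Transfer-Encoding: quoted-printable\r\n";
    if (scan_header_block(part, reason, sizeof reason))
        printf("reject: %s\n", reason);
    else
        printf("accept\n");
    return 0;
}
```

The folded-header handling is the detail worth noting: a `name="..."` parameter that has been wrapped onto a continuation line does not appear on the same physical line as `Content-Type:`, so a scanner that matches line by line would miss it.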
Then, for each message received by Sendmail, the filter performs the following tasks:
(If the body of the message is longer than 65,535 characters, Sendmail passes it to the filter in "chunks" of no more than that size. When scanning the message body, the filter "overlaps" adjacent chunks in order to detect boundaries and suspect text strings which would otherwise be split between chunks.)
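As an added illustration of the overlap technique just described (this is not code from Ray's Mail Filter), the C program below feeds a body to a scanner in chunks while keeping the tail of the previous chunk in front of the next one, and compares the result with a naive per-chunk scan. `CHUNK_MAX`, `OVERLAP`, `struct scanner`, the function names and the sample body are constructed for the example; the chunk size used in `sample_scan` is scaled down from Sendmail's 65,535 so that the straddling case is visible in a few dozen bytes.

```c
/* Added example, not code from Ray's Mail Filter: scanning a body that arrives in
 * chunks while retaining an overlap from the previous chunk, so a boundary or
 * suspect string that straddles two chunks is still detected. CHUNK_MAX, OVERLAP,
 * struct scanner and the sample body are constructed for this illustration. */
#include <stdio.h>
#include <string.h>

#define CHUNK_MAX 65535  /* Sendmail hands the body over in pieces of at most this size */
#define OVERLAP   16     /* bytes kept from the previous chunk; must be at least the longest
                            pattern length minus one (the page's filter keeps 1024) */

struct scanner {
    unsigned char buf[OVERLAP + CHUNK_MAX];  /* carried overlap followed by the current chunk */
    size_t carry_len;   /* bytes at the front of buf carried over from the previous chunk */
    size_t consumed;    /* bytes of the body delivered before the current chunk */
};

static void scanner_init(struct scanner *s) { s->carry_len = 0; s->consumed = 0; }

/* Binary-safe search for pat in hay, ignoring any match that ends within the first
 * min_end bytes: those bytes were already searched as part of the previous chunk,
 * so a match lying wholly inside the overlap is not reported twice. */
static long find_pattern(const unsigned char *hay, size_t hay_len,
                         const char *pat, size_t pat_len, size_t min_end)
{
    if (pat_len == 0 || pat_len > hay_len) return -1;
    for (size_t i = 0; i + pat_len <= hay_len; i++) {
        if (i + pat_len <= min_end) continue;
        if (memcmp(hay + i, pat, pat_len) == 0) return (long)i;
    }
    return -1;
}

/* Feed one chunk. Returns the offset within the whole body of the first match that
 * involves this chunk, -1 for no match, -2 if the chunk exceeds CHUNK_MAX. */
long feed_chunk(struct scanner *s, const char *chunk, size_t len, const char *pattern)
{
    size_t pat_len = strlen(pattern), total, keep;
    long pos, result;

    if (len > CHUNK_MAX) return -2;
    memcpy(s->buf + s->carry_len, chunk, len);
    total = s->carry_len + len;

    pos = find_pattern(s->buf, total, pattern, pat_len, s->carry_len);
    result = pos < 0 ? -1 : (long)(s->consumed - s->carry_len) + pos;

    /* keep the tail of this buffer as the overlap for the next chunk */
    keep = total < OVERLAP ? total : OVERLAP;
    memmove(s->buf, s->buf + total - keep, keep);
    s->carry_len = keep;
    s->consumed += len;
    return result;
}

/* Deliver body in chunk_size pieces and return the first match offset, or -1.
 * with_overlap = 0 imitates a naive scanner that forgets the previous chunk. */
long scan_body(const char *body, size_t len, const char *pattern,
               size_t chunk_size, int with_overlap)
{
    struct scanner s;
    if (chunk_size == 0) return -1;
    scanner_init(&s);
    for (size_t off = 0; off < len; off += chunk_size) {
        size_t n = len - off < chunk_size ? len - off : chunk_size;
        long r;
        if (!with_overlap) { s.carry_len = 0; s.consumed = off; }
        r = feed_chunk(&s, body + off, n, pattern);
        if (r >= 0) return r;
    }
    return -1;
}

/* Constructed sample: a 60-byte body with the suspect string at offset 26, so a
 * 32-byte chunk boundary falls inside it. Returns 26 with overlap, -1 without. */
long sample_scan(int with_overlap)
{
    char body[60];
    const char *pattern = "name=\"x.vbs\"";
    memset(body, 'A', sizeof body);
    memcpy(body + 26, pattern, strlen(pattern));
    return scan_body(body, sizeof body, pattern, 32, with_overlap);
}

int main(void)
{
    printf("with overlap:    %ld\n", sample_scan(1));
    printf("without overlap: %ld\n", sample_scan(0));
    return 0;
}
```

The `min_end` argument to `find_pattern` is what keeps the overlap from producing duplicate hits: bytes carried over from the previous chunk have already been searched, so only a match that uses at least one byte of the new chunk is reported.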
The name of the file will consist of the "username" part of the sender's e-mail address and a "random" string of characters. For example, a rejected message from A.N.Other@some.co.uk may be saved as "A.N.Other.aawfiA".
The file contains the text of the message, annotated as follows:-

```
=====================================================
Note inserted by Ray's Mail Filter
-----------------------------------------------------
This chunk (bodylen):   65535
Overlap from previous:  0
Buffer contains:        65535
Overlap to next chunk:  1024
=====================================================
```

```
Message-ID: <20000626101717.2799.qmail@ab.cdefg.com>
From: lists@wxyz.com
To: A.Student@sbu.ac.uk
Subject: Mail from Jokes Online
-----------------------------------------------------
Ray's Mail Filter found the following pattern:
:_ Jokes
in this header:
Subject: Mail from Jokes Online
-----------------------------------------------------
Reply-to: lists@wxyz.com
X-Mailer: WXYZ-Mailing List Service
```

```
=====================================================
Note inserted by Ray's Mail Filter
-----------------------------------------------------
This chunk (bodylen):   65535
Overlap from previous:  0
Buffer contains:        65535
-----------------------------------------------------
Ray's Mail Filter found the following pattern:
:_ name=\".*\.exe\"
in this header:
Content-Type: application/octet-stream; name="Beckham.exe"
-----------------------------------------------------
Overlap to next chunk:  1024
=====================================================
```
SMTP reply

```
554 5.7.1 Message was rejected because it contains signs of a possible virus (name=\".*\.vbs\")
```
This consists of the following components:-
mail-filter.log records when the filter is started, stopped or signalled to re-read its configuration files, e.g.

```
21-Jun-2000 11:19:46 : Starting rays-filter; FAIL_COUNT = 0
28-Jun-2000 14:35:17 : Signalling rays-filter to read configuration files
04-Jul-2000 16:31:49 : Stopping rays-filter; WAIT = 6
```

The filter makes entries in the system log file using the following function calls:

```
openlog("rays-filter", LOG_PID, LOG_USER);
syslog(LOG_INFO, "text");
```

The following are typical examples of system log entries:-

```
Program starting
Read 3 header names from /usr/local/src/mail-filters/header_list.conf
Read 48 strings from /usr/local/src/mail-filters/string_list.conf
Accepted message: From: <a.n.other@sbu.ac.uk> To: <some.body@talk21.com> Subject: medical stories
*Rejected message: From: <some.one@somewhere.ac.uk> To: <butlerra@sbu.ac.uk> Subject: Test
```
Known Bugs

| H/W | O/S | Sendmail version | Observations |
|---|---|---|---|
| Dec Alpha | Digital Unix V4.0F | * | The program will save up to 32 rejected messages from any one user. After this, messages from that user which meet the rejection criteria will continue to be rejected, but will not be saved. Rejected messages from other users will continue to be saved. |
| Dec Alpha | Digital Unix V4.0F | 8.11.0.Beta1 | If an "internet" type socket is used, the filter will accept a telnet connection on the specified port from a user on the same host. |
| i686 | Linux (Red Hat 6.1) | 8.10.1 | If a "file" type socket is used, the filter must be run by root. A non-root user may run the filter if an "internet" type socket is used. |
Interaction with Other Software

| S/W | Version | Observations |
|---|---|---|
| Netscape | 4.61 (Linux), 4.73 (Win32) | Displays the RFC 1893/2034 reply code and text part of the SMTP reply returned by the filter. |
| Pegasus Mail | 2.55 (Win32) | Displays the whole of the SMTP reply returned by the filter. |
| Eudora | | Displays the text part of the SMTP reply returned by the filter. |
| Outlook 97 | | Displays: "Mail could not be delivered to the Mail Server. Be sure you entered the correct server name, or specify a new server." |
| Outlook 97 | 8.04.5619 | Returns a message with the subject "Undeliverable: subject", with contents as follows: "The following recipients could not be reached:" |
| Internet Mail Service (Microsoft Exchange) | 5.5.2650.21 | Does not respond as anticipated to the SMTP reply returned by the filter. Continues to re-send the rejected message at 20-minute intervals until it times out (several days later). |
Release Notes

| Version | Date | Notes |
|---|---|---|
| 1.04/1.14 | 08-Mar-2001 | Fixed a bug which would have prevented disk write failures from being recorded by syslog. (Thanks to Rich Jones, University of Western Ontario, for reporting this.) |
| 1.12 | 25-Sep-2000 | Conditional compilation of 'bool' type definition and TRUE/FALSE values in rays-filter.c. Fixes a problem encountered when compiling with gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release). |
| 1.01/1.11 | 08-Aug-2000 | Improved scripts for more reliable recovery after crash or re-boot. Any socket file left behind by a previous run, which would prevent the binary from running, will be removed automatically. |
| 1.1 | 04-Aug-2000 | Version for Sendmail version 8.11.0 |
| 1.0 | 02-Aug-2000 | Version for Sendmail versions 8.10.* to 8.11.0.Beta* |