I think it's a nice idea.
Might I suggest a similar solution that seems to me more airtight?
If you already have access to the smtp machine, you might consider
filtering all newly arriving mails to a temporary folder, and the warning
email that you send to the client will include a confirmation hypertext link
where the user needs to click to confirm to the smtp machine
that a human is behind this mail.
Regards,
tzahi.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Harel
> Sent: Wednesday, June 09, 2004 11:55 PM
> To: Linux-IL mailing list
> Subject: My initiative to detect worms that send spam
>
>
> Hi,
>
> Some time ago I asked this group about an idea of mine to track smtp
> activity.
> The reason I want to do so is that a while ago I was suspected of
> sending spam messages. Knowing that I would never do such a thing I
> assumed I got infected with some kind of a worm. (I understand that
> there are some worms that work on Linux).
> While thinking it over, I remembered a friend of mine who works in
> Cyprus. He told me about a service the credit card companies have. When
> your credit is charged you get an SMS on your cell phone. So now I send
> a message to the user every time an outgoing smtp connection is made.
> The user should know if the warning he got is due to his initiation of
> sending an e-mail or else...
>
> So finally I implemented it, calling it warnsmtpd. That is, it runs as a
> daemon. It is now running on my machine - basically a RH 9 machine. It
> is using information from the /proc directory. More specifically, I detect
> smtp communication from /proc/net/tcp (should I look into UDP also?) on
> remote_port 0019 (25) and correlate the inum to the fd link file in
> /proc/XXXX/fd/... (one of them is a symlink to "socket:[INUM]"). With
> that I write a warning print like:
>
> The program /usr/local/mozilla/mozilla-bin pid 15914
> sends SMTP message using tcp Protocol to
> Remote_Address 212.117.129.230
>
>
>
> The program detects if you got X11 running (again looking for processes
> in /proc but this time looking for the file cmdline). In that case it
> will use xmessage to send you the warning. Otherwise it sends the
> message to /dev/console.
>
> If this solution is worthwhile, I want your help to make it a
> GPL package. Even though I call this program version 0.1.0, I
> consider it as merely the first draft.
> I want to get your comments about everything including necessity,
> style, portability.
>
> You can get this program from:
> ftp://[EMAIL PROTECTED]/WarnSMTP-0.1.0.tar.gz
> Unfortunately, you will need a password: warnsmtp
>
> The file you need to compile is in /usr/src/WarnSMTP-0.1.0. I did not
> put a Makefile in because simple compilation is all it currently
> needs (no ./configure, no portability). After compilation, put
> warnsmtpd in /usr/local/bin if you like. I also added the startup script
> in /etc/init.d and a launching script in /usr/local/bin which assumes
> warnsmtpd is in /usr/local/bin.
>
>
> --
> Thanks.
>
> David Harel,
>
> ==================================
>
> Home office +972 4 6921986
> Fax: +972 4 6921986
> Cellular: +972 54 4534502
> Snail Mail: Amuka
> D.N Merom Hagalil
> 13802
> Israel
> Email: [EMAIL PROTECTED]
>
>
>
> =================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED]
> with the word "unsubscribe" in the message body, e.g., run
> the command echo unsubscribe | mail [EMAIL PROTECTED]
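
The /proc correlation described in the quoted message (rows of /proc/net/tcp with remote port 0019, then the inode matched against the "socket:[INUM]" links under /proc/PID/fd), as an added example that is not part of this thread and is not the warnsmtpd source. The function names and the sample rows are constructed for illustration; it assumes IPv4 and a little-endian host.

```python
import os
import socket
import struct

# Constructed sample of /proc/net/tcp (not captured from a real host).
# Row 0 is a local listener on port 25; only row 1 has *remote* port 0019.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 0A00000A:8C3E E68175D4:0019 01 00000000:00000000 00:00000000 00000000   500        0 48213 1 0000000000000000 20 4 30 10 -1
   2: 0A00000A:8C40 0101A8C0:0050 01 00000000:00000000 00:00000000 00000000   500        0 48377 1 0000000000000000 20 4 30 10 -1
"""

def outgoing_smtp(table_text, port=25):
    """Return (remote_ip, inode) for each row whose remote port equals `port`."""
    hits = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        addr_hex, port_hex = fields[2].split(":")  # rem_address column
        if int(port_hex, 16) != port:
            continue
        # Assumption: little-endian host, so the hex word is byte-reversed.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        hits.append((ip, int(fields[9])))          # column 9 is the socket inode
    return hits

def owners_of(inode, proc_root="/proc"):
    """Return sorted PIDs that hold an fd linking to socket:[inode]."""
    target = f"socket:[{inode}]"
    pids = set()
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:       # process exited, or fd table not readable by us
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.add(int(entry))
            except OSError:   # fd was closed while we were scanning
                pass
    return sorted(pids)

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:
        for ip, inode in outgoing_smtp(f.read()):
            print(ip, inode, owners_of(inode))
```

Run without root, the scan only sees the fd tables of the caller's own processes, so a connection owned by another user shows up with an empty PID list.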