Hi, couldn't you get the same logging capabilities by closing outgoing SMTP connections (using iptables) for users other than "smtp" and relaying all applications through the local smtp daemon?

Thanks,
Gregory.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tzahi Fadida
Sent: Thursday, June 10, 2004 3:18 AM
To: 'David Harel'; 'Linux-IL mailing list'
Subject: RE: My initiative to detect worms that send spam

I think it's a nice idea. Might I suggest a similar solution that seems to me more airtight. If you already have access to the smtp machine you might consider filtering all newly arriving mails to a temporary folder, and your warning email that you send to the client will include a confirmation hypertext link where the user needs to click on it to confirm to the smtp machine that a human is behind this mail.

Regards,
tzahi.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Harel
> Sent: Wednesday, June 09, 2004 11:55 PM
> To: Linux-IL mailing list
> Subject: My initiative to detect worms that send spam
>
> Hi,
>
> Some time ago I asked this group about an idea of mine to track smtp
> activity.
> The reason I want to do so is that a while ago I was suspected of
> sending spam messages. Knowing that I would never do such a thing I
> assumed I got infected with some kind of a worm. (I understand that
> there are some worms that work on Linux.)
> While thinking it over, I remembered a friend of mine who works in
> Cyprus. He told me about a service the credit card companies have. When
> your credit is charged you get an SMS on your cell phone. So now I send
> a message to the user every time an outgoing smtp connection is made.
> The user should know if the warning he got is due to his initiation of
> sending an e-mail or else...
>
> So finally I implemented it, calling it warnsmtpd. That is, it runs as a
> daemon. It is now running on my machine - basically a RH 9 machine. It
> is using information from the /proc directory. More specifically, I detect
> smtp communication from /proc/net/tcp (should I look into UDP also?) on
> remote_port 0019 (25) and correlate the inum to the fd link file in
> /proc/XXXX/fd/... (one of them is a symlink to "socket:[INUM]"). With
> that I write a warning print like:
>
> The program /usr/local/mozilla/mozilla-bin pid 15914
> sends SMTP message using tcp Protocol to
> Remote_Address 212.117.129.230
>
> The program detects if you got X11 running (again looking for processes
> in /proc but this time looking for the file cmdline). In that case it
> will use xmessage to send you the warning. Otherwise it sends the
> message to /dev/console.
>
> If this solution is worthwhile, I want your help to make it a
> GPL package. Even though I call this program version 0.1.0, I
> consider it as merely the first draft.
> I want to get your comments about everything including necessity,
> style, portability.
>
> You can get this program from:
> ftp://[EMAIL PROTECTED]/WarnSMTP-0.1.0.tar.gz
> Unfortunately, you will need a password: warnsmtp
>
> The file you need to compile is in /usr/src/WarnSMTP-0.1.0. I did not
> put in a Makefile because simple compilation is all it currently
> needs (no ./configure, no portability). After compilation, put
> warnsmtpd in /usr/local/bin if you like. I also added the startup script
> in /etc/init.d and a launching script in /usr/local/bin which assume
> warnsmtpd is in /usr/local/bin
>
> --
> Thanks.
>
> David Harel,
>
> ==================================
>
> Home office +972 4 6921986
> Fax: +972 4 6921986
> Cellular: +972 54 4534502
> Snail Mail: Amuka
> D.N Merom Hagalil
> 13802
> Israel
> Email: [EMAIL PROTECTED]
>
> =================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED]
> with the word "unsubscribe" in the message body, e.g., run
> the command echo unsubscribe | mail [EMAIL PROTECTED]
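The /proc correlation David describes (remote port 0019 in /proc/net/tcp, the inode matched against a "socket:[INUM]" symlink under /proc/PID/fd, then /proc/PID/cmdline for the program name) as an added Python example; this is not the warnsmtpd code from the thread, and the function names are mine. The sample /proc/net/tcp text and the small fake /proc tree that make_sample_proc builds are constructed fixtures so the script runs offline; on a live host you would feed it the real /proc/net/tcp and /proc. It only looks at IPv4 TCP (/proc/net/tcp); /proc/net/tcp6 has the same columns with 128-bit addresses, and reading another user's /proc/PID/fd needs root, which is why such a daemon has to run privileged.

```python
import os
import socket
import struct
import tempfile

SMTP_PORT = 25
TCP_ESTABLISHED = 0x01  # value of the 'st' column for an established connection


def decode_addr(hexaddr):
    """'E68175D4:0019' from /proc/net/tcp -> ('212.117.129.230', 25).
    The kernel prints the IPv4 address as one 32-bit word in host byte
    order, so on x86 it is little-endian ("0100007F" is 127.0.0.1)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text, remote_port=SMTP_PORT):
    """Return established sockets whose remote port matches, with uid and inode."""
    hits = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        f = line.split()
        if len(f) < 10:
            continue
        rip, rport = decode_addr(f[2])  # f[2] is rem_address, f[3] is st
        if rport != remote_port or int(f[3], 16) != TCP_ESTABLISHED:
            continue
        hits.append({"remote_ip": rip, "uid": int(f[7]), "inode": int(f[9])})
    return hits


def socket_inode_to_process(inode, proc="/proc"):
    """Walk every /proc/<pid>/fd for a symlink to 'socket:[inode]'.
    Returns (pid, argv[0]) or None when no readable process owns it."""
    target = "socket:[%d]" % inode
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:  # process exited, or another user's fds without root
            continue
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) != target:
                    continue
                with open(os.path.join(proc, pid, "cmdline"), "rb") as fh:
                    argv0 = fh.read().split(b"\0")[0].decode("utf-8", "replace")
                return int(pid), argv0
            except OSError:
                continue
    return None


def format_warning(program, pid, remote_ip):
    """Same wording as the warning quoted in the thread."""
    return ("The program %s pid %d sends SMTP message using tcp Protocol "
            "to Remote_Address %s" % (program, pid, remote_ip))


def find_smtp_senders(net_tcp_text, proc="/proc"):
    """One warning line per established outgoing SMTP connection."""
    warnings = []
    for sock in parse_proc_net_tcp(net_tcp_text):
        owner = socket_inode_to_process(sock["inode"], proc)
        if owner is None:  # socket seen but not attributable (racing exit, no root)
            warnings.append("unknown process (uid %d) sends SMTP message to "
                            "Remote_Address %s" % (sock["uid"], sock["remote_ip"]))
        else:
            warnings.append(format_warning(owner[1], owner[0], sock["remote_ip"]))
    return warnings


# Constructed sample of /proc/net/tcp: a listening socket on port 22, one
# established connection to 212.117.129.230:25 (inode 67890, uid 500) and
# the same peer in TIME_WAIT (st 06), which must be ignored.
SAMPLE_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0A00020F:8A3E E68175D4:0019 01 00000000:00000000 00:00000000 00000000   500        0 67890 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:8A40 E68175D4:0019 06 00000000:00000000 00:00000000 00000000     0        0 0 1 0000000000000000 100 0 0 10 0
"""


def make_sample_proc(root, pid=15914, inode=67890,
                     program="/usr/local/mozilla/mozilla-bin"):
    """Constructed fixture: a fake /proc with one process whose fd 7 is the socket."""
    fd_dir = os.path.join(root, str(pid), "fd")
    os.makedirs(fd_dir)
    os.symlink("/dev/null", os.path.join(fd_dir, "0"))
    os.symlink("socket:[%d]" % inode, os.path.join(fd_dir, "7"))
    with open(os.path.join(root, str(pid), "cmdline"), "wb") as fh:
        fh.write(program.encode() + b"\0-remote\0")  # argv NUL-separated as in /proc
    return root


def demo():
    """Run the whole chain against the constructed fixture; returns the warnings."""
    with tempfile.TemporaryDirectory() as fake_proc:
        make_sample_proc(fake_proc)
        return find_smtp_senders(SAMPLE_NET_TCP, fake_proc)


if __name__ == "__main__":
    for w in demo():
        print(w)
    # Live use on Linux (as root): with open("/proc/net/tcp") as fh:
    #     print(find_smtp_senders(fh.read()))
```

Polling /proc/net/tcp this way only catches connections that are still established when the scan runs, so a short-lived SMTP session can be missed between two polls; a daemon built on it should poll often or combine it with Gregory's iptables logging so the connection attempt itself is recorded.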