Hi,
Kovriga, Gregory wrote:
Hi,
Thank you very much for your comment.
couldn't you get the same logging capabilities by closing outgoing SMTP
connections (using iptables) for users other than "smtp" and relaying
all applications through the local smtp daemon ?
I don't understand your suggestion though.
My solution is a little more than a logging operation. Its intention is to give the user enough information, live, so the user can find a worm process while it is in action and thereafter try to get rid of it. As I see it, the user must be involved in the process. I don't understand, then, how the centralized local smtp daemon would figure out whether the smtp operation is legitimate, due to the user's request, or illegal, due to worm activity.
Thanks,
Gregory.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tzahi Fadida
Sent: Thursday, June 10, 2004 3:18 AM
To: 'David Harel'; 'Linux-IL mailing list'
Subject: RE: My initiative to detect worms that send spam
I think it's a nice idea. Might I suggest a similar solution that seems to me more airtight. If you already have access to the smtp machine, you might consider filtering all newly arriving mails to a temporary folder, and the warning email that you send to the client will include a confirmation hypertext link that the user needs to click to confirm to the smtp machine that a human is behind this mail.
Regards, tzahi.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Harel
Sent: Wednesday, June 09, 2004 11:55 PM
To: Linux-IL mailing list
Subject: My initiative to detect worms that send spam
Hi,
Some time ago I asked this group about an idea of mine to track smtp activity.
The reason I want to do so is that a while ago I was suspected of sending spam messages. Knowing that I would never do such a thing I assumed I got infected with some kind of a worm. (I understand that there are some worms that work on Linux).
While thinking it over, I remembered a friend of mine who works in Cyprus. He told me about a service the credit card companies have. When your credit is charged you get an SMS on your cell phone. So now I send a message to the user every time an outgoing smtp connection is made. The user should know if the warning he got is due to his initiation of sending an e-mail or else...
So finally I implemented it, calling it warnsmtpd. That is, it runs as a daemon. It is now running on my machine, basically a RH 9 machine. It uses information from the /proc directory. More specifically, I detect smtp communication from /proc/net/tcp (should I look into UDP also?) on remote_port 0019 (25) and correlate the inum to the fd link file in /proc/XXXX/fd/... (one of them is a symlink to "socket:[INUM]"). With that I write a warning print like:
The program /usr/local/mozilla/mozilla-bin pid 15914 sends SMTP message using tcp Protocol to Remote_Address 212.117.129.230
The program detects if you have X11 running (again looking for processes in /proc, but this time looking for the file cmdline). In that case it will use xmessage to send you the warning. Otherwise it sends the message to /dev/console.
If this solution is worthwhile, I want your help to make it a GPL package. Even though I call this program version 0.1.0, I consider it merely the first draft.
I want to get your comments about everything including necessity, style, portability.
You can get this program from: ftp://[EMAIL PROTECTED]/WarnSMTP-0.1.0.tar.gz
Unfortunately, you will need a password: warnsmtp
The file you need to compile is in /usr/src/WarnSMTP-0.1.0. I did not put in a Makefile because simple compilation is all it currently needs (no ./configure, no portability). After compilation, put warnsmtpd in /usr/local/bin if you like. I also added the startup script in /etc/init.d and a launching script in /usr/local/bin, which assume warnsmtpd is in /usr/local/bin.
-- Thanks.
David Harel,
==================================
Home office +972 4 6921986 Fax: +972 4 6921986 Cellular: +972 54 4534502 Snail Mail: Amuka D.N Merom Hagalil 13802 Israel Email: [EMAIL PROTECTED]
=================================================================
To unsubscribe, send mail to [EMAIL PROTECTED] with the word "unsubscribe" in the message body, e.g., run the command echo unsubscribe | mail [EMAIL PROTECTED]
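The /proc/net/tcp to /proc/<pid>/fd correlation David describes above, as an added example in Python (not the warnsmtpd sources, which are C): it decodes the hex address columns, keeps non-listening sockets whose peer port is 25, and joins their inode numbers to the "socket:[INUM]" fd symlinks. The /proc/net/tcp rows, fd links and executable path in the sample are constructed.

```python
# Added example, not the warnsmtpd code: join /proc/net/tcp with the
# socket:[INODE] links under /proc/<pid>/fd, as the post describes.
import socket, struct

SMTP_PORT, TCP_LISTEN = 25, 0x0A   # 'st' column 0A marks a listening socket

def decode_addr(hex_addr):
    """'0100007F:0019' -> ('127.0.0.1', 25); the kernel prints the IPv4
    address as a native-endian 32-bit word, so '<I' is right on x86."""
    ip_hex, port_hex = hex_addr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def smtp_sockets(proc_net_tcp_text):
    """{inode: remote_ip} for every non-listening socket whose peer port is 25."""
    result = {}
    for line in proc_net_tcp_text.splitlines()[1:]:      # line 0 is the header
        fields = line.split()
        if len(fields) < 10:
            continue
        remote_ip, remote_port = decode_addr(fields[2])
        if remote_port == SMTP_PORT and int(fields[3], 16) != TCP_LISTEN:
            result[int(fields[9])] = remote_ip          # column 9 is the inode
    return result

def socket_owners(fd_links):
    """fd_links: (pid, readlink target) pairs for /proc/<pid>/fd/*; {inode: pid}."""
    return {int(t[8:-1]): pid for pid, t in fd_links
            if t.startswith("socket:[") and t.endswith("]")}

def warning_lines(proc_net_tcp_text, fd_links, exe_of):
    """One warning per SMTP connection; exe_of(pid) resolves the binary path."""
    owners = socket_owners(fd_links)
    out = []
    for inode, remote_ip in sorted(smtp_sockets(proc_net_tcp_text).items()):
        pid = owners.get(inode)
        who = (f"{exe_of(pid)} pid {pid}" if pid is not None
               else "<unknown: socket not found under /proc/*/fd>")
        out.append(f"The program {who} sends SMTP message using tcp Protocol "
                   f"to Remote_Address {remote_ip}")
    return out

# Constructed sample: a local port-25 listener (must be ignored) and one
# ESTABLISHED (st=01) connection from inode 31337 to 212.117.129.230:25.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0101A8C0:8EF2 E68175D4:0019 01 00000000:00000000 00:00000000 00000000   500        0 31337 1 0 100 0 0 10 0
"""
SAMPLE_FDS = [(15914, "/dev/null"), (15914, "socket:[31337]"), (1, "socket:[1234]")]
```

On a live host, fd_links is built with os.readlink over every /proc/<pid>/fd/* entry and exe_of is os.readlink of /proc/<pid>/exe; both need root to see other users' processes, and a connection whose socket has already closed shows up as the unknown case.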