Hi,

I don't know all the options of the smtpd - there are different implementations with different capabilities... Most of them support logging, but maybe some of them support more request filtering options - at least it seems reasonable. My point was that instead of tracing outgoing mail from different applications it seems natural to direct all the traffic through the local mail agent, where such tracing/filtering can be added (if not yet supported).

Thanks,
Gregory.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of David Harel
Sent: Thursday, June 10, 2004 11:30 AM
To: Linux-IL mailing list
Subject: Re: My initiative to detect worms that send spam

Hi,

Kovriga, Gregory wrote:

>Hi,
>couldn't you get the same logging capabilities by closing outgoing SMTP
>connections (using iptables) for users other than "smtp" and relaying
>all applications through the local smtp daemon ?
>
>

Thank you very much for your comment. I don't understand your suggestion though. My solution is a little more than a logging operation. Its intention is to give the user enough information, live, so the user can find a worm process when it is in action and thereafter try to get rid of it. As I see it, the user must be involved in the process. I don't understand then how the centralized local smtp daemon would figure out if the smtp operation is legitimate, due to the user's request, or illegal, due to worm activity.

>Thanks,
>Gregory.
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] On Behalf Of Tzahi Fadida
>Sent: Thursday, June 10, 2004 3:18 AM
>To: 'David Harel'; 'Linux-IL mailing list'
>Subject: RE: My initiative to detect worms that send spam
>
>I think it's a nice idea.
>Might I suggest a similar solution that seems to me more airtight.
>If you already have access to the smtp machine you might consider
>filtering all newly arriving mails to a temporary folder and your warning
>email that you send to the client will include a confirmation hypertext
>link where the user needs to click on it to confirm to the smtp machine
>that a human is behind this mail.
>
>Regards,
> tzahi.
>
>
>
>>-----Original Message-----
>>From: [EMAIL PROTECTED]
>>[mailto:[EMAIL PROTECTED] On Behalf Of David Harel
>>Sent: Wednesday, June 09, 2004 11:55 PM
>>To: Linux-IL mailing list
>>Subject: My initiative to detect worms that send spam
>>
>>
>>Hi,
>>
>>Some time ago I asked this group about an idea of mine to track smtp
>>activity.
>>The reason I want to do so is that a while ago I was suspected of
>>sending spam messages. Knowing that I would never do such a thing I
>>assumed I got infected with some kind of a worm. (I understand that
>>there are some worms that work on Linux).
>>While thinking it over, I remembered a friend of mine who works in
>>Cyprus. He told me about a service the credit card companies have. When
>>your credit is charged you get an SMS on your cell phone. So now I send
>>a message to the user every time an outgoing smtp connection is made.
>>The user should know if the warning he got is due to his initiation of
>>sending an e-mail or else...
>>
>>So finally I implemented it, calling it warnsmtpd. That is, it runs as a
>>daemon. It is now running on my machine - basically a RH 9 machine. It
>>is using information from the /proc directory. More specifically, I detect
>>smtp communication from /proc/net/tcp (should I look into UDP also?) on
>>remote_port 0019 (25) and correlate the inum to the fd link file in
>>/proc/XXXX/fd/... (one of them is a symlink to "socket:[INUM]"). With
>>that I write a warning print like:
>>
>>The program /usr/local/mozilla/mozilla-bin pid 15914
>>  sends SMTP message using tcp Protocol to
>>  Remote_Address 212.117.129.230
>>
>>
>>
>>The program detects if you got X11 running (again looking for processes
>>in /proc but this time looking for the file cmdline). In that case it
>>will use xmessage to send you the warning. Otherwise it sends the
>>message to /dev/console.
>>
>>If this solution is worthwhile, I want your help to make it a
>>GPL package.
>>Even though I call this program version 0.1.0 I consider it as merely
>>the first draft.
>>I want to get your comments about everything including necessity,
>>style, portability.
>>
>>You can get this program from:
>>ftp://[EMAIL PROTECTED]/WarnSMTP-0.1.0.tar.gz
>>Unfortunately, you will need a password: warnsmtp
>>
>>The file you need to compile is in /usr/src/WarnSMTP-0.1.0. I did not
>>put in a Makefile because simple compilation is all it currently
>>needs (no ./configure, no portability). After compilation, put
>>warnsmtpd in /usr/local/bin if you like. I also added the startup script
>>in /etc/init.d and a launching script in /usr/local/bin which assume
>>warnsmtpd is in /usr/local/bin
>>
>>
>>--
>>Thanks.
>>
>>David Harel,
>>
>>==================================
>>
>>Home office +972 4 6921986
>>Fax: +972 4 6921986
>>Cellular: +972 54 4534502
>>Snail Mail: Amuka
>>            D.N Merom Hagalil
>>            13802
>>            Israel
>>Email: [EMAIL PROTECTED]
>>
>>
>>
>>=================================================================
>>To unsubscribe, send mail to [EMAIL PROTECTED]
>>with the word "unsubscribe" in the message body, e.g., run
>>the command echo unsubscribe | mail [EMAIL PROTECTED]
>>
>>
>>
>>
>>
>
>
>

--
Thanks.
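The /proc-based detection David describes (remote port 25 in /proc/net/tcp, socket inode matched against the /proc/<pid>/fd symlinks), as an added Python example that is not part of the original thread or of WarnSMTP itself; the function names, the /proc/net/tcp rows and the fake /proc tree are constructed here. It assumes a little-endian host and IPv4 only (IPv6 sockets live in /proc/net/tcp6), it skips LISTEN rows so a local MTA does not trigger a warning, and reading another user's fd directory on a real system requires root, which is why the `proc` argument can point at a test tree.

```python
import os
import socket

# Constructed /proc/net/tcp sample (not a capture from the author's machine): row 0 is a
# local LISTEN socket, row 1 an outgoing connection to 212.117.129.230:25, row 2 plain HTTP.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
   1: 0201A8C0:8A2E E68175D4:0019 01 00000000:00000000 00:00000000 00000000   500        0 54321 1 0 20 4 30 10 -1
   2: 0201A8C0:8A2F 0100007F:0050 01 00000000:00000000 00:00000000 00000000   500        0 54322 1 0 20 4 30 10 -1
"""

def hex_to_addr(field):
    # /proc prints IPv4 as a host-order (little-endian) 32-bit hex value, so reverse the bytes
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1]), int(port_hex, 16)

def outgoing_smtp_sockets(text, port=25):
    # (inode, remote_ip) for rows whose remote port is 25; LISTEN (0A) rows are local servers
    found = []
    for line in filter(str.strip, text.splitlines()[1:]):   # skip the header row
        cols = line.split()
        rip, rport = hex_to_addr(cols[2])
        if rport == port and cols[3] != "0A":
            found.append((cols[9], rip))
    return found

def inode_to_pid(inode, proc="/proc"):
    # The owning process has an fd symlink whose target reads "socket:[<inode>]"
    target = "socket:[%s]" % inode
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:      # process already exited, or fd dir unreadable without root
            continue
    return None

def smtp_warnings(text, proc="/proc"):
    out = []
    for inode, rip in outgoing_smtp_sockets(text):
        pid = inode_to_pid(inode, proc)
        try:
            exe = os.readlink(os.path.join(proc, str(pid), "exe"))
        except OSError:      # pid is None, or the exe link is not readable
            exe = "(unknown program)"
        out.append("The program %s pid %s sends SMTP message using tcp to %s" % (exe, pid, rip))
    return out
```

smtp_warnings() produces one line per outgoing SMTP socket in the wording of warnsmtpd's console message; a daemon would poll it and hand each new line to xmessage or /dev/console as the original does.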