>> On Tue, 13 Jul 1999 13:41:19 -0400,
>> "Adam D . McKenna" <[EMAIL PROTECTED]> said:
A> I think the best solution here is to scan for viruses *after* the mail
A> has been delivered. (Or possibly in a way that is transparent to the
A> MTA, which scans the file before it is written to disk). This takes the
A> responsibility away from the MTA. McAfee can already look inside Zip
A> files for viruses, adding the code to look in UUEncoded emails shouldn't
A> be much harder. This would be especially good for qmail because of the
A> Maildir delivery format, since each message would be a different file
A> and would be able to be scanned separately by the scanner.

I'm trying some experiments along this line with a heavily-modified
smap/smapd (from the TIS firewall toolkit) plus either qmail or
sendmail. Here's a Cliff-notes version of the setup:

1. "smap" listens on port 25 for incoming mail, and stores each message
in a given spool directory based on time. This directory changes
every 30 seconds. The delivery log looks like this:
1999-07-13 18:40:30.157247 sd=(/smap0/a)
1999-07-13 18:41:00.174410 sd=(/smap1/a)
1999-07-13 18:41:30.189001 sd=(/smap0/b)
1999-07-13 18:42:00.205318 sd=(/smap1/b)
1999-07-13 18:42:30.230449 sd=(/smap0/c)
1999-07-13 18:43:00.283121 sd=(/smap1/c)
1999-07-13 18:43:30.358441 sd=(/smap0/d)
1999-07-13 18:44:00.364667 sd=(/smap1/d)
The spool directories are /var/spool/smap0/[abcde...] and
/var/spool/smap1/[abcde...].
2. "smapd" follows 30 seconds behind "smap"; while "smap" is storing
new messages in (say) /var/spool/smap0/b, "smapd" is scanning and
handling final delivery of messages in /var/spool/smap1/a. This
way, I could have smap0 and smap1 on separate devices. I use a
number of queues just in case I want to stop the scanning process
for some reason; this way, no one directory gets too full, and I can
process an older directory knowing that nothing is writing to it at
the time.
3. The scanning part is just a script run from smapd; we do all the
virus checking on an NT box, but I wanted to see if I could catch
viruses by breaking up MIME messages, running "strings" on
binary-type attachments and looking for things like "HKEY" plus an
indication that Visual Basic was being used. Most email viruses
we've run into seem to rely on VB macros which mess around with the
registry.

--
Karl Vogel
ASC/YCOA, Wright-Patterson AFB, OH 45433, USA
[EMAIL PROTECTED] or [EMAIL PROTECTED]
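An added example, not code from Karl Vogel's setup, that re-creates the heuristic from item 3 in Python: split a MIME message into parts, pull printable runs out of binary-type attachments the way strings(1) does, and flag a part that mentions the registry ("HKEY") together with a Visual Basic indicator. The sample message and the VB marker list are constructed for the example; the post only names "HKEY" plus "an indication that Visual Basic was being used".

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Markers assumed for this example; tune to what your own mail shows.
VB_MARKERS = (b"Visual Basic", b"VBA", b"Attribute VB_Name", b"CreateObject")
MIN_LEN = 4


def strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def suspicious(part) -> bool:
    """True if a non-text part contains HKEY plus one VB marker."""
    if part.get_content_maintype() in ("text", "multipart"):
        return False
    found = strings(part.get_payload(decode=True) or b"")
    has_hkey = any(b"HKEY" in s for s in found)
    has_vb = any(any(m in s for m in VB_MARKERS) for s in found)
    return has_hkey and has_vb


def scan_message(raw: bytes) -> list:
    """Filenames of attachments that trip the heuristic."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() or "<unnamed>" for p in msg.walk() if suspicious(p)]


def build_sample() -> bytes:
    """Constructed message: one benign and one flagged attachment."""
    msg = EmailMessage()
    msg["From"] = "a@example.com"
    msg["To"] = "b@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("hello")
    msg.add_attachment(b"\x00\x01plain data\x02", maintype="application",
                       subtype="octet-stream", filename="ok.bin")
    # Constructed body: OLE-like leading bytes, a VB module name, a registry key.
    doc = (b"\x00\xd0\xcf\x11" + b"Attribute VB_Name = \"Module1\"\x00"
           + b"HKEY_LOCAL_MACHINE\\Software\\Test\x00")
    msg.add_attachment(doc, maintype="application", subtype="msword",
                       filename="macro.doc")
    return bytes(msg)


if __name__ == "__main__":
    print(scan_message(build_sample()))  # ['macro.doc']
```

Run it against a file from one of the smap spool directories with `scan_message(open(path, "rb").read())`; an empty list means nothing matched.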