[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Fw: VIRUS IN YOUR MAIL (W32/BugBear.A (Clam))


On Thu, Oct 17, 2002 at 10:44:06AM +0200, Russell Coker wrote:

> On Thu, 17 Oct 2002 10:32, Brian May wrote:
> > On Thu, Oct 17, 2002 at 10:25:52AM +0200, Russell Coker wrote:
> > > Ideally we would be able to detect the virus as it comes in and give a
> > > 5xx SMTP code.
> >
> > Yes, that would be the best solution.
> >
> > exim is the only MTA I know of where I have heard this is possible
> > though.
> The best solution would be to have a transperant proxy in front of the mail 
> server that does this.
> The proxy could pass the data through until a SMTP "DATA" command is sent (so 
> if the envelope sender or recipient addresses or of the sending host name or 
> RBL isn't right then the mail server can drop it).  Then it would pause the 
> data stream until it had received it all and scanned it (sending code 5xx for 
> a virus and passing it on otherwise).
> Is Linux transperant proxying up to this?  Can you intercept a data stream 
> while preserving both the source and destination addresses?

Well, once you separate the TCP listener from the actual SMTP server,
as done for servers run from (ucspi-tcp's) tcpserver[1] or inetd, then you
can insert arbitrary programs into the pipe, without having to dig at
the networking layers.

Qmail has such a smtp filter (rblsmtpd[2]) that checks MAIL FROM:
domains against RBLs; it only runs the real server (qmail-smtpd[3]) if
the domain is not listed.

Of course, other policies could be implemented this way as well.
Have a look at 



[1] http://cr.yp.to/ucspi-tcp/tcpserver.html
[2] http://cr.yp.to/ucspi-tcp/rblsmtpd.html
[3] http://www.qmail.org/qmail-manual-html/man8/qmail-smtpd.html

E-Advies / Emile van Bergen   |   emile@e-advies.info
tel. +31 (0)70 3906153        |   http://www.e-advies.info

Attachment: pgpHngFc5wxxr.pgp
Description: PGP signature

Reply to: