Pmf

From M1Research


pmf - Procmail's MIME filter


Description

pmf is a Perl program for filtering e-mail. It decomposes a message into its MIME parts and checks each part with the installed filters to decide whether the message carries forbidden attachments (such as Win32 executables and script files). A 'score' method rates how dangerous a message is: every filter that matches adds its configured SCORE to a running total, the white-list filters contribute large negative scores, and a message whose total ends up above zero is blocked.

Features

  • Open source (GPL, version 2 or later)
  • Easy integration into a mail system that uses procmail as the local mailer
  • Available filters:
    • DangerosHTMLtags - detects attached HTML files containing tags that could make Internet Explorer execute code (IFRAME, for instance);
    • ForbiddenExtensions - checks attachment file names for forbidden extensions;
    • Win32Executable - checks whether an attachment is an executable by its leading bytes (MZ, ELF), regardless of its name;
    • ZIPList - checks the file list of an attached ZIP archive, so a forbidden file inside an archive is caught as well;
    • WhiteListFrom - exception for 'trusted' senders;
    • WhiteListTo - exception for 'smart' recipients;
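The scoring rule in working form, as an added Python example: this is not pmf's code (pmf is Perl) but a simplified re-implementation of the filter list above, using the filter names, LISTs and SCOREs from the pmf.conf shown later on this page. Filters run in ascending SCORE order and evaluation stops once the total goes above zero, the order introduced in version 0.93. DangerosHTMLtags and KAV are left out, the ZIP and executable checks are reduced to the essentials, and the sample messages and attachments are constructed inside the code.

```python
"""Added Python illustration of pmf's score method (not pmf's own Perl code).
Filter names, LISTs and SCOREs follow the page's pmf.conf; matching logic is a
simplified re-implementation, DangerosHTMLtags and KAV are omitted."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

EXEC_MAGIC = (b'MZ', b'\x7fELF')  # pmf.conf lists 'MZ','ELF'; a real ELF starts with 0x7f 'ELF'

def ext_of(name):
    return name.rsplit('.', 1)[1].lower() if '.' in name else ''

def zip_names(data):
    """Member names of a ZIP payload, [] if it is not a valid archive."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def attachments(msg):
    """Yield (file name, decoded bytes) for every MIME leaf that names a file."""
    for part in msg.walk():
        if not part.is_multipart() and part.get_filename():
            yield part.get_filename(), part.get_payload(decode=True)

# A filter returns the objects it flagged; its SCORE is added once per object.
def whitelist_to(msg, recipient, cfg):
    return [recipient] if recipient in cfg['LIST'] else []

def whitelist_from(msg, recipient, cfg):
    domain = parseaddr(str(msg.get('From', '')))[1].rpartition('@')[2].lower()
    return [domain] if domain in cfg['LIST'] else []

def forbidden_extensions(msg, recipient, cfg):
    hits = []
    for name, data in attachments(msg):
        if ext_of(name) in cfg['LIST']:
            hits.append(name)
        if ext_of(name) == 'zip':  # archive members are checked too (cf. the page's log)
            hits += [f'ziparchive|{name}/{m}' for m in zip_names(data) if ext_of(m) in cfg['LIST']]
    return hits

def win32_executable(msg, recipient, cfg):
    # Content check: catches an executable even after it has been renamed.
    return [name for name, data in attachments(msg) if data[:4].startswith(EXEC_MAGIC)]

def zip_list(msg, recipient, cfg):
    return [name for name, data in attachments(msg) if ext_of(name) == 'zip' and zip_names(data)]

FILTERS = {  # names, LISTs and SCOREs as in the page's pmf.conf
    'WhiteListTo': {'LIST': ['verem', 'root'], 'SCORE': -100.0, 'run': whitelist_to},
    'WhiteListFrom': {'LIST': ['bk.ru', 'gfk-usm.com.ua', 'gfk.com.ua'], 'SCORE': -100.0,
                      'run': whitelist_from},
    'ForbiddenExtensions': {'LIST': ['exe', 'com', 'pif', 'scr', 'bat', 'reg', 'ocx', 'dll',
                                     'cmd', 'vbs', 'vb', 'cab', 'inf'],
                            'SCORE': 1.0, 'run': forbidden_extensions},
    'Win32Executable': {'LIST': ['MZ', 'ELF'], 'SCORE': 1.0, 'run': win32_executable},
    'ZIPList': {'SCORE': 1.0, 'run': zip_list},
}

def score_message(msg, recipient, filters=FILTERS):
    """Return (total score, X-pmf-Log lines); total > 0 means the message is blocked."""
    total, log = 0.0, []
    # Ascending SCORE: the -100 white lists run first, then the +1.0 detectors
    # (sorted() is stable, so equal scores keep their configured order).
    for name, cfg in sorted(filters.items(), key=lambda kv: kv[1]['SCORE']):
        for hit in cfg['run'](msg, recipient, cfg):
            total += cfg['SCORE']
            log.append(f"*{cfg['SCORE']:6.1f} pmf::{name} [{hit}]")
        if total > 0.0:  # pmf 0.93 stops once the message is already blocked
            break
    return total, log

def zip_with(member, data):
    """Constructed single-member ZIP archive used as sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr(member, data)
    return buf.getvalue()

def build_sample(attachment_name, payload, sender='mailnews@uaportal.com'):
    """Constructed test message (not real mail), round-tripped through the MIME parser."""
    m = EmailMessage()
    m['From'], m['To'], m['Subject'] = sender, 'someone@m1stereo.tv', 'No subject'
    m.set_content('see attachment')
    m.add_attachment(payload, maintype='application', subtype='octet-stream',
                     filename=attachment_name)
    return message_from_bytes(m.as_bytes(), policy=policy.default)

if __name__ == '__main__':
    archive = build_sample('elka.zip', zip_with('elka.exe', b'MZ\x90\x00fake-pe'))
    print(score_message(archive, 'pupkin'))  # blocked at the first +1.0; ZIPList never runs
    print(score_message(archive, 'verem'))   # white-listed: every filter runs and is logged
    print(score_message(build_sample('setup.dat', b'MZ\x90\x00fake-pe'), 'pupkin'))
```

Run as a script it prints three verdicts: a ZIP holding elka.exe sent to a non-whitelisted user stops at the ForbiddenExtensions hit (+1.0; ZIPList is never consulted), the same mail to verem collects all three log entries and stays negative, and an 'MZ' file renamed to setup.dat gets past the extension list but not the magic-byte check.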

Downloads

Version 0.93 (2004-12-18 16:00)

  • Download: pmf-0.93.tar.bz2
  • Changelog:
    • 1. Added creation of a link with a Latin-only name to each saved attachment, so that external programs do not fail on file names containing non-Latin (8-bit) characters
    • 2. Changed the order in which filters are checked. Filters now run starting from the lowest SCORE, and checking stops as soon as the global SCORE exceeds 0.0. This saves time when a message is already known to be dangerous (a small optimization)

Version 0.92 (2004-12-18 01:20)

  • Download: pmf-0.92.tar.bz2
  • Changelog:
    • 1. Added filters/KAV.pm - Kaspersky Antivirus connectivity
    • 2. Added appropriate configuration section

Version 0.91 (2004-12-17)

  • Download: pmf-0.91.tar.bz2
  • Changelog:
    • 1. Added syslog facility
    • 2. Added appropriate configuration section

Version 0.90 (2004-12-11)

  • Download: pmf-0.90.tar.bz2
  • Changelog:
    • 1. Code re-engineering of procmail-mimefilter.pl
    • 2. Flexible reconfiguration through pmf.conf

Installation

  • 1. Download the source tarball
  • 2. Check that the following Perl modules are installed:
Data::Dump
Mail::MboxParser
Digest::MD5
HTML::Parser
Archive::Zip
If any of them is missing, install it from CPAN
  • 3. Unpack the archive into /usr/local/pmf/

Configuration

  • 1. Check the pmf config file /usr/local/pmf/pmf.conf and adapt it to your system (adjust the white lists, disable filters you do not need). The file is Perl syntax and pmf loads it with eval, so it is executed code: keep it owned by root and writable only by root. SAVE_PATH and TEMP_PATH default to directories under /tmp; on a multi-user host check what permissions pmf gives them, or point them at a directory other local users cannot read, since the saved copies are the blocked messages themselves:
# Renice pmf to keep the system more stable; this prevents a burst of
# user processes from loading the system to 110% :-))
# (check the sign: with the usual nice(2) semantics a negative value
# raises priority and needs root, a positive value lowers it)
RENICE          =>      -9,
# path where the filter plugins are installed
FILTERS_PATH    =>      '/usr/local/pmf/filters/',
# path where blocked messages are saved
SAVE_PATH       =>      '/tmp/users/',
# temporary directory for storing body and attachments
TEMP_PATH       =>      '/tmp/pmf/',
# filters parameters
FILTERS =>
{
        'WhiteListTo'           =>
        {
                LIST    =>      ['verem','root'],
                SCORE   =>      -100.0,
        },
        'WhiteListFrom'         =>
        {
                LIST    =>      ['bk.ru','gfk-usm.com.ua','gfk.com.ua'],
                SCORE   =>      -100.0,
        },
        'ForbiddenExtensions'   =>
        {
                LIST    =>      ['exe','com','pif','scr','bat','reg','ocx','dll','cmd','vbs','vb','cab','inf'],
                SCORE   =>      1.0,
        },
        'Win32Executable'       =>
        {
                LIST    =>      ['MZ','ELF'],
                MAX     =>      3,
                SCORE   =>      1.0,
        },
        'ZIPList'               =>
        {
                SCORE   =>      1.0,
        },
#       'KAVtest'       =>
#       {
#       },
        'DangerosHTMLtags'              =>
        {
                SCORE   =>      1.0,
        },
},
# replacement message delivered instead of the blocked one
# header text of the replacement message (%s is filled in by pmf)
REWRITE =>
{
    HEADER      =>      <<EOH
To: %s
From: <postmaster\@m1stereo.tv>
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 8bit
Subject: [CONTENT BLOCKED]

EOH
,
# body text of the replacement message (the %s placeholders are filled in by pmf: recipient, reference number, check log, original headers)
    BODY        =>      <<EOH
Dear %s!

Your e-mail is blocked due to security policy of our company. If
you think that blocked e-mail is important, please ask system
administrators for unlocking e-mail with next reference number:
        %s

----------------------------------------------------------------
CHECK LOG:

%s
----------------------------------------------------------------
HEADERS:

%s
----------------------------------------------------------------

With best regards, e-mail support team
EOH
,
},
#---------------------------------------------------------------
  • 2. Add the filter to procmail's config, /etc/procmailrc:
.......
# pmf filter
:0fw
| /usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf $LOGNAME
......

pmf runs as a procmail filter: the 'f' flag feeds the message through the program and takes its output as the new message, and 'w' makes procmail wait for the program and check its exit code (see procmailrc(5) for the flags). $LOGNAME passes the local recipient name, which is what WhiteListTo matches against. One consequence of 'w' is worth knowing: if the filter exits unsuccessfully, procmail keeps the original, unfiltered text, so a broken pmf installation (a missing Perl module, a config syntax error) fails open and delivers everything. Test the filter by hand (see Troubleshooting) before relying on it.

Syslogging

pmf can log events to syslog. To enable this, add to the config:

# syslog!
SYSLOG          =>
{
    ident       =>      'pmf',
    logopt      =>      'cons,pid',
    facility    =>      'mail',
    priority    =>      'mail|warning',
},

This writes syslog entries for every message with a score greater than zero: a 'Recipient:' line with the score and the matching filters, followed by a 'Trace:' line with the message's Received trace (including the envelope sender):

Dec 17 20:02:03 kazbek pmf[12656]: Recipient: pupkin, Score: 2.000000, Filters:    2.0 pmf::DangerosHTMLtags [<IFRAME src=XXX>:BODY],
Dec 17 20:02:03 kazbek pmf[12656]: Trace: from localhost.localdomain (localhost [127.0.0.1]) by uaportal.com (8.12.6p2/8.12.3) with ESMTP id iBFMCqj4085091 for <budnik@m1stereo.tv>; Thu, 16 Dec 2004 00:12:57 +0200 (EET) (envelope-from mailnews@uaportal.com)
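Reading these entries back, as an added Python example that is not part of pmf: it turns the two lines above into one record (recipient, score, filter hits, plus the envelope sender and the 'for' address taken from the Trace line) and counts blocked messages per recipient and per filter. Matching the Trace line to its Recipient line by the syslog pid, and the report threshold, are assumptions of this example, not documented pmf behaviour.

```python
"""Added Python example (not part of pmf): turn pmf's syslog lines into records
and summarise them. The two log lines are the ones shown on this page; pairing
the 'Trace:' line with the 'Recipient:' line by pid is an assumption."""
import re
from collections import Counter

SAMPLE_LOG = """\
Dec 17 20:02:03 kazbek pmf[12656]: Recipient: pupkin, Score: 2.000000, Filters:    2.0 pmf::DangerosHTMLtags [<IFRAME src=XXX>:BODY],
Dec 17 20:02:03 kazbek pmf[12656]: Trace: from localhost.localdomain (localhost [127.0.0.1]) by uaportal.com (8.12.6p2/8.12.3) with ESMTP id iBFMCqj4085091 for <budnik@m1stereo.tv>; Thu, 16 Dec 2004 00:12:57 +0200 (EET) (envelope-from mailnews@uaportal.com)
"""

SYSLOG = re.compile(r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) pmf\[(?P<pid>\d+)\]: (?P<msg>.*)$')
RESULT = re.compile(r'^Recipient: (?P<rcpt>[^,]+), Score: (?P<score>-?[\d.]+), Filters:(?P<filters>.*)$')
HIT = re.compile(r'(?P<score>-?\d+\.\d+) pmf::(?P<name>\w+) \[(?P<obj>[^\]]*)\]')
ENVELOPE = re.compile(r'\(envelope-from (?P<addr>[^)\s]+)\)')
RCPT_FOR = re.compile(r' for <(?P<addr>[^>]+)>')

def parse_pmf_syslog(text):
    """One record per 'Recipient:' line, enriched from the 'Trace:' line of the same pid."""
    records, open_by_pid = [], {}
    for line in text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue  # not a pmf line
        r = RESULT.match(m['msg'])
        if r:
            rec = {'ts': m['ts'], 'host': m['host'], 'recipient': r['rcpt'],
                   'score': float(r['score']),
                   'hits': [(float(h['score']), h['name'], h['obj'])
                            for h in HIT.finditer(r['filters'])],
                   'envelope_from': None, 'delivered_for': None}
            records.append(rec)
            open_by_pid[m['pid']] = rec
        elif m['msg'].startswith('Trace: ') and m['pid'] in open_by_pid:
            rec = open_by_pid.pop(m['pid'])
            env, rf = ENVELOPE.search(m['msg']), RCPT_FOR.search(m['msg'])
            rec['envelope_from'] = env['addr'] if env else None
            rec['delivered_for'] = rf['addr'] if rf else None
    return records

def summarise(records, report_at=1.0):
    """Blocked-message counts per recipient and per filter for scores >= report_at
    (the threshold is an assumed local choice, not a pmf setting)."""
    per_rcpt, per_filter = Counter(), Counter()
    for rec in records:
        if rec['score'] >= report_at:
            per_rcpt[rec['recipient']] += 1
            per_filter.update(name for _, name, _ in rec['hits'])
    return dict(per_rcpt), dict(per_filter)

if __name__ == '__main__':
    for rec in parse_pmf_syslog(SAMPLE_LOG):
        print(rec)
    print(summarise(parse_pmf_syslog(SAMPLE_LOG)))
```

The envelope sender from the Trace line is the address to correlate with, since the From: header of blocked mail is routinely forged; the per-filter counts show which detector is doing the work and which white list is being leaned on.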

KAV daemon connectivity

Kaspersky Antivirus scanning is provided through this module. KAV.pm connects to kavdaemon over a socket, so make sure kavdaemon is running. To enable this feature:

  • 1. add to the FILTERS section of pmf.conf:
        'KAV'                   =>
        {
                SCORE   =>      100.0,
                RESULT_BUFSIZE  => 1024,
                SOCKET  =>      '/var/run/AvpCtl',
        },
  • 2. modify defUnix.prf in the antivirus installation directory:
# same section with parameters for objects
[Object]
Names=*/var/spool/pmf;*/tmp
--skipped--

This avoids messages like "Directory XXXX wasn't included in enabled paths." in the log file /root/kavscan.rpt; the Names list has to cover the TEMP_PATH configured in pmf.conf, which is where pmf stores the attachments that kavdaemon is asked to scan.


Troubleshooting

Q. Nothing works, what's going on?
A. Step-by-step diagnostic procedure:

  • 1. Check that the filter starts at all:
/usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf fooname

If the filter starts and waits for input, that's fine. If you get warnings, read them: they are usually about Perl modules a plugin needs at startup, or about the config file (the config file is Perl syntax and pmf loads it with eval, so a syntax error there shows up as a Perl warning or error).

  • 2. Check the filter on a real message. If you have a message file (standard Unix mbox format) somewhere, run the filter on it manually:
cat /tmp/test-e-mail-1 | /usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf fooname > /tmp/test-e-mail-1.filtered

If warnings appear during processing, see the previous step. If nothing is written to stderr, look at /tmp/test-e-mail-1.filtered: the filter adds its own headers to the header block:

..........
Subject: TEST2
X-pmf-About: pmf-0.9, see http://research.m1stereo.tv/verem/pmf
X-pmf-Score: -100
X-pmf-Status: No
X-pmf-Log:
	*-100.0 pmf::WhiteListTo [fooname]
..........

or

..........
Subject: No subject
X-source-ip: 141.84.69.19
Content-Type: Multipart/Mixed;
  boundary="------------Boundary-00=_QETB1FCXFQQMYJ0CCJD0"
X-pmf-About: pmf-0.9, see http://research.m1stereo.tv/verem/pmf
X-pmf-Score: -99
X-pmf-Status: No
X-pmf-Log:
        *-100.0 pmf::WhiteListTo [fooname]
        *   1.0 pmf::ForbiddenExtensions [ziparchive|elka.zip/elka.exe]
        *   1.0 pmf::ZIPList [elka.zip]
..........
  • 3. The X-pmf-* headers show which filters matched and what they found. In the examples above the first message is clean (only the recipient white list matched); the second would have been caught by ForbiddenExtensions (elka.exe inside elka.zip) and ZIPList but is forced clean by the recipient white list (WhiteListTo, -100). The detector hits still appear in X-pmf-Log, which is useful when reviewing what white-listed users receive.
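A check of these headers, as an added Python example rather than code from pmf: it reads the X-pmf-* headers of a filtered message, lists which detectors matched, tells whether a white list overrode them, and confirms that X-pmf-Status agrees with the sign of X-pmf-Score. The sample is the page's second example above with a constructed one-line body. Two things are assumptions of this example: that pmf writes X-pmf-Status: Yes for a blocked message (the page only shows No), and that a message without X-pmf-About was never touched by the filter, which is what a failed filter under :0fw would look like.

```python
"""Added Python example (not part of pmf): read the X-pmf-* headers pmf adds
and cross-check them. SAMPLE is the page's second troubleshooting message with
a constructed body; an X-pmf-Status value of 'Yes' for blocked mail is assumed."""
import re
from email import message_from_string

SAMPLE = """\
Subject: No subject
X-source-ip: 141.84.69.19
Content-Type: Multipart/Mixed;
  boundary="------------Boundary-00=_QETB1FCXFQQMYJ0CCJD0"
X-pmf-About: pmf-0.9, see http://research.m1stereo.tv/verem/pmf
X-pmf-Score: -99
X-pmf-Status: No
X-pmf-Log:
\t*-100.0 pmf::WhiteListTo [fooname]
\t*   1.0 pmf::ForbiddenExtensions [ziparchive|elka.zip/elka.exe]
\t*   1.0 pmf::ZIPList [elka.zip]

(constructed body, omitted)
"""

# One X-pmf-Log entry: "*<score> pmf::<filter> [<object>]" on a folded continuation line.
ENTRY = re.compile(r'\*\s*(?P<score>-?\d+\.\d+) pmf::(?P<name>\w+) \[(?P<obj>[^\]]*)\]')

def pmf_verdict(text):
    """Decode pmf's verdict from a filtered message; 'filtered' False means pmf never touched it."""
    msg = message_from_string(text)
    if 'X-pmf-About' not in msg:  # assumption: no X-pmf-About, no filter run
        return {'filtered': False}
    score = float(msg['X-pmf-Score'])
    status = msg['X-pmf-Status']
    # The compat32 parser keeps the folded lines in the raw value, so finditer sees them all.
    entries = [(float(e['score']), e['name'], e['obj'])
               for e in ENTRY.finditer(str(msg.get('X-pmf-Log', '')))]
    positive = sum(s for s, _, _ in entries if s > 0)
    return {
        'filtered': True,
        'version': str(msg['X-pmf-About']).split(',')[0],
        'score': score,
        'blocked': status == 'Yes',  # assumed value for a blocked message
        'entries': entries,
        'detectors': [n for s, n, _ in entries if s > 0],
        'whitelisted': any(s < 0 for s, _, _ in entries),
        'would_block_unlisted': positive > 0,  # same mail to a non-whitelisted user
        'status_matches_score': (status == 'Yes') == (score > 0),
        'log_sum': sum(s for s, _, _ in entries),
    }

if __name__ == '__main__':
    v = pmf_verdict(SAMPLE)
    print(v)
    # The page's sample reports -99 although its log entries sum to -98.
    print('score equals log sum:', v['score'] == v['log_sum'])
```

On the sample it reports the two detector hits under the white list and that the header score (-99) is not the sum of the logged entries (-98), so treat X-pmf-Score as the verdict and X-pmf-Log as the evidence rather than deriving one from the other. The 'filtered' flag is the check to run over delivered mail after installing the procmail recipe: unfiltered messages mean pmf is not running or is failing.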

Licence

    Procmail's MIME Filter
    filter to detect unnecessary or dangerous attachments
                                                                                                                                               
    Copyright (C) 2004 Maksym Veremeyenko.
    Contributed by Maksym Veremeyenko, verem@m1stereo.tv, 2004.
                                                                                                                                               
    Procmail's MIME Filter is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
                                                                                                                                               
    Procmail's MIME Filter is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with Procmail's MIME Filter; if not, write to the Free Software
    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA