Pmf

From M1Research

(Difference between revisions)
Jump to: navigation, search
Line 40: Line 40:
**1. Code reengeniering of procmail-mimefilter.pl
**1. Code reengeniering of procmail-mimefilter.pl
**2. Flexible reconfigration throw the pmf.conf
**2. Flexible reconfigration throw the pmf.conf
 +
 +
===Installation===
 +
*1. Download source tarball
 +
*2. Check if next modules installed:
 +
<pre>
 +
Data::Dump
 +
Mail::MboxParser
 +
Digest::MD5
 +
HTML::Parser
 +
Archive::Zip
 +
</pre> if this modules not installed, please visit CPAN for download required modules
 +
*3. Unpack archive into <code>/usr/local/pmf/</code>
 +
 +
===Configuration===
 +
 +
*1. check <b>pmf</b> config file (modify config file for your system, modify white lists or disable some filters): <code>/usr/local/pmf/pmf.conf</code>:
 +
<pre>
 +
# Renice priority to lower (keep system more stable)
 +
# this prevent system to load up to 110% :-)) of users processes
 +
RENICE          =>      -9,
 +
# path where plugins installed
 +
FILTERS_PATH    =>      '/usr/local/pmf/filters/',
 +
# save blocked users emails to path
 +
SAVE_PATH      =>      '/tmp/users/',
 +
# temporarity directory for storing body and attachemt
 +
TEMP_PATH      =>      '/tmp/pmf/',
 +
# filters parameters
 +
FILTERS =>
 +
{
 +
        'WhiteListTo'          =>
 +
        {
 +
                LIST    =>      ['verem','root'],
 +
                SCORE  =>      -100.0,
 +
        },
 +
        'WhiteListFrom'        =>
 +
        {
 +
                LIST    =>      ['bk.ru','gfk-usm.com.ua','gfk.com.ua'],
 +
                SCORE  =>      -100.0,
 +
        },
 +
        'ForbiddenExtensions'  =>
 +
        {
 +
                LIST    =>      ['exe','com','pif','scr','bat','reg','ocx','dll','cmd','vbs','vb','cab','inf'],
 +
                SCORE  =>      1.0,
 +
        },
 +
        'Win32Executable'      =>
 +
        {
 +
                LIST    =>      ['MZ','ELF'],
 +
                MAX    =>      3,
 +
                SCORE  =>      1.0,
 +
        },
 +
        'ZIPList'              =>
 +
        {
 +
                SCORE  =>      1.0,
 +
        },
 +
#      'KAVtest'      =>
 +
#      {
 +
#      },
 +
        'DangerosHTMLtags'              =>
 +
        {
 +
                SCORE  =>      1.0,
 +
        },
 +
},
 +
# rewrite letter
 +
# text of header of rewrited letter
 +
REWRITE =>
 +
{
 +
    HEADER      =>      <<EOH
 +
To: %s
 +
From: <postmaster\@m1stereo.tv>
 +
Content-Type: text/plain; charset="koi8-r"
 +
Content-Transfer-Encoding: 8bit
 +
Subject: [CONTENT BLOCKED]
 +
 +
EOH
 +
,
 +
# body text of rewrited letter
 +
    BODY        =>      <<EOH
 +
Dear %s!
 +
 +
Your e-mail is blocked due to security policy of our company. If
 +
you think that blocked e-mail is important, please ask system
 +
administrators for unlocking e-mail with next reference number:
 +
        %s
 +
 +
----------------------------------------------------------------
 +
CHECK LOG:
 +
 +
%s
 +
----------------------------------------------------------------
 +
HEADERS:
 +
 +
%s
 +
----------------------------------------------------------------
 +
 +
With best regards e-mail support teams,
 +
EOH
 +
,
 +
},
 +
#---------------------------------------------------------------
 +
</pre>
 +
*2. Modify procmail's config: <code>/etc/procmailrc</code>::
 +
<pre>
 +
.......
 +
# pmf filter
 +
:0fw
 +
| /usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf $LOGNAME
 +
......
 +
</pre>
 +
program <b>pmf</b> configured as filter, for <code>:0fw</code> see procmail's manual.
 +
 +
===Syslogging===
 +
 +
It's able to log event to syslog. To enable this feature add to config:
 +
<pre>
 +
# syslog!
 +
SYSLOG          =>
 +
{
 +
    ident      =>      'pmf',
 +
    logopt      =>      'cons,pid',
 +
    facility    =>      'mail',
 +
    priority    =>      'mail|warning',
 +
},
 +
</pre>
 +
That's will make syslog entries about found messages with score more then zero:
 +
<pre>
 +
Dec 17 20:02:03 kazbek pmf[12656]: Recipient: pupkin, Score: 2.000000, Filters:    2.0 pmf::DangerosHTMLtags [<IFRAME src=XXX>:BODY],
 +
Dec 17 20:02:03 kazbek pmf[12656]: Trace: from localhost.localdomain (localhost [127.0.0.1]) by uaportal.com (8.12.6p2/8.12.3) with ESMTP id iBFMCqj4085091 for <budnik@m1stereo.tv>; Thu, 16 Dec 2004 00:12:57 +0200 (EET) (envelope-from mailnews@uaportal.com)
 +
</pre>
 +
 +
===KAV daemon connectivity===
 +
Kasspersky's antivirus provided throw this module. <code>KAV.pm</code> uses socket to connect to kavdaemon. Make sure that kavdaemon started. To enable this feature:
 +
 +
*1. add to <b><code>FILTERS</code></b> section of <code>pmf.conf</code>:
 +
<pre>
 +
        'KAV'                  =>
 +
        {
 +
                SCORE  =>      100.0,
 +
                RESULT_BUFSIZE  => 1024,
 +
                SOCKET  =>      '/var/run/AvpCtl',
 +
                                                                                                                                             
 +
        },
 +
</pre>
 +
*2. modify <code>defUnix.prf</code> in antivirus installation dir:
 +
<pre>
 +
# same section with parameters for objects
 +
[Object]
 +
Names=*/var/spool/pmf;*/tmp
 +
--skipped--
 +
</pre>
 +
This is done to aviod messages like :<code>Directory XXXX wasn't included in enabled paths</code>. in log file: <code>/root/kavscan.rpt</code>

Revision as of 20:27, 6 January 2006

pmf - Procmail's MIME filter

Contents

Description

pmf is a Perl program for filtering e-mail. Program decompose e-mail into parts check each part using preinstalled filters to determine if e-mail contains forbiden attachments (like win32 executabled and script files). It use 'score' method to determine dengerous level of e-mail.

Features

  • Open Source
  • Easyest way for intergration into mail system bases on procmail localmailer
  • Available filters:
    • DangerosHTMLtags - Detects attached htmls files with potencial possibilies to execute some code by IE;
    • ForbiddenExtensions - Check for forbided extension;
    • Win32Executable - Check if file is win32 executable;
    • ZIPList - Check file list of attached ZIP-archive;
    • WhiteListFrom - exception for 'trusted' senders;
    • WhiteListTo - exception for 'smart' recipient;

Downloads

Version 0.93 (2004-12-18 16:00)

  • 1. Download: pmf-0.93.tar.bz2
  • 2. Changelog:
    • 1. Added latin-symbols-only link creation to saved attached files to prevent fail of e xternal programs to read files with non-8-bit symbols
    • 2. Modified filters checking order. Now system begin to check files from filters with lowest SCORE and system stop checking after global SCORE is bigger 0.0. This could save a time to determine if mail is dengerous (a bit of optimization)

Version 0.92 (2004-12-18 01:20)

  • 1. Download: pmf-0.92.tar.bz2
  • 2. Changelog:
    • 1. Added filters/KAV.pm - Kaspersky's Antivirus Connectivity
    • 2. Added appropriate configuration section

Version 0.91 (2004-12-17)

  • 1. Download: pmf-0.91.tar.bz2
  • 2. Changelog:
    • 1. Added syslog facility
    • 2. Added appropriate configuration section

Version 0.90 (2004-12-11)

  • 1. Download: pmf-0.90.tar.bz2
  • 2. Changelog:
    • 1. Code reengeniering of procmail-mimefilter.pl
    • 2. Flexible reconfigration throw the pmf.conf

Installation

  • 1. Download source tarball
  • 2. Check if next modules installed: 
Data::Dump
Mail::MboxParser
Digest::MD5
HTML::Parser
Archive::Zip
if this modules not installed, please visit CPAN for download required modules
  • 3. Unpack archive into /usr/local/pmf/

Configuration

  • 1. check pmf config file (modify config file for your system, modify white lists or disable some filters): /usr/local/pmf/pmf.conf: 
# Renice priority to lower (keep system more stable)
# this prevent system to load up to 110% :-)) of users processes
RENICE          =>      -9,
# path where plugins installed
FILTERS_PATH    =>      '/usr/local/pmf/filters/',
# save blocked users emails to path
SAVE_PATH       =>      '/tmp/users/',
# temporarity directory for storing body and attachemt
TEMP_PATH       =>      '/tmp/pmf/',
# filters parameters
FILTERS =>
{
        'WhiteListTo'           =>
        {
                LIST    =>      ['verem','root'],
                SCORE   =>      -100.0,
        },
        'WhiteListFrom'         =>
        {
                LIST    =>      ['bk.ru','gfk-usm.com.ua','gfk.com.ua'],
                SCORE   =>      -100.0,
        },
        'ForbiddenExtensions'   =>
        {
                LIST    =>      ['exe','com','pif','scr','bat','reg','ocx','dll','cmd','vbs','vb','cab','inf'],
                SCORE   =>      1.0,
        },
        'Win32Executable'       =>
        {
                LIST    =>      ['MZ','ELF'],
                MAX     =>      3,
                SCORE   =>      1.0,
        },
        'ZIPList'               =>
        {
                SCORE   =>      1.0,
        },
#       'KAVtest'       =>
#       {
#       },
        'DangerosHTMLtags'              =>
        {
                SCORE   =>      1.0,
        },
},
# rewrite letter
# text of header of rewrited letter
REWRITE =>
{
    HEADER      =>      <<EOH
To: %s
From: <postmaster\@m1stereo.tv>
Content-Type: text/plain; charset="koi8-r"
Content-Transfer-Encoding: 8bit
Subject: [CONTENT BLOCKED]

EOH
,
# body text of rewrited letter
    BODY        =>      <<EOH
Dear %s!

Your e-mail is blocked due to security policy of our company. If
you think that blocked e-mail is important, please ask system
administrators for unlocking e-mail with next reference number:
        %s

----------------------------------------------------------------
CHECK LOG:

%s
----------------------------------------------------------------
HEADERS:

%s
----------------------------------------------------------------

With best regards e-mail support teams,
EOH
,
},
#---------------------------------------------------------------
  • 2. Modify procmail's config: /etc/procmailrc:: 
.......
# pmf filter
:0fw
| /usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf $LOGNAME
......

program pmf configured as filter, for :0fw see procmail's manual.

Syslogging

It's able to log event to syslog. To enable this feature add to config: 

# syslog!
SYSLOG          =>
{
    ident       =>      'pmf',
    logopt      =>      'cons,pid',
    facility    =>      'mail',
    priority    =>      'mail|warning',
},

That's will make syslog entries about found messages with score more then zero: 

Dec 17 20:02:03 kazbek pmf[12656]: Recipient: pupkin, Score: 2.000000, Filters:    2.0 pmf::DangerosHTMLtags [<IFRAME src=XXX>:BODY],
Dec 17 20:02:03 kazbek pmf[12656]: Trace: from localhost.localdomain (localhost [127.0.0.1]) by uaportal.com (8.12.6p2/8.12.3) with ESMTP id iBFMCqj4085091 for <budnik@m1stereo.tv>; Thu, 16 Dec 2004 00:12:57 +0200 (EET) (envelope-from mailnews@uaportal.com)

KAV daemon connectivity

Kasspersky's antivirus provided throw this module. KAV.pm uses socket to connect to kavdaemon. Make sure that kavdaemon started. To enable this feature:

  • 1. add to FILTERS section of pmf.conf: 
        'KAV'                   =>
        {
                SCORE   =>      100.0,
                RESULT_BUFSIZE  => 1024,
                SOCKET  =>      '/var/run/AvpCtl',
                                                                                                                                               
        },
  • 2. modify defUnix.prf in antivirus installation dir: 
# same section with parameters for objects
[Object]
Names=*/var/spool/pmf;*/tmp
--skipped--

This is done to aviod messages like :Directory XXXX wasn't included in enabled paths. in log file: /root/kavscan.rpt

Retrieved from "http://research.m1stereo.tv/wiki/index.php/Pmf"
Personal tools