Pmf
From M1Research
(→Downloads) |
|||
(6 intermediate revisions not shown) | |||
Line 18: | Line 18: | ||
===Downloads=== | ===Downloads=== | ||
<b>Version 0.93 (2004-12-18 16:00)</b> | <b>Version 0.93 (2004-12-18 16:00)</b> | ||
- | * | + | *Download: <code>[{{SERVER}}/downloads/pmf/pmf-0.93.tar.bz2 pmf-0.93.tar.bz2]</code> |
- | * | + | *Changelog: |
**1. Added latin-symbols-only link creation to saved attached files to prevent fail of e xternal programs to read files with non-8-bit symbols | **1. Added latin-symbols-only link creation to saved attached files to prevent fail of e xternal programs to read files with non-8-bit symbols | ||
**2. Modified filters checking order. Now system begin to check files from filters with lowest SCORE and system stop checking after global SCORE is bigger 0.0. This could save a time to determine if mail is dengerous (a bit of optimization) | **2. Modified filters checking order. Now system begin to check files from filters with lowest SCORE and system stop checking after global SCORE is bigger 0.0. This could save a time to determine if mail is dengerous (a bit of optimization) | ||
<b>Version 0.92 (2004-12-18 01:20)</b> | <b>Version 0.92 (2004-12-18 01:20)</b> | ||
- | * | + | *Download: <code>[{{SERVER}}/downloads/pmf/pmf-0.92.tar.bz2 pmf-0.92.tar.bz2]</code> |
- | * | + | *Changelog: |
**1. Added <code>filters/KAV.pm</code> - Kaspersky's Antivirus Connectivity | **1. Added <code>filters/KAV.pm</code> - Kaspersky's Antivirus Connectivity | ||
**2. Added appropriate configuration section | **2. Added appropriate configuration section | ||
<b>Version 0.91 (2004-12-17)</b> | <b>Version 0.91 (2004-12-17)</b> | ||
- | * | + | *Download: <code>[{{SERVER}}/downloads/pmf/pmf-0.91.tar.bz2 pmf-0.91.tar.bz2]</code> |
- | * | + | *Changelog: |
**1. Added syslog facility | **1. Added syslog facility | ||
**2. Added appropriate configuration section | **2. Added appropriate configuration section | ||
<b>Version 0.90 (2004-12-11)</b> | <b>Version 0.90 (2004-12-11)</b> | ||
- | * | + | *Download: <code>[{{SERVER}}/downloads/pmf/pmf-0.90.tar.bz2 pmf-0.90.tar.bz2]</code> |
- | * | + | *Changelog: |
**1. Code reengeniering of procmail-mimefilter.pl | **1. Code reengeniering of procmail-mimefilter.pl | ||
**2. Flexible reconfigration throw the pmf.conf | **2. Flexible reconfigration throw the pmf.conf | ||
Line 194: | Line 194: | ||
===Troubleshooting=== | ===Troubleshooting=== | ||
- | + | <b>Q.</b> <i>Nohing works, whats going on?</i> | |
- | + | <b>A.</b>Step by step diag procedure: | |
- | + | *1. Check if filter could be started: | |
<pre> | <pre> | ||
/usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf fooname | /usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf fooname | ||
</pre> | </pre> | ||
If filter starts and waits for input - that's OK, If you got warn messages, inspect messages, that could be messages about required Perl's modules for plugin startup or config file warning (config file has Perl syntax and <code>pmf</code> use <code>eval</code> function for loading config). | If filter starts and waits for input - that's OK, If you got warn messages, inspect messages, that could be messages about required Perl's modules for plugin startup or config file warning (config file has Perl syntax and <code>pmf</code> use <code>eval</code> function for loading config). | ||
- | + | ||
+ | *2. Check filter running. If you have mail file (standart unix mbox) at some location - try to run filter manualy: | ||
<pre> | <pre> | ||
cat /tmp/test-e-mail-1 | /usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf fooname > /tmp/test-e-mail-1.filtered | cat /tmp/test-e-mail-1 | /usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf fooname > /tmp/test-e-mail-1.filtered | ||
</pre> | </pre> | ||
If you got warn messages during processing see previous step. In no messages given to stderr look into the <code>/tmp/test-e-mail-1.filtered</code>. Filter appends to header block own headers: | If you got warn messages during processing see previous step. In no messages given to stderr look into the <code>/tmp/test-e-mail-1.filtered</code>. Filter appends to header block own headers: | ||
+ | <pre> | ||
.......... | .......... | ||
Subject: TEST2 | Subject: TEST2 | ||
Line 231: | Line 233: | ||
.......... | .......... | ||
</pre> | </pre> | ||
- | Headers <code>X-pmf-*</code> could be usefull to detect what filter found. In examples above it's could be seen that that first message is 'clear' and next message is forced to be clear using white list filter. | + | |
+ | *3. Headers <code>X-pmf-*</code> could be usefull to detect what filter found. In examples above it's could be seen that that first message is 'clear' and next message is forced to be clear using white list filter. | ||
===Licence=== | ===Licence=== |
Latest revision as of 15:13, 7 January 2006
pmf - Procmail's MIME filter
Contents |
Description
pmf is a Perl program for filtering e-mail. Program decompose e-mail into parts check each part using preinstalled filters to determine if e-mail contains forbiden attachments (like win32 executabled and script files). It use 'score' method to determine dengerous level of e-mail.
Features
- Open Source
- Easyest way for intergration into mail system bases on procmail localmailer
- Available filters:
DangerosHTMLtags
- Detects attached htmls files with potencial possibilies to execute some code by IE;ForbiddenExtensions
- Check for forbided extension;Win32Executable
- Check if file is win32 executable;ZIPList
- Check file list of attached ZIP-archive;WhiteListFrom
- exception for 'trusted' senders;WhiteListTo
- exception for 'smart' recipient;
Downloads
Version 0.93 (2004-12-18 16:00)
- Download:
pmf-0.93.tar.bz2
- Changelog:
- 1. Added latin-symbols-only link creation to saved attached files to prevent fail of e xternal programs to read files with non-8-bit symbols
- 2. Modified filters checking order. Now system begin to check files from filters with lowest SCORE and system stop checking after global SCORE is bigger 0.0. This could save a time to determine if mail is dengerous (a bit of optimization)
Version 0.92 (2004-12-18 01:20)
- Download:
pmf-0.92.tar.bz2
- Changelog:
- 1. Added
filters/KAV.pm
- Kaspersky's Antivirus Connectivity - 2. Added appropriate configuration section
- 1. Added
Version 0.91 (2004-12-17)
- Download:
pmf-0.91.tar.bz2
- Changelog:
- 1. Added syslog facility
- 2. Added appropriate configuration section
Version 0.90 (2004-12-11)
- Download:
pmf-0.90.tar.bz2
- Changelog:
- 1. Code reengeniering of procmail-mimefilter.pl
- 2. Flexible reconfigration throw the pmf.conf
Installation
- 1. Download source tarball
- 2. Check if next modules installed:
Data::Dump Mail::MboxParser Digest::MD5 HTML::Parser Archive::Zipif this modules not installed, please visit CPAN for download required modules
- 3. Unpack archive into
/usr/local/pmf/
Configuration
- 1. check pmf config file (modify config file for your system, modify white lists or disable some filters):
/usr/local/pmf/pmf.conf
:
# Renice priority to lower (keep system more stable) # this prevent system to load up to 110% :-)) of users processes RENICE => -9, # path where plugins installed FILTERS_PATH => '/usr/local/pmf/filters/', # save blocked users emails to path SAVE_PATH => '/tmp/users/', # temporarity directory for storing body and attachemt TEMP_PATH => '/tmp/pmf/', # filters parameters FILTERS => { 'WhiteListTo' => { LIST => ['verem','root'], SCORE => -100.0, }, 'WhiteListFrom' => { LIST => ['bk.ru','gfk-usm.com.ua','gfk.com.ua'], SCORE => -100.0, }, 'ForbiddenExtensions' => { LIST => ['exe','com','pif','scr','bat','reg','ocx','dll','cmd','vbs','vb','cab','inf'], SCORE => 1.0, }, 'Win32Executable' => { LIST => ['MZ','ELF'], MAX => 3, SCORE => 1.0, }, 'ZIPList' => { SCORE => 1.0, }, # 'KAVtest' => # { # }, 'DangerosHTMLtags' => { SCORE => 1.0, }, }, # rewrite letter # text of header of rewrited letter REWRITE => { HEADER => <<EOH To: %s From: <postmaster\@m1stereo.tv> Content-Type: text/plain; charset="koi8-r" Content-Transfer-Encoding: 8bit Subject: [CONTENT BLOCKED] EOH , # body text of rewrited letter BODY => <<EOH Dear %s! Your e-mail is blocked due to security policy of our company. If you think that blocked e-mail is important, please ask system administrators for unlocking e-mail with next reference number: %s ---------------------------------------------------------------- CHECK LOG: %s ---------------------------------------------------------------- HEADERS: %s ---------------------------------------------------------------- With best regards e-mail support teams, EOH , }, #---------------------------------------------------------------
- 2. Modify procmail's config:
/etc/procmailrc
::
....... # pmf filter :0fw | /usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf $LOGNAME ......
program pmf configured as filter, for :0fw
see procmail's manual.
Syslogging
It's able to log event to syslog. To enable this feature add to config:
# syslog! SYSLOG => { ident => 'pmf', logopt => 'cons,pid', facility => 'mail', priority => 'mail|warning', },
That's will make syslog entries about found messages with score more then zero:
Dec 17 20:02:03 kazbek pmf[12656]: Recipient: pupkin, Score: 2.000000, Filters: 2.0 pmf::DangerosHTMLtags [<IFRAME src=XXX>:BODY], Dec 17 20:02:03 kazbek pmf[12656]: Trace: from localhost.localdomain (localhost [127.0.0.1]) by uaportal.com (8.12.6p2/8.12.3) with ESMTP id iBFMCqj4085091 for <budnik@m1stereo.tv>; Thu, 16 Dec 2004 00:12:57 +0200 (EET) (envelope-from mailnews@uaportal.com)
KAV daemon connectivity
Kasspersky's antivirus provided throw this module. KAV.pm
uses socket to connect to kavdaemon. Make sure that kavdaemon started. To enable this feature:
- 1. add to
FILTERS
section ofpmf.conf
:
'KAV' => { SCORE => 100.0, RESULT_BUFSIZE => 1024, SOCKET => '/var/run/AvpCtl', },
- 2. modify
defUnix.prf
in antivirus installation dir:
# same section with parameters for objects [Object] Names=*/var/spool/pmf;*/tmp --skipped--
This is done to aviod messages like :Directory XXXX wasn't included in enabled paths
. in log file: /root/kavscan.rpt
Troubleshooting
Q. Nohing works, whats going on? A.Step by step diag procedure:
- 1. Check if filter could be started:
/usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf fooname
If filter starts and waits for input - that's OK, If you got warn messages, inspect messages, that could be messages about required Perl's modules for plugin startup or config file warning (config file has Perl syntax and pmf
use eval
function for loading config).
- 2. Check filter running. If you have mail file (standart unix mbox) at some location - try to run filter manualy:
cat /tmp/test-e-mail-1 | /usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf fooname > /tmp/test-e-mail-1.filtered
If you got warn messages during processing see previous step. In no messages given to stderr look into the /tmp/test-e-mail-1.filtered
. Filter appends to header block own headers:
.......... Subject: TEST2 X-pmf-About: pmf-0.9, see http://research.m1stereo.tv/verem/pmf X-pmf-Score: -100 X-pmf-Status: No X-pmf-Log: *-100.0 pmf::WhiteListTo [fooname] ..........
or
.......... Subject: No subject X-source-ip: 141.84.69.19 Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_QETB1FCXFQQMYJ0CCJD0" X-pmf-About: pmf-0.9, see http://research.m1stereo.tv/verem/pmf X-pmf-Score: -99 X-pmf-Status: No X-pmf-Log: *-100.0 pmf::WhiteListTo [fooname] * 1.0 pmf::ForbiddenExtensions [ziparchive|elka.zip/elka.exe] * 1.0 pmf::ZIPList [elka.zip] ..........
- 3. Headers
X-pmf-*
could be usefull to detect what filter found. In examples above it's could be seen that that first message is 'clear' and next message is forced to be clear using white list filter.
Licence
Procmail's MIME Filter filter to detect unnessaries or dangerous attachments Copyright (C) 2004 Maksym Veremeyenko. Contributed by Maksym Veremeyenko, verem@m1stereo.tv, 2004. Procmail's MIME Filter is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. Procmail's MIME Filter is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with Procmail's MIME Filter; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA