Pmf
From M1Research
pmf - Procmail's MIME filter
Description
pmf is a Perl program for filtering e-mail. It decomposes a message into its MIME parts and checks each part with the installed filters to determine whether the message carries forbidden attachments (such as Win32 executables and script files). Each filter that matches contributes a score, and the summed score determines how dangerous the message is considered.
Features
- Open Source
- Easy integration into a mail system that uses procmail as the local mailer
- Available filters:
  - DangerosHTMLtags: detects attached HTML files that could make IE execute code
  - ForbiddenExtensions: checks for forbidden file extensions
  - Win32Executable: checks whether a file is a Win32 executable
  - ZIPList: checks the file list of an attached ZIP archive
  - WhiteListFrom: exception for 'trusted' senders
  - WhiteListTo: exception for 'smart' recipients
Downloads
Version 0.93 (2004-12-18 16:00)
- 1. Download: pmf-0.93.tar.bz2
- 2. Changelog:
  - 1. A link with a Latin-only name is now created for each saved attached file, so that external programs no longer fail to read files whose names contain non-Latin characters
  - 2. Changed the order in which filters are checked. Files are now checked starting from the filter with the lowest SCORE, and checking stops as soon as the global SCORE exceeds 0.0. This saves time when deciding whether a message is dangerous (a small optimization)
Version 0.92 (2004-12-18 01:20)
- 1. Download: pmf-0.92.tar.bz2
- 2. Changelog:
  - 1. Added filters/KAV.pm (Kaspersky Anti-Virus connectivity)
  - 2. Added the corresponding configuration section
Version 0.91 (2004-12-17)
- 1. Download: pmf-0.91.tar.bz2
- 2. Changelog:
  - 1. Added syslog facility
  - 2. Added the corresponding configuration section
Version 0.90 (2004-12-11)
- 1. Download: pmf-0.90.tar.bz2
- 2. Changelog:
  - 1. Re-engineered the code of procmail-mimefilter.pl
  - 2. Flexible reconfiguration through pmf.conf
Installation
- 1. Download the source tarball
- 2. Check that the following modules are installed: Data::Dump, Mail::MboxParser, Digest::MD5, HTML::Parser, Archive::Zip. If any of them is missing, get it from CPAN.
- 3. Unpack the archive into /usr/local/pmf/
Configuration
- 1. Check the pmf config file /usr/local/pmf/pmf.conf and adapt it to your system (paths, white lists, filters you want disabled). Two things to keep in mind: the white-list filters match on a sender or recipient address taken from the message, and a sender address (header or envelope) is chosen by whoever sends the mail, so a whitelisted domain lets any attachment through from anyone who writes that domain into the address. SAVE_PATH holds the blocked messages, including their attachments, so it should be a directory that ordinary users cannot read. Note also that a negative RENICE value raises the priority (which only root may do); to lower it, as the comment intends, use a positive value.

    # Renice priority (keep the system more stable):
    # this prevents user processes from loading the system up to 110% :-))
    RENICE => -9,
    # path where plugins are installed
    FILTERS_PATH => '/usr/local/pmf/filters/',
    # blocked users' e-mails are saved under this path
    SAVE_PATH => '/tmp/users/',
    # temporary directory for storing body and attachments
    TEMP_PATH => '/tmp/pmf/',
    # filter parameters
    FILTERS => {
        'WhiteListTo' => {
            LIST => ['verem','root'],
            SCORE => -100.0,
        },
        'WhiteListFrom' => {
            LIST => ['bk.ru','gfk-usm.com.ua','gfk.com.ua'],
            SCORE => -100.0,
        },
        'ForbiddenExtensions' => {
            LIST => ['exe','com','pif','scr','bat','reg','ocx','dll','cmd','vbs','vb','cab','inf'],
            SCORE => 1.0,
        },
        'Win32Executable' => {
            LIST => ['MZ','ELF'],
            MAX => 3,
            SCORE => 1.0,
        },
        'ZIPList' => {
            SCORE => 1.0,
        },
    #   'KAVtest' =>
    #   {
    #   },
        'DangerosHTMLtags' => {
            SCORE => 1.0,
        },
    },
    # rewrite letter
    # header text of the rewritten letter
    REWRITE => {
        HEADER => <<EOH
    To: %s
    From: <postmaster\@m1stereo.tv>
    Content-Type: text/plain; charset="koi8-r"
    Content-Transfer-Encoding: 8bit
    Subject: [CONTENT BLOCKED]
    EOH
        ,
        # body text of the rewritten letter
        BODY => <<EOH
    Dear %s!

    Your e-mail is blocked due to security policy of our company.
    If you think that blocked e-mail is important, please ask
    system administrators for unlocking e-mail with next reference number: %s
    ----------------------------------------------------------------
    CHECK LOG:
    %s
    ----------------------------------------------------------------
    HEADERS:
    %s
    ----------------------------------------------------------------
    With best regards
    e-mail support teams,
    EOH
        ,
    },
    #---------------------------------------------------------------
- 2. Modify procmail's config, /etc/procmailrc:

    .......
    # pmf filter
    :0fw
    | /usr/local/pmf/pmf.pl /usr/local/pmf/pmf.conf $LOGNAME
    ......

pmf is configured as a filter recipe; for the meaning of :0fw see procmail's manual (procmailrc(5)). The w flag makes procmail wait for pmf and check its exit code: if pmf exits non-zero (for example because a Perl module is missing), procmail keeps the original, unfiltered message and delivery continues, so the filter fails open. Check procmail's log after installation to make sure the recipe actually ran.
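The scoring rule that the 0.93 changelog and the FILTERS section describe (filters run in ascending SCORE order, each match adds its SCORE, checking stops once the total is above 0.0) is easy to misjudge, in particular how the -100.0 white lists interact with the +1.0 filters. The script below is an added example and not pmf's own code: the filter names and SCORE values mirror pmf.conf, but the match logic inside each filter is simplified and assumed (WhiteListFrom is assumed to compare the sender's domain with LIST; the real filters/*.pm modules are not on this page), and the messages are constructed.

```perl
#!/usr/bin/perl
# Added example (not pmf's own code): a model of the scoring loop as the
# 0.93 changelog describes it.  Filters run in ascending SCORE order, each
# match adds its SCORE, and checking stops as soon as the total exceeds 0.0.
# Filter names/SCORE values mirror pmf.conf; the matching inside each filter
# is simplified and assumed, not taken from the real filters/*.pm modules.
use strict;
use warnings;

my %CONFIG = (
    FILTERS => {
        WhiteListFrom       => { LIST => ['bk.ru'],            SCORE => -100.0 },
        ForbiddenExtensions => { LIST => ['exe','scr','vbs'],  SCORE =>    1.0 },
        Win32Executable     => { LIST => ['MZ','ELF'],         SCORE =>    1.0 },
    },
);

# One check routine per filter; each returns the list of hits (empty = no match).
my %CHECK = (
    # assumed rule: the sender's domain is compared with LIST (case-insensitive)
    WhiteListFrom => sub {
        my ($cfg, $mail) = @_;
        my ($domain) = $mail->{from} =~ /\@([^>\s]+)/;
        return () unless defined $domain;
        return grep { lc($domain) eq lc($_) } @{ $cfg->{LIST} };
    },
    # attachment name ends in one of the forbidden extensions
    ForbiddenExtensions => sub {
        my ($cfg, $mail) = @_;
        my %bad = map { lc($_) => 1 } @{ $cfg->{LIST} };
        return grep { /\.([^.]+)\z/ && $bad{ lc $1 } }
               map  { $_->{name} } @{ $mail->{parts} };
    },
    # attachment starts with one of the magic strings in LIST
    Win32Executable => sub {
        my ($cfg, $mail) = @_;
        my @hits;
        for my $part (@{ $mail->{parts} }) {
            for my $magic (@{ $cfg->{LIST} }) {
                push @hits, "$part->{name}:$magic"
                    if substr($part->{data}, 0, length $magic) eq $magic;
            }
        }
        return @hits;
    },
);

# Returns (total_score, \@check_log), following the 0.93 ordering rule.
sub score_mail {
    my ($config, $mail) = @_;
    my $filters = $config->{FILTERS};
    my ($total, @log) = (0.0);
    for my $name (sort { $filters->{$a}{SCORE} <=> $filters->{$b}{SCORE} } keys %$filters) {
        my @hits = $CHECK{$name}->($filters->{$name}, $mail);
        next unless @hits;
        $total += $filters->{$name}{SCORE};
        push @log, sprintf('%.1f pmf::%s [%s]', $filters->{$name}{SCORE}, $name, join(',', @hits));
        last if $total > 0.0;   # already dangerous: remaining filters are skipped
    }
    return ($total, \@log);
}

# Constructed sample messages (not real traffic).
my @samples = (
    { from  => 'someone@example.net',
      parts => [ { name => 'invoice.scr', data => "MZ\x90\x00..." } ] },
    { from  => 'partner@bk.ru',                       # whitelisted domain
      parts => [ { name => 'setup.exe',   data => "MZ\x90\x00..." } ] },
    { from  => 'someone@example.net',
      parts => [ { name => 'notes.txt',   data => "plain text" } ] },
);

for my $mail (@samples) {
    my ($score, $log) = score_mail(\%CONFIG, $mail);
    printf "%-22s score %8.3f  %s\n", $mail->{from}, $score,
        @$log ? join('; ', @$log) : '(no hits)';
}
```

Running it shows the three cases: the first message is stopped by ForbiddenExtensions at +1.0 and Win32Executable never runs; the second matches every filter but ends at -98.0, because the white list was evaluated first and nothing after it can bring the total above zero; the third scores 0.0 with no hits.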
Syslogging
pmf can log events to syslog. To enable this feature add to the config:

    # syslog!
    SYSLOG => {
        ident    => 'pmf',
        logopt   => 'cons,pid',
        facility => 'mail',
        priority => 'mail|warning',
    },

This produces syslog entries for messages whose score is greater than zero, two lines per message that share the same PID (the recipient, score and filter hits, then the Received trace):

    Dec 17 20:02:03 kazbek pmf[12656]: Recipient: pupkin, Score: 2.000000, Filters: 2.0 pmf::DangerosHTMLtags [<IFRAME src=XXX>:BODY],
    Dec 17 20:02:03 kazbek pmf[12656]: Trace: from localhost.localdomain (localhost [127.0.0.1]) by uaportal.com (8.12.6p2/8.12.3) with ESMTP id iBFMCqj4085091 for <budnik@m1stereo.tv>; Thu, 16 Dec 2004 00:12:57 +0200 (EET) (envelope-from mailnews@uaportal.com)
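Because the information about one blocked message is spread over two syslog lines, anyone who wants to report on or alert from this log has to join them. The script below is an added example, not part of pmf: it parses the line format shown above and correlates the Recipient and Trace lines by PID. The log excerpt is the sample from this page plus one constructed unrelated sendmail line; the field layout is inferred from that sample only.

```perl
#!/usr/bin/perl
# Added example, not part of pmf: parse the two syslog lines pmf writes per
# blocked message (format taken from the sample entries above) and join them
# by PID, so recipient, score, filter hits and envelope sender end up in one
# record that can be summarised or handed to an alerting script.
use strict;
use warnings;

# Returns a hashref keyed by pmf PID; each value holds the fields of one event.
sub parse_pmf_log {
    my @lines = @_;
    my %events;
    for my $line (@lines) {
        # syslog prefix: timestamp, host, "pmf[PID]: message"
        next unless $line =~ /^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) pmf\[(\d+)\]: (.*)$/;
        my ($ts, $host, $pid, $msg) = ($1, $2, $3, $4);
        if ($msg =~ /^Recipient: (\S+), Score: ([\d.]+), Filters: (.*?),?$/) {
            my ($rcpt, $score, $filters) = ($1, $2, $3);
            $events{$pid} = {
                time    => $ts,
                host    => $host,
                rcpt    => $rcpt,
                score   => $score + 0,
                # each hit looks like "2.0 pmf::DangerosHTMLtags [<IFRAME src=XXX>:BODY]"
                filters => [ $filters =~ /([\d.]+ pmf::\w+ \[[^\]]*\])/g ],
            };
        }
        elsif ($msg =~ /^Trace: (.*)$/ && $events{$pid}) {
            my $trace = $1;
            $events{$pid}{trace} = $trace;
            ($events{$pid}{envelope_from}) = $trace =~ /\(envelope-from ([^)]+)\)/;
        }
    }
    return \%events;
}

# Log excerpt: the sample lines from this page plus one constructed unrelated line.
my @sample = (
    'Dec 17 20:02:03 kazbek pmf[12656]: Recipient: pupkin, Score: 2.000000, Filters: 2.0 pmf::DangerosHTMLtags [<IFRAME src=XXX>:BODY],',
    'Dec 17 20:02:03 kazbek pmf[12656]: Trace: from localhost.localdomain (localhost [127.0.0.1]) by uaportal.com (8.12.6p2/8.12.3) with ESMTP id iBFMCqj4085091 for <budnik@m1stereo.tv>; Thu, 16 Dec 2004 00:12:57 +0200 (EET) (envelope-from mailnews@uaportal.com)',
    'Dec 17 20:05:41 kazbek sendmail[12700]: iBHI5fQx012700: from=<x@example.net>, size=1234',
);

my $events = parse_pmf_log(@sample);
for my $pid (sort { $a <=> $b } keys %$events) {
    my $e = $events->{$pid};
    my $env = defined $e->{envelope_from} ? $e->{envelope_from} : '?';
    printf "%s %s pid=%s rcpt=%s score=%.1f envelope-from=%s\n  hits: %s\n",
        $e->{time}, $e->{host}, $pid, $e->{rcpt}, $e->{score}, $env,
        join('; ', @{ $e->{filters} });
}
```

The unrelated sendmail line is skipped by the prefix match; for PID 12656 the script prints recipient pupkin, score 2.0, envelope sender mailnews@uaportal.com and the single DangerosHTMLtags hit. Keep the PID join in mind if the log is read across a daemon restart or a PID wrap: the Trace line is only attached when its Recipient line has already been seen.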
KAV daemon connectivity
Kaspersky Anti-Virus scanning is provided through the KAV.pm module. KAV.pm connects to kavdaemon over a socket, so make sure kavdaemon is running. To enable this feature:
- 1. add to the FILTERS section of pmf.conf:

    'KAV' => {
        SCORE          => 100.0,
        RESULT_BUFSIZE => 1024,
        SOCKET         => '/var/run/AvpCtl',
    },

- 2. modify defUnix.prf in the antivirus installation directory:

    # same section with parameters for objects
    [Object]
    Names=*/var/spool/pmf;*/tmp
    --skipped--

The Names list must cover the directory where pmf stores the extracted attachments (TEMP_PATH in pmf.conf); this is done to avoid messages like

    Directory XXXX wasn't included in enabled paths

in the log file /root/kavscan.rpt, which mean that the file lay outside the paths kavdaemon is allowed to scan.

Note the arithmetic between this filter and the white lists: a KAV hit scores +100.0 while WhiteListFrom and WhiteListTo score -100.0, so a message from a whitelisted sender that contains a virus sums to exactly 0.0 from these two filters and is blocked only if some other filter adds to the score. If the scanner verdict should always win, give KAV a SCORE larger than the white-list penalty.