Feature:
PERL-ing out spam

Seamus Phan , 1-Jun-2002

Need a quick-and-dirty tool to install on the mail gateway that protects it against spammers?

Recently, I redicovered the usefulness of code snippets like Perl ESMTPD (perl-esmtpd.sourceforge.net), VBSfilter (aeschi.ch.eu.org/milter) and Batemail (batemail.sourceforge.net). They have various functions, including extension filtering and regex (regular expression) filtering. Extension filtering is similar to a over-simplistic antivirus mechanism, which examines attachments and deletes or rejects e-mail with attachments ending with one or more of the banned extension list. Regex filtering is useful in filtering out e-mail with banned expressions, such as those from spammers.

By combining the functionality of these code snippets, it is possible to make a simplistic antivirus and e-mail content filtering add-on to your sendmail (www.sendmail.org) server. Of course, my disclaimer to you is that this is way too simplistic, and there are performance issues if you are running a large network with a single mail server, and there are ways to crack the software (and IÕm not telling). Instead, this could be a useful starting point to your network defence, or you could add it to enhance your overall protection. Best of all, it is free as all three code snippets are open source.

Combine and conquer

The Perl ESMTPD script is primarily used for regex, while the VBSfilter and Batemail scripts are used for MIME filtering.

Sometime back, my Unix-guru colleague Danny and I worked on some scripts and managed to combine the functions of ESMTPD and Batemail, creating an external user configurable text file so that administrators can easily telnet into the mail server and change the parameters.

The syntax of the esmtpd.config file is as follows (remember to remove my parentheses in real-world use):

- myname mail.yourcompany.com (your mail domain)
- interface 192.179.0.1 (your mail server IP address)
- mailer /usr/local/sbin/sendmail (your sendmail directory)
- logfile /var/maillog/esmtpd.log (where your logfiles will be placed)
- noticefile /etc/mail/esmtpd.notice (the notice to append to e-mail)
- relaypw none (add a password if you need one)
- ocalnames /etc/mail/local-host-names (check against local host names)
- relayfor 192.179.0.1 (your IP range or accepted host)
- relayfor 127.0.0.1
- maxlinecheck 65 (how many lines of text to check for spam)
- regex xxx (add banned words or phrases)
- mimetaboo xxx (add banned MIME extensions here)

This script will work with the most current sendmail versions, such as 8.12.x and above. The more current versions will have fixed more bugs in earlier versions.

A point to note: in the definition ÒmaxlinecheckÓ, Danny and I discovered that performance degrades drastically when attachments made visible as plain text, such as huge Adobe Acrobat files, entered the mail server.

The esmtpd.notice is a simple text file that appends to e-mail that has banned MIME attachments removed. Rather than silently sending stripped e-mail to recipients, we decided that it is courteous and right to inform the recipient. In our particular file, we have only one line below, but you can customise your esmtpd.notice file to display as much appended text as you like, such as:

NOTICE: This banned attachment has been deleted by the server.

MIME hitlist

To understand what are the kinds of extensions that we must ban, and some others we may want to ban to reduce bandwidth utilisation, we need to examine MicrosoftÕs list first.

Microsoft (support.microsoft.com/ support/kb/articles/Q262/6/17.asp) has considered these extensions as dangerous, and it is often wise to block out these extensions whenever possible, including: .ade, .adp, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .hta, .inf, .ins, .isp, .js, .jse, .lnk, .mdb, .mde, .msc, .msi, .msp, .mst, .pcd, .pif, .reg, .scr, .sct, .shs, .shb, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh, and so on.

Additional MIME extensions you may want to block, to prevent users on your network from wasting precious bandwidth, include multimedia files such as: .mov, .mpg or .mpeg, .mp3 and others. These files are usually harmless, although some baddies have reconstructed .mp3 as malware.

The final version of our Perl script has the syntax of defining banned MIME attachments as:

- mimetaboo com (for singular banned MIME attachment)
- mimetaboo ba[st]* (matches both .bas and .bat MIME attachments)

The REGEX list

REGEX is common in Perl scripts, and can be used in your filtering script to block out spam, or unwanted e-mail. It is extremely English-like, and defined with a single ÒREGEXÓ per line. Some examples include:

- regex script language=JavaScript (to block out JS execution in e-mail)
- regex @eudoramail.com (a frequent faked spammer from field)
- regex 100% proven and guaranteed (another common spammer ÒpromiseÓ)
- regex below is the result of your feedback form (a common CGI exploit result)
- regex bta.net.cn (common faked from domain)
- regex btamail.net.cn (a variant of the above)
- regex height=Ó1Ó width=Ó1Ó (part of a Òweb bugÓ HTML e-mail)
- regex http://.*.tripod.com (wildcard match of common domain used by spammers)
- regex if you have received this in error (fake removal notice from spammers)
- regex live XXX action (common pornographic phrase)
- regex removeregister.com (common fake removal domain)
- regex Subject: ADV: (common subject heading for spam)

Note that the REGEX function here is not case-sensitive, and so will match any single word, or phrase you input into the script. The advantage of the REGEX definition is that you can use wildcard definitions for more inclusive input without using up more lines, since Perl scripts are not compiled and must run line by line.

Running the script

First of all, this script will run before sendmail to intercept incoming and outgoing mail for possible malware.

Your sendmail.cf (configuration) file needs some minor change at the end, to change procmail to esmtpd. Below is a simple example (but please do read the OÕReillyÕs Sendmail book, available from Amazon.com for more details):

#
# Common code to add local domain name (only if always-add-domain)
#
SAddDomain=50
Mlocal,
P=/usr/local/sbin/esmtpd, F=lsDFMAw5:/|@qSPfhn9, S=EnvFromL/HdrFromL, R=EnvToL/HdrToL,
T=DNS/RFC822/X-Unix,
A=procmail -Y -a $h -d $u
Mprog,
P=/usr/sbin/smrsh,
F=lsDFMoqeu9,
S=EnvFromL/HdrFromL, R=EnvToL/HdrToL, D=$z:/,
T=X-Unix/X-Unix/X-Unix,
A=smrsh -c $u

Once your sendmail.cf file is configured to run esmtpd instead of procmail, find out the PID (process ID) of sendmail and run a terminal application. Start by typing ps -ax | grep sendmail, and note the number. Then type kill , hit Return, and type killall -1 inetd, which will activate the ESMTPD script to run and intercept all incoming and outgoing e-mail before sendmail receives them.

Should you need to reset your mail transfer back to sendmail, or you need to take down the ESMTPD script for maintenance or improvements, reverse the process by:

killall -1 inetd
/usr/local/sbin/ sendmail -bd -q30m (or whatever directory your sendmail sits in).

Not cure-all

This is a simple example of how simple open source code can be harnessed to good effect.

It also showed how Perl and PHP can be customised and adapted to suit complex demands in network management. This script will not cure all malware entering our networks, but it sure beats not having it at all.

And yes, do get a proper antivirus mechanism in place as well, either before your mail server, or on all desktops. This script can also serve as a simple spam filtering mechanism without running the MIME banning part.