Antivirus / Antispam Scanning For Mail Proxy - Sept. 4, 2002

Richard Mallett, a user on the Novell public forums, has come up with a short Perl script which can be used to scan incoming mail from the Mail Proxy. The concept is to point the Mail Proxy at a secondary (private) IP address on the BorderManager server, where the Perl script is listening on port 25. The script checks each message against a filter list of patterns you supply, logs and drops anything that matches, and relays the rest by SMTP to the internal mail server. The check is a plain text match of 'objectionable' (red-flag) words against the raw message, headers included, so it can catch attachment file names (for example '.vbs') as well as body text. Note that attachment contents only pass through in their encoded (base64) form, so it is the file name in the MIME headers that a pattern like '.vbs' actually matches, not the script inside. You have to enter the red-flag words yourself.

You can download the Perl code HERE. (Updated Sept. 4, 2002)

Here are the instructions for the script:

Written by RPD Mallett, Vine Micros Ltd
Sept. 27, 2001. Freeware.
Original sock-handling code from examples on the web:
by Prof. Golden G. Richard III, Dept. of Computer Science, University of New Orleans, April 1996-March 1998.

E-Mail sending bits from Novell samples.

This is beta-test code - I make no warranties as to its suitability for any purpose as it was written by someone with only 2 days' experience in Perl. If you're not confident in running it, don't! It's a very simple Perl program, but adds a really neat function to BM. Don't run it using any other Mail Proxy, or you may get unexpected results. I've been running it for a few days now, with no problems - but that's no guarantee that it won't have them!

Its function is to act as a relay between BM's incoming-mail Mail Proxy and your internal mail server, using SMTP. It checks all incoming mail against a filter list (sys:\filtlist.txt). Enter annoying words or phrases in filtlist.txt, each on a separate line (don't add blank lines!). Only use alphanumeric characters, as some (e.g. '.') may be interpreted as Perl expressions. Put spaces either side of short words to prevent it from filtering emails with longer words that contain the shorter word (e.g. 'Middlesex', a county in England, contains the word 'sex', so use ' sex ' instead, without the quotes of course). A sample filter list could be (note the spaces either side of the first entry, and don't leave any lines blank!):

 sex 
\@clinton\.com
\.vbs
nakedwife

The first example should be clear. The second is odd because Perl uses the @ and . characters for other purposes, so you have to add the backslash before them. The same for .vbs, which should filter out any Visual Basic Scripts being sent to you. The last should filter out the recent 'nakedwife' worm. Once you get to know Perl, you could do some fancy things with the filter list and various special characters.

Anything that matches is dumped to sys:\filtered.log, with a summary of why in sys:\filtword.log. It's very easy to accidentally filter a valid email, so keep an eye on the filter logs.

Instructions:

  1. Save this code to sys:\perl\scripts
  2. Make sure Perl 5 is present on your server (e.g. as on NetWare 5.0).
  3. Change the 'orac4' bit in this code to your email server's domain name.
  4. Add a secondary IP address, if there's already something on port 25.
  5. Change the IP address in this code from "\x0A\x01\x02\x04" to that IP address - in hexadecimal (mine is 10.1.2.4 in decimal).
  6. Point your BorderManager Mail Proxy to this IP address.
  7. Run this code (perl relay.pl).

Some additional info: the Perl script only filters incoming messages, i.e. those arriving via SMTP from the Mail Proxy; outbound mail does not pass through it.

Point the Mail Proxy at the secondary IP address the Perl script listens on, and point the Perl script at the GroupWise GWIA (or other internal SMTP) mail server.

Here's one way to use this technique to block spam!

It seems that if a mail relay notices mail from a known spammer (see http://www.mail-abuse.org), it adds an extra item to the mail's header:

X-RBL-Warning: (relays.mail-abuse.org)

So, adding:

relays.mail-abuse.org

to the filtlist.txt file will catch those emails and block them. I can't say for sure how accurate this is (although I have had an occasion when the 'Humanclick' service got itself on the mail-abuse list), but this morning when I came in the system had blocked 5 emails for precisely this reason, and all were the usual 'Earn Millions for nothing', etc.

Any hints or suggestions to: richard@vinemicros.com
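The filter mechanism described in the instructions above (a filter list whose lines are used as Perl regular expressions and matched against the raw incoming message, plus the X-RBL-Warning trick from the spam tip) re-implemented in Python as an added example. This is not Mallett's relay.pl and is not code from the page; it is illustration code written for this editorial pass. The filter entries, the three sample messages and the case-insensitive matching are constructed assumptions, and the listening socket and SMTP relay side are left out: the point is to show what the text matching does and does not catch.

```python
import re

# Filter list (constructed here; mirrors the sample filtlist.txt above).
# Each line is used as a regular expression, which is why '@' and '.' are
# escaped in the second and third entries, exactly as the instructions say.
FILTLIST = [
    " sex ",                  # the spaces stop 'Middlesex' from matching
    r"\@clinton\.com",
    r"\.vbs",                 # matches the attachment file name in the MIME headers
    "nakedwife",
    "relays.mail-abuse.org",  # the X-RBL-Warning header value from the spam tip
]


def compile_filters(lines):
    """Compile each non-blank filter line as a regex.

    Case-insensitive matching is an assumption made for this example;
    the page does not say whether relay.pl matches case-sensitively.
    """
    return [(line, re.compile(line, re.IGNORECASE)) for line in lines if line.strip()]


def scan_message(raw_message, filters):
    """Return the filter lines that match anywhere in the raw SMTP DATA
    text (headers and body alike), in filter-list order."""
    return [line for line, rx in filters if rx.search(raw_message)]


def relay_decision(raw_message, filters):
    """'deliver' when nothing matches (the relay would forward the message
    to the internal SMTP server); otherwise 'filtered' plus the matching
    lines, which is the kind of summary that would go to filtword.log."""
    hits = scan_message(raw_message, filters)
    return ("filtered", hits) if hits else ("deliver", [])


# Three constructed sample messages (not real captures).
SPAM_RBL = (
    "Received: from mail.example.net by relay.example.org\r\n"
    "X-RBL-Warning: (relays.mail-abuse.org)\r\n"
    "From: offers@example.net\r\n"
    "Subject: Earn Millions for nothing\r\n"
    "\r\n"
    "Act now!\r\n"
)

LEGIT_MIDDLESEX = (
    "From: alice@example.co.uk\r\n"
    "Subject: Meeting in Middlesex\r\n"
    "\r\n"
    "See you at the Middlesex office on Friday.\r\n"
)

VBS_ATTACHMENT = (
    "From: bob@example.com\r\n"
    "Subject: Your invoice\r\n"
    'Content-Type: multipart/mixed; boundary="XYZ"\r\n'
    "\r\n"
    "--XYZ\r\n"
    'Content-Type: application/octet-stream; name="invoice.vbs"\r\n'
    'Content-Disposition: attachment; filename="invoice.vbs"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "V1NjcmlwdC5FY2hvICJoaSI=\r\n"   # encoded body: invisible to a raw-text match
    "--XYZ--\r\n"
)


if __name__ == "__main__":
    filters = compile_filters(FILTLIST)
    for name, msg in (("RBL-tagged spam", SPAM_RBL),
                      ("Middlesex mail", LEGIT_MIDDLESEX),
                      ("vbs attachment", VBS_ATTACHMENT)):
        print(f"{name:16s} -> {relay_decision(msg, filters)}")
    # A bare 'sex' entry (no padding spaces) would also have stopped the
    # Middlesex message: the false positive the instructions warn about.
    print("bare 'sex' hits:", scan_message(LEGIT_MIDDLESEX, compile_filters(["sex"])))
```

Run as-is: the Middlesex message is delivered, while the RBL-tagged spam and the message carrying invoice.vbs are filtered, and the final line shows that an unpadded 'sex' entry would have stopped the Middlesex message too. Two caveats the mechanism implies: the match runs over the whole raw message, so any mail whose body happens to quote the string relays.mail-abuse.org (a forwarded spam report, say) is filtered as well, which is why the logs deserve a regular look; and because attachment bodies arrive base64-encoded, a '.vbs' entry catches the file name in the MIME headers, not the script contents.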
