Re: My initiative to detect worms that send spam

From: David Harel (hareldvd_at_nonexisting.hamakor.org.il)
Date: Thu 10 Jun 2004 - 11:30:02 IDT


Hi,

Kovriga, Gregory wrote:

>Hi,
>couldn't you get the same logging capabilities by closing outgoing SMTP
>connections (using iptables) for users other than "smtp" and relaying
>all applications through the local smtp daemon?
>
>
Thank you very much for your comment.
I don't understand your suggestion though.
My solution is a little more than a logging operation. Its intention is to
give the user enough information - live - so the user can find a worm
process when it is in action and thereafter try to get rid of it. As I
see it, the user must be involved in the process. I don't understand,
then, how the centralized local smtp daemon would figure out if the smtp
operation is legitimate, due to the user's request, or illegal, due to
worm activity.

>Thanks,
>Gregory.
>
>-----Original Message-----
>From: linux-il-bounce_at_cs.huji.ac.il
>[mailto:linux-il-bounce_at_cs.huji.ac.il] On Behalf Of Tzahi Fadida
>Sent: Thursday, June 10, 2004 3:18 AM
>To: 'David Harel'; 'Linux-IL mailing list'
>Subject: RE: My initiative to detect worms that send spam
>
>I think it's a nice idea.
>Might I suggest a similar solution that seems to me more airtight.
>If you already have access to the smtp machine you might consider
>filtering all newly arriving mails to a temporary folder, and your warning
>email that you send to the client will include a confirmation hypertext
>link where the user needs to click on it to confirm to the smtp machine
>that a human is behind this mail.
>
>Regards,
> tzahi.
>
>
>
>>-----Original Message-----
>>From: linux-il-bounce_at_cs.huji.ac.il
>>[mailto:linux-il-bounce_at_cs.huji.ac.il] On Behalf Of David Harel
>>Sent: Wednesday, June 09, 2004 11:55 PM
>>To: Linux-IL mailing list
>>Subject: My initiative to detect worms that send spam
>>
>>Hi,
>>
>>Some time ago I asked this group about an idea of mine to track smtp
>>activity.
>>The reason I want to do so is that a while ago I was suspected of
>>sending spam messages. Knowing that I would never do such a thing I
>>assumed I got infected with some kind of a worm. (I understand that
>>there are some worms that work on Linux).
>>While thinking it over, I remembered a friend of mine who works in
>>Cyprus. He told me about a service the credit card companies have. When
>>your credit is charged you get an SMS on your cell phone. So now I send
>>a message to the user every time an outgoing smtp connection is made.
>>The user should know if the warning he got is due to his initiation of
>>sending an e-mail or else...
>>
>>So finally I implemented it, calling it warnsmtpd. That is, it runs as a
>>daemon. It is now running on my machine - basically a RH 9 machine. It
>>is using information from the /proc directory. More specifically, I detect
>>smtp communication from /proc/net/tcp (should I look into UDP also?) on
>>remote_port 0019 (25) and correlate the inum to the fd link file in
>>/proc/XXXX/fd/... (one of them is a symlink to "socket:[INUM]"). With
>>that I print a warning like:
>>
>>The program /usr/local/mozilla/mozilla-bin pid 15914
>> sends SMTP message using tcp Protocol to
>> Remote_Address 212.117.129.230
>>
>>The program detects if you got X11 running (again looking for processes
>>in /proc but this time looking for the file cmdline). In that case it
>>will use xmessage to send you the warning. Otherwise it sends the
>>message to /dev/console.
>>
>>If this solution is worthwhile, I want your help to make it a
>>GPL package. Even though I call this program version 0.1.0, I
>>consider it merely the first draft.
>>I want to get your comments about everything including necessity,
>>style, portability.
>>
>>You can get this program from:
>>ftp://hareldvd@www.ergolight-sw.com/WarnSMTP-0.1.0.tar.gz
>>Unfortunately, you will need a password: warnsmtp
>>
>>The file you need to compile is in /usr/src/WarnSMTP-0.1.0. I did not
>>put in a Makefile because simple compilation is all it currently
>>needs (no ./configure, no portability). After compilation, put
>>warnsmtpd in /usr/local/bin if you like. I also added the startup script
>>in /etc/init.d and a launching script in /usr/local/bin which assumes
>>warnsmtpd is in /usr/local/bin.
>>
>>
>>--
>>Thanks.
>>
>>David Harel,
>>
>>==================================
>>
>>Home office +972 4 6921986
>>Fax: +972 4 6921986
>>Cellular: +972 54 4534502
>>Snail Mail: Amuka
>> D.N Merom Hagalil
>> 13802
>> Israel
>>Email: hareldvd_at_ergolight-sw.com
>>
>>
>>
>>=================================================================
>>To unsubscribe, send mail to linux-il-request_at_linux.org.il
>>with the word "unsubscribe" in the message body, e.g., run
>>the command echo unsubscribe | mail linux-il-request_at_linux.org.il
>

-- 
Thanks.
David Harel,
==================================
Home office +972 4 6921986
Fax:        +972 4 6921986
Cellular:   +972 54 4534502
Snail Mail: Amuka
            D.N Merom Hagalil
            13802
            Israel
Email:      hareldvd_at_ergolight-sw.com


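The /proc scan David describes (remote port 0019 in /proc/net/tcp, then the socket:[INUM] symlink under /proc/<pid>/fd) as an added Python example; this is not the warnsmtpd code from the post. The sample /proc/net/tcp row, its uid and inode, and the pids in the test are constructed, and the address decoding assumes a little-endian host.

```python
"""Added example, not the warnsmtpd code from the post: parse /proc/net/tcp
for sockets whose remote port is 25 and map each socket inode back to the
owning process via the socket:[INUM] symlinks in /proc/<pid>/fd."""
import os
import socket
import struct

# Constructed sample in /proc/net/tcp layout: header row plus one ESTABLISHED socket of uid 500 to 212.117.129.230:25
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   1: 0201A8C0:C3A4 E68175D4:0019 01 00000000:00000000 00:00000000 00000000   500        0 98765 1 0000000000000000 20 4 30 10 -1
"""

def decode_endpoint(hex_endpoint):
    """'E68175D4:0019' -> ('212.117.129.230', 25); assumes a little-endian host (kernel prints in_addr as a native int, so bytes are reversed)."""
    addr_hex, port_hex = hex_endpoint.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def find_smtp_sockets(proc_net_tcp_text, port=25):
    """Return (remote_ip, uid, inode) for live sockets whose remote port is `port`."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] not in ("01", "02"):  # only ESTABLISHED / SYN_SENT
            continue
        ip, rport = decode_endpoint(f[2])
        if rport == port:
            found.append((ip, int(f[7]), int(f[9])))  # uid and inode columns
    return found

def iter_fd_links(proc_root="/proc"):
    """Yield (pid, symlink target) for each readable /proc/<pid>/fd entry."""
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                yield int(pid), os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            continue  # process exited, or not ours to inspect (root needed for other users' fds)

def owner_of_inode(inode, fd_links):
    """Return the pid whose fd table holds socket:[inode], or None if nothing matches."""
    target = "socket:[%d]" % inode
    return next((pid for pid, link in fd_links if link == target), None)

if __name__ == "__main__":  # live run on this host, warnsmtpd-style
    links = list(iter_fd_links())
    for ip, uid, inode in find_smtp_sockets(open("/proc/net/tcp").read()):
        print("pid %s (uid %d) sends SMTP using tcp to %s" % (owner_of_inode(inode, links), uid, ip))
```

SMTP is TCP only, so /proc/net/udp adds nothing; IPv6 SMTP sockets would need the same parse over /proc/net/tcp6.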
This archive was generated by hypermail 2.1.7 : Thu 10 Jun 2004 - 11:42:11 IDT