Subject: Re: virus-scanner for NON-sendmail
From: Ryan Permeh (RyanEEYE.COM)
Date: Tue Aug 22 2000 - 16:53:35 CDT


not that it really matters, but procmail is not a full MTA (mail transport
agent), it's an MDA (mail delivery agent). and sendmail works fine with
procmail as an MDA. procmail allows configurable shelling out to specific
processes, so in theory, if your AV software can be run from the command
line, a procmail recipe could be cooked to strip MIME parts, use a command
line mime decoder, AV the decoded mime attachment, if it passes, send the
original on, if it fails, send it to /dev/null or a trashbox that you can
check periodically.

in theory (and i don't have time and i doubt many do), this process could be
inlined into an MDA that could be distributed by the AV vendor/project. this
could operate like a drop in /bin/mail replacement or whatever, with added
AV functionality. remember this, however, your MTA (sendmail,
procmail, qmail, etc) are much more prone to a DoS attack using AV software
on the gateway. if your server receives any real mail volume, a procmail
recipe may be a big drain on resources, and constitutes a weak point where
an attacker could stop mail delivery. You may want to make certain to
choose an MTA that will allow you to queue mime messages for later delivery,
allowing you to virus check them at leisure. Sendmail has the ability to do
this by specifying rulesets and mail delivery agents with differing weights.
you could have it pass mime encoded messages to a lower priority queue. I'm
not a real procmail or qmail fanatic, so i couldn't say if it allows you to
do this or not.
Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com
----- Original Message -----
From: "Faber Fedor" <revf2INTERACTIVE.NET>
To: <FOCUS-LINUXSECURITYFOCUS.COM>
Sent: Tuesday, August 22, 2000 10:40 AM
Subject: virus-scanner for NON-sendmail

> I've been through the archives and everything you guys have mentioned
> wrt av software runs with sendmail. I think I can modify one or two of
> them to work with procmail, but I was wondering if anyone knew of any
> non-sendmail av software before I started hacking.
>
> And no, I can't go back to sendmail; I spent a week fighting with a
> problem only to have it solved in 15 minutes after installing procmail.
> ;-)
>
> --
>
> Regards,
>
> Faber Fedor, RHCE, MCSE, MCT
> LinuxNJ.com - "Linux and Open Source solutions for New Jersey"
>
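
The filter step described in the reply above (decode the MIME parts, scan each one, then deliver or discard), as an added example that is not part of the original thread. The scanner path and its exit-code convention are assumptions; the per-part timeout and part cap address the resource-drain concern the reply raises.

```python
# Added example: stdin filter for a procmail recipe; exit 0 = deliver, 1 = trashbox.
import email, os, subprocess, sys, tempfile
from email.message import EmailMessage

# Assumption: any command-line AV that takes a file path and exits 0 when
# clean, non-zero when infected. The path is a placeholder, not a real product.
SCANNER = ["/usr/local/bin/av-scan"]
SCAN_TIMEOUT = 30   # seconds per part; bounds how long one message can stall delivery
MAX_PARTS = 50      # cap on parts scanned per message, for the same reason

def decoded_parts(raw):
    """Yield each leaf MIME part with its transfer encoding (base64, qp) undone."""
    for part in email.message_from_bytes(raw).walk():
        if not part.is_multipart():
            payload = part.get_payload(decode=True)
            if payload:
                yield payload

def verdict(raw, scanner=SCANNER):
    """Return 'deliver' or 'quarantine'; scanner errors and timeouts fail closed."""
    with tempfile.TemporaryDirectory() as tmp:
        for i, payload in enumerate(decoded_parts(raw)):
            if i >= MAX_PARTS:
                return "quarantine"
            path = os.path.join(tmp, "part%d" % i)  # never the sender-supplied filename
            with open(path, "wb") as fh:
                fh.write(payload)
            try:
                rc = subprocess.run(scanner + [path], timeout=SCAN_TIMEOUT,
                                    capture_output=True).returncode
            except (subprocess.TimeoutExpired, OSError):
                return "quarantine"
            if rc != 0:
                return "quarantine"
    return "deliver"

# Constructed test fixtures: a stub scanner and a sample message builder.
MARKER = b"CONSTRUCTED-TEST-MARKER"
STUB_SCANNER = [sys.executable, "-c",
                "import sys; sys.exit(%r in open(sys.argv[1], 'rb').read())" % MARKER]

def sample_message(attachment):
    m = EmailMessage()
    m.set_content("hello")
    m.add_attachment(attachment, maintype="application", subtype="octet-stream")
    return m.as_bytes()

if __name__ == "__main__":
    sys.exit(0 if verdict(sys.stdin.buffer.read()) == "deliver" else 1)
```

Because the attachment travels base64-encoded, the marker never appears in the raw message, which is why the scanner has to run on the decoded parts rather than on the message as received.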