News

March 10 2006

Update of cvgfilter.c code received from w.wijker@cvg.nl. It contains a non-trivial patch for the inclusion of the disclaimer. Outlook's way of generating message boundaries has changed: recent versions generate multiple nested boundaries (more Notes-like). The boundary inclusion can now have a side effect at the receiving side of the process. Depending on patch levels, attachments included in the mail may or may not be received as ATTxxxxx.txt files in the receiving Outlook client. I (Wouter) recently ran into this phenomenon. This version contains a correction for this change.

September 15 2005

Update of cvgfilter.c code received from w.wijker@cvg.nl. Thanks!

February 6 2004

Update of vbsfilter.c to detect filenames encoded in quoted-printable format.

June 26 2003

Update of vbsfilter.c to drop extension "zi", reportedly now being used by a version of the Sobig virus.

January 15 2003

Add #include <sys/ioctl.h> if your system complains that TIOCNOTTY is undefined. Or download the current vbsfilter.c.

January 14 2003

Update of vbsfilter.c to correctly deal with munged headers of emails sent by the W32.Sobig virus.

June 12 2002

Ross Bergman noted that some malformed endings, for example "foo.exe.", would get past the filter. He also noted that an attachment can have a CLSID as a file extension, again hidden by Windows, and that Windows will use the CLSID to determine how to open the attachment.

January 30 2002

Update vbsfilter to detect uuencoded attachments. Thanks to Matthew Wong for noting that the "MyParty" virus spreads itself in this way.

August 6 2001

Update vbsfilter to fix problems caused by empty "MAIL FROM:" lines, and for the possibility that a null body is passed. Update also the list of extensions considered "dangerous". Thanks to Sergiy Zhuk and David F. Russell.

July 25 2001

Vbsfilter updated to recognise and remove attachments with non-quoted filenames, which appear to be sent by the SirCam virus. Problem noted and fixed by Andrea Adams. Thanks!

July 20 2001

Update of vbsfilter.c; support added to deal with arbitrary (3-character) extensions.

June 6 2001

Update of cvgfilter.c code received from wijkerw@multiweb.nl. Thanks!

July 26 2000

Contributed code received from wijkerw@multiweb.nl which adds a standard disclaimer to the footer of each outgoing message, in addition to the regular VBS/SHS filtering.

July 21 2000

Update for sendmail 8.11. Please note that the milter protocol version has been incremented between 8.10 and 8.11, due to API changes. Unfortunately this means that a V1 MTA will not talk to a V2 filter, and vice versa. V2 adds a capability negotiator, so future feature additions will not require protocol changes.

June 20 2000

Also filter for Shell Scrap attachments (.shs).

May 24 2000

New version released, to deal with the case where Outlook sends a VB script as a non-MIME inline message. Libmilter's API doesn't let us modify the "Content-Type:" headers, so we must simply reject the mail.

Please note that you will need to be running at least sendmail-8.10.1 for this version of vbsfilter.


Download


Mail filtering with libmilter

Around the start of May this year, comp.mail.sendmail was inundated with people wanting to know how to stop the "ILOVEYOU" email worm. Here is my solution:

Sendmail 8.10 introduced a new feature called the milter library, which provides filtering callbacks to a user-level program, which in turn can provide a "Yes"/"No"/"I haven't seen enough yet" answer to the question: Can sendmail allow this mail to be delivered?

This feature is still marked as being for future release, therefore sendmail must be recompiled with special options before the milter library is available to use.


Compiling sendmail

Create (or append the following lines to) .../sendmail-8.10.*/devtools/Site/site.config.m4:

APPENDDEF(`conf_sendmail_ENVDEF', `-D_FFR_MILTER=1')
APPENDDEF(`conf_libmilter_ENVDEF', `-D_FFR_MILTER=1')

Recompile sendmail and libmilter; to be sure, remove your existing .../sendmail-8.10.*/obj.* directory and rebuild everything from scratch. Also run make inside the .../sendmail-8.10.*/libmilter directory.

Updating your sendmail.cf

The milter filter uses a network socket to listen for data from sendmail. This can be either a UNIX domain socket, or an inet socket (v4 or v6). Using an internet socket on a remote machine can be useful if the local machine doesn't support pthreads.

For those of you who build your .cf from a .mc file with m4, you must add define(`_FFR_MILTER', `1')dnl to the .mc file. Then the mail filter can be defined as one of the following:

INPUT_MAIL_FILTER(`filter1', `S=unix:/var/run/f1.sock, F=R')
INPUT_MAIL_FILTER(`filter2', `S=inet6:999@localhost, F=T, T=S:1s;R:1s;E:5m')
INPUT_MAIL_FILTER(`filter3', `S=inet:3333@localhost')

The first attaches to a Unix-domain socket in the /var/run directory; the second uses an IPv6 socket on port 999 of localhost, and the third uses an IPv4 socket on port 3333 of localhost. The current flags (F=) are:

R    Reject connection if filter unavailable
T    Temporary fail connection if filter unavailable

If F is unspecified and the filter is unavailable, then sendmail behaves as if no filter is defined.

Finally, you can override the default timeouts used by sendmail when talking to the filters using the T= equate. There are three fields inside of the T= equate:

Letter    Meaning
S         Timeout for sending information from the MTA to a filter
R         Timeout for reading reply from the filter
E         Overall timeout between sending end-of-message to filter and waiting for the final acknowledgment


The filters

vbsfilter-1.11.c will rename a variety of executable attachments to .txt, thus rendering them harmless.

The Makefile to generate the binaries is from a Solaris 2.6 system. You will probably have to tweak it for other platforms. Notably, Linux libc5 machines will not be able to run the filters at all - thread support was first introduced in libc6 (glibc2).

You must also tell the filter how to rendezvous with sendmail. The -p flag should contain the same contents as that supplied to the S= flag in your .mc file, i.e. vbsfilter -p unix:/var/run/f1.sock for the filter1 example above.
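The attachment-name checks described in the news entries above (trailing-dot names such as "foo.exe.", CLSID extensions, and unquoted filename= values) and the renaming that vbsfilter performs can be illustrated as follows. This is an added example written for this page, not code from vbsfilter.c; the extension list, the ".txt" suffix convention and the function names are assumptions, and RFC 2047 encoded-word filenames are not decoded here.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Sample list of extensions Windows will execute (assumed; not vbsfilter's own table). */
static const char *dangerous[] = { "vbs", "shs", "exe", "scr", "pif", "zi", NULL };

/* Case-insensitive search for "name=" so both name= and filename= match. */
static const char *find_name(const char *hdr) {
    for (const char *p = hdr; *p; p++)
        if (strncasecmp(p, "name=", 5) == 0) return p + 5;
    return NULL;
}

/* Copy the filename value, quoted or bare, into out and strip trailing dots
 * (Windows opens "foo.exe." as foo.exe). Returns 1 if a name was found. */
int extract_filename(const char *hdr, char *out, size_t outlen) {
    const char *p = find_name(hdr);
    size_t n = 0;
    if (!p) return 0;
    if (*p == '"') {                          /* quoted form: filename="x.exe" */
        for (p++; *p && *p != '"' && n + 1 < outlen; p++) out[n++] = *p;
    } else {                                  /* bare form: filename=x.exe */
        for (; *p && *p != ';' && !isspace((unsigned char)*p) && n + 1 < outlen; p++) out[n++] = *p;
    }
    while (n > 0 && out[n - 1] == '.') n--;
    out[n] = '\0';
    return n > 0;
}

/* 1 if the extension is on the list or is a CLSID ({...}), which Windows
 * hides and uses to choose the handler. */
int is_dangerous(const char *fname) {
    const char *ext = strrchr(fname, '.');
    if (!ext || !ext[1]) return 0;
    ext++;
    if (ext[0] == '{' && ext[strlen(ext) - 1] == '}') return 1;
    for (int i = 0; dangerous[i]; i++)
        if (strcasecmp(ext, dangerous[i]) == 0) return 1;
    return 0;
}

/* Build the neutralised name (original name with .txt appended, an assumed
 * convention). Returns 1 if the attachment should be renamed, 0 if left alone. */
int safe_filename(const char *hdr, char *out, size_t outlen) {
    char name[256];
    if (!extract_filename(hdr, name, sizeof name) || !is_dangerous(name)) return 0;
    snprintf(out, outlen, "%s.txt", name);
    return 1;
}
```

The header lines passed in are constructed samples; in a real milter the header value would arrive through the header callback and the rewritten name would be pushed back with the libmilter header-change call.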