Published on ONLamp.com (http://www.onlamp.com/)


Client-Side Mail Filtering with SaveMyModem

by KIVILCIM Hindistan
11/26/2003

Are you frustrated by unsolicited commercial emails (spam)? Do you receive mail faster than you can delete it? Perhaps the latest and greatest superworm has hit you hard, sending tens of the latest "Microsoft Windows patches", even though you are running a lean, mean Linux box.

While filters can help, you might spend a few hours searching for a solution only to find that most filters either need to run on the server or need to download the mails to work. If you're stuck with a narrow-band modem, this can really hurt. Is your only option to use a web-based email client to delete mails on the server?

That's not your only choice anymore. Enrico Tassi has developed a wonderful client-side mail filter with the well-earned name SaveMyModem. Here are some of the features of SMM:

Installing SMM

To install SMM, you should download it first. SaveMyModem binaries are available from the SMM SourceForge page.

Windows installation is very easy. Just click on the exe, and the installer will do the rest for you. For Red Hat installation, download the .rpm file and install it with:

% rpm -i smm-1.0rc1-1.i386.rpm

You can use apt-get or dpkg to install SMM on Debian. If you download the .deb file:

% dpkg -i smm_1.0rc1-1_i386.deb

Otherwise, add the following lines to /etc/apt/sources.list:

deb     http://tassi.web.cs.unibo.it/debian/smm ./
deb-src http://tassi.web.cs.unibo.it/debian/smm ./

Then issue the following commands:

% apt-get update
% apt-get install smm

If you are not using Debian or Red Hat, download and compile the source code, as usual.

With SMM installed, it's time to configure it.

Configuring SMM

After starting SMM, enter the Settings menu and configure a POP3 account. This window is very easy to configure, giving you three options for POP3 authentication: CLEAN, APOP (encrypted), and FALLBACK. Try APOP first, then CLEAN.

Several other settings are available. For example, you can decide how many lines of mail SMM should download for inspection or set the default bounce policy or the plug-ins directory. You have the option of bouncing emails, which will simulate the state in which your address is unavailable or your mailbox is full.

I personally do not advise using this option, for two reasons. First, spammers lie and forge return addresses, so the recipient of your bounce mail will be bogus (or worse, belong to an innocent person), so this is wasted effort and bandwidth. Second, if the recipient really is the spammer, then they will know that yours is a live address, and even one with a responding user, which makes the address more valuable. If you really do want to use the bounce method, you should also set the SMTP server.

You can find the most important settings under the Plug-ins menu. Let's look at them one by one.

Now that you have configured SMM, it's time to see what it does. Click on the Connect button. While SMM connects to the POP3 server and browses your mail, you can watch what it does from the logs.

After browsing the available mail, SMM will show the Subject, From, To, and Date fields. At the beginning of the row are two circles, which look and operate like traffic lights. If a message looks like spam, according to your configuration and plug-ins, one of the lights will show red. Otherwise, they will show green. You can click on the lights to change the classification, whether to prevent an email from a colleague from being deleted or to mark a clever email that passes your filters as spam. From the window below, you can also check the content of the downloaded portion of the mail (the header and content).

When you are finished, click on Disconnect and all the red-lighted emails will be wiped from your mailbox.

This is the most basic usage of SMM. You can use it this way without bothering with any configuration, just examining your mail at the mailbox. If you want more automated spam control, it's yours for the configuring.

Detailed Configuration

Let's see what we can do against a real-world problem. Suppose that Swen, one of today's most popular worms, is abusing us. For the lucky ones who've not yet received several copies, Swen is a mass-mailing worm that urges you to install the latest Windows update, kindly included in the 145-165K email. The real problem with Swen is this attachment. For over eight weeks I received 50 to 100 150K mails, blocking my mailbox.

Let's look at the headers of these messages to find some similarities:

-----------------------------------------------------------------------
FROM: "MS Corporation Public Bulletin" <ztysfvgbczutm-juabgxjx@newsletters.net>
TO: "Customer" <customer-srcloosdc@newsletters.net>
SUBJECT: Microsoft Security Upgrade
Date: Sun, 19 Oct 2003 13:43:20 -0400  (EDT)

Microsoft Customer

This is the latest version of security update, the
"October 2003, Cumulative Patch" update which fixes
all known security vulnerabilities affecting

----------------------------------------------------------------
FROM: "Technical Bulletin" <MAILER-DAEMON@selene.host4u.net>
TO: "MS Consumer" <consumer-sarnrqnv@newsletters.net>
SUBJECT: Current Security Pack
Date: Tue, 21 Oct 2003 17:05:11 -0600

Microsoft Consumer

This is the latest version of security update, the
"October 2003, Cumulative Patch" update which eliminates
all known security vulnerabilities affecting

----------------------------------------------------------------

As we can clearly see, even though the From: and To: fields are different, the bodies of the mails look alike. They both contain the phrase "Cumulative Patch." If we do a basic search on Google for the words "Cumulative Patch virus", we easily learn that this is the Swen worm, posing as a legitimate Microsoft patch. (Swen removal is possible.)

Now it's time to configure the Inspector plug-in under the Plug-ins menu. Click Configure to see the plug-in's configuration file. This file is very easy to understand. It basically consists of words and logical operands. This is where you can define and save any rules.

The first thing to do is to define a new NAMELIST with the phrase "Cumulative Patch" in it. This rule declares that the phrase occurs in the bodies of messages that can be considered worms.

NAMELIST [wormbody]=[Cumulative Patch];

Then, add a rule to the DENY [worms] line with an "or" statement to filter out messages with wormy bodies:

DENY [worms]=((SIZE   is_in [wormsize])    and
             (SUBJECT is_in [wormtitles])) or
             (BODY    is_in [wormbody]);

As you can guess, when inspecting an email, Inspector will search for the usual worm sizes and subjects and then it will look for our rule which searches for "Cumulative Patch" in the mail body.

This will be enough for filtering out emails caused by the Swen worm. But suppose that one of your friends has sent an email with the phrase "Cumulative Patch" in it. SMM will filter out that mail too. Fortunately SMM gives us more than enough operands to refine the filter.

It's easy to add a directive that says that Swen's messages are always between 140 and 160k, because of the attachment. This rule is:

SIZE [sven]=140K to 160K;

The DENY rule must take this into account, so it becomes:

DENY [worms]=((SIZE   is_in [wormsize]) and (SUBJECT is_in [wormtitles])) or 
             ((BODY   is_in [wormbody]) and (SIZE    is_in [sven]));

Now, emails which are between 140-160K in size and that contain the phrase "Cumulative Patch" in their bodies will be filtered out.
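The two versions of the DENY rule above, together with the Connect/Disconnect flow described earlier, as an added example that is not SaveMyModem's own code: a small Python model of how Inspector-style rules evaluate against what a POP3 client learns without downloading whole messages (the size reported by LIST and the header plus first body lines returned by TOP). It shows the colleague's mail being flagged by the first rule and passing the refined one. The message samples are constructed; the contents of [wormsize] and [wormtitles] are placeholders, since the page does not list SMM's shipped values; the case-insensitive substring meaning of is_in and the "1K = 1024 octets" convention are assumptions.

```python
"""
Added example (not SMM's code): evaluate Inspector-style DENY rules over
constructed POP3 LIST/TOP results and list the message numbers that would
show a red light and be deleted on Disconnect.
"""
import email
from dataclasses import dataclass
from typing import Callable, List, Tuple

K = 1024  # assumption: "140K" in the rule file means 140 * 1024 octets

# NAMELIST [wormtitles] -- placeholder values, taken from the two sample headers
WORMTITLES = ["Microsoft Security Upgrade", "Current Security Pack"]
# NAMELIST [wormbody]=[Cumulative Patch];
WORMBODY = ["Cumulative Patch"]
# SIZE [wormsize] -- placeholder range; SIZE [sven]=140K to 160K; is from the article
WORMSIZE = (100 * K, 200 * K)
SVEN = (140 * K, 160 * K)


@dataclass
class Message:
    num: int        # POP3 message number, as returned by LIST
    size: int       # octets, as returned by LIST (no download needed)
    subject: str    # from the header lines fetched with TOP
    body: str       # only the first body lines fetched with TOP


def parse_top(num: int, size: int, raw: str) -> Message:
    """Turn the partial text returned by "TOP num lines" into a Message."""
    msg = email.message_from_string(raw)
    payload = msg.get_payload()
    return Message(num=num, size=size, subject=msg.get("Subject", ""),
                   body=payload if isinstance(payload, str) else "")


def is_in_range(size: int, rng: Tuple[int, int]) -> bool:
    """SIZE is_in [range]: inclusive bounds (assumption)."""
    lo, hi = rng
    return lo <= size <= hi


def is_in_list(text: str, namelist: List[str]) -> bool:
    """SUBJECT/BODY is_in [namelist]: case-insensitive substring match (assumption)."""
    t = text.lower()
    return any(phrase.lower() in t for phrase in namelist)


def deny_worms_v1(m: Message) -> bool:
    """DENY [worms]=((SIZE is_in [wormsize]) and (SUBJECT is_in [wormtitles]))
                    or (BODY is_in [wormbody]);"""
    return ((is_in_range(m.size, WORMSIZE) and is_in_list(m.subject, WORMTITLES))
            or is_in_list(m.body, WORMBODY))


def deny_worms_v2(m: Message) -> bool:
    """Refined rule: the body clause also requires (SIZE is_in [sven])."""
    return ((is_in_range(m.size, WORMSIZE) and is_in_list(m.subject, WORMTITLES))
            or (is_in_list(m.body, WORMBODY) and is_in_range(m.size, SVEN)))


def to_delete(messages: List[Message], rule: Callable[[Message], bool]) -> List[int]:
    """Message numbers the rule marks red; these get DELEted on Disconnect."""
    return [m.num for m in messages if rule(m)]


# Constructed "TOP n 3" replies for three messages sitting in a mailbox.
SWEN_TOP = """\
FROM: "MS Corporation Public Bulletin" <ztysfvgbczutm-juabgxjx@newsletters.net>
TO: "Customer" <customer-srcloosdc@newsletters.net>
SUBJECT: Microsoft Security Upgrade
Date: Sun, 19 Oct 2003 13:43:20 -0400 (EDT)

Microsoft Customer

This is the latest version of security update, the
"October 2003, Cumulative Patch" update which fixes
"""

FRIEND_TOP = """\
From: "A Colleague" <colleague@example.org>
To: <me@example.org>
Subject: Re: that patch mail
Date: Wed, 22 Oct 2003 09:12:00 +0200

Did you also get the "Cumulative Patch" worm mail? I deleted mine.
"""

DIGEST_TOP = """\
From: "Weekly Digest" <digest@example.org>
Subject: Weekly digest, issue 42
Date: Thu, 23 Oct 2003 06:00:00 +0000

This week's links follow.
"""

MAILBOX = [
    parse_top(1, 152 * K, SWEN_TOP),    # the worm: big, known subject, known body
    parse_top(2, 1500, FRIEND_TOP),     # colleague quoting the phrase: tiny
    parse_top(3, 150 * K, DIGEST_TOP),  # large but harmless newsletter
]

if __name__ == "__main__":
    print("first rule deletes:  ", to_delete(MAILBOX, deny_worms_v1))  # [1, 2]
    print("refined rule deletes:", to_delete(MAILBOX, deny_worms_v2))  # [1]
```

The point the article makes is visible in the two results: the body phrase alone also catches the colleague's 1.5K reply, while requiring the size to fall in [sven] keeps only the 152K worm copy. Note that the size comes from LIST and the subject and phrase from a few TOP lines, so the classification costs a few hundred bytes per message rather than the 150K download.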

Further Configuration Ideas

If you want to configure SMM to be more effective not only against worm attacks and basic spam, but against every kind of unwanted mail, you should inspect SpamAssassin and configure it, though that is beyond the scope of this article.

SMM has a very nice GTK-based client, which eases things, but if you prefer the Unix admin way, it also supplies a batch mode. After configuring SMM to your needs you can run it in batch mode, like this:

$ smm -b

It will check your mailbox with your settings and wipe unwanted mails. This may look very nice in a crontab, especially with constantly-repeated worm threats.

Conclusion

SaveMyModem is a very nice solution for those who lack server-side protection or the bandwidth to download all their mail and filter it out at the client. In the most basic usage you can use it to browse emails on the server. As a bonus, this is a dual-platform solution, running natively on both Linux and Windows.

KIVILCIM Hindistan works as a full time computer security consultant with a CISSP, using Linux and Free Software as weapons of choice.



Copyright © 2009 O'Reilly Media, Inc.