Client-Side Mail Filtering with SaveMyModem
by KIVILCIM Hindistan
Are you frustrated by unsolicited commercial email (spam)? Do you receive mail faster than you can delete it? Perhaps the latest and greatest superworm has hit you hard, sending you dozens of copies of the "latest Microsoft Windows patch", even though you are running a lean, mean Linux box.
While filters can help, you might spend a few hours searching for a solution only to find that most filters either need to run on the server or need to download the mail before they can work. If you're stuck with a narrow-band modem, this can really hurt. Is your only option to use a web-based email client to delete mail on the server?
That's not your only choice anymore. Enrico Tassi has developed a wonderful client-side mail filter with the well-earned name SaveMyModem. Here are some of the features of SMM:
- It's portable, running natively on Linux and Windows.
- It supports complex rules with logic operators (and, or, ...).
- It allows extended regular expressions.
- Rules can examine the message size to filter out large executable files.
- It allows a black list check for spammers.
- It provides an interactive mode to test and improve your rules.
- It supports a batch mode (if you trust your rules).
- It keeps a UIDL database, so that messages left on the server with POP3's "Keep messages on server" feature are not examined again on every run.
- It supports APOP (challenge-response POP3 authentication: the password itself is not sent in the clear, although the session is still not encrypted).
- It has a plug-in architecture, making it easy to add other mail filters and mail protocols.
- It has highly configurable bandwidth usage, so you can choose how many lines or bytes you want to download and check on each message.
- It has optional bounce messages, to simulate that your mailbox is unavailable.
- It provides multithreaded downloads to minimize the effects of slow DNS and POP3 servers.
- It allows SpamAssassin-based checks, mixing the power of SpamAssassin with SMM's lightweight bandwidth usage.
Windows installation is very easy. Just click on the exe, and the installer will do the rest for you. For Red Hat installation, download the .rpm file and install it (as root) with:
% rpm -i smm-1.0rc1-1.i386.rpm
You can use dpkg to install SMM on Debian. If you download the .deb file, install it with:
% dpkg -i smm_1.0rc1-1_i386.deb
Otherwise, add the following lines to your apt sources list:
deb http://tassi.web.cs.unibo.it/debian/smm ./
deb-src http://tassi.web.cs.unibo.it/debian/smm ./
Then issue the following commands:
% apt-get update
% apt-get install smm
If you are not using Debian or Red Hat, download and compile the source code, as usual.
With SMM installed, it's time to configure it.
After starting SMM, open the Settings menu and configure a POP3 account. The account window is simple, offering three POP3 authentication modes: CLEAN, APOP, and FALLBACK. APOP is a challenge-response scheme (RFC 1939): the client sends an MD5 hash of the server's greeting timestamp and your password, so the password never crosses the wire; CLEAN sends it in cleartext. Try APOP first, and use CLEAN only if your server does not support APOP. Note that neither mode encrypts the mail itself in transit.
Several other settings are available. For example, you can decide how many lines of mail SMM should download for inspection or set the default bounce policy or the plug-ins directory. You have the option of bouncing emails, which will simulate the state in which your address is unavailable or your mailbox is full.
I personally advise against this option, for two reasons. First, spammers forge sender addresses, so the recipient of your bounce will be bogus or, worse, an innocent third party (mail administrators call this backscatter), and the effort and bandwidth are wasted. Second, if the return address really does reach the spammer, the bounce confirms that yours is a live address with a responding user behind it, which makes the address more valuable. If you really do want to use the bounce method, you should also set the SMTP server through which SMM sends the bounces.
You can find the most important settings under the Plug-ins menu. Let's look at them one by one.
RblCheck. The first plug-in is blacklist-based. Many real-time blackhole lists (RBLs) of known spam sources are maintained on the Internet; this plug-in checks the sending host against some of them to decide whether a message came from a listed spammer. You can configure which lists to use and add your own choices.
YahooPops. This plug-in uses the YahooPops POP3 wrapper for the web-based mail service, giving you the ability to check your Yahoo! Mail with SMM.
Inspector. This is the most useful of the plug-ins. We will configure it in detail later.
SpamAssassin. SpamAssassin is one of the best spam filters and can wipe spam from your mailbox almost entirely. But, as noted above, SMM downloads only part of each email from the POP3 server, so SA's verdict on a partial message will not be as accurate as when it can inspect the whole email.
Unfortunately, the SpamAssassin plug-in is not available with the Win32 port because there is no effective port of SpamAssassin to Win32. Enrico Tassi has built his own port that will, most likely, be included in the 1.0rc2 version.
Now that you have configured SMM, it's time to see what it does. Click on the Connect button. While SMM connects to the POP3 server and browses your mail, you can watch what it does from the logs.
After browsing the available mail, SMM will show the Subject, From, To, and Date fields. At the beginning of the row are two circles, which look and operate like traffic lights. If a message looks like spam, according to your configuration and plug-ins, one of the lights will show red. Otherwise, they will show green. You can click on the lights to change the classification, whether to prevent an email from a colleague from being deleted or to mark a clever email that passes your filters as spam. From the window below, you can also check the content of the downloaded portion of the mail (the header and content).
When you are finished, click on Disconnect and all the red-lighted emails will be wiped from your mailbox.
This is the most basic usage of SMM. You can use it this way without bothering with any configuration, just examining your mail at the mailbox. If you want more automated spam control, it's yours for the configuring.
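To make the mechanics concrete, here is an added example written for this page (it is not SMM's code, nor anything from its author) of the same bandwidth-light approach in Python: the client authenticates with APOP where the server offers it and falls back to cleartext USER/PASS otherwise (taken here to be what SMM's FALLBACK setting does; that reading is an assumption), asks the server only for sizes (LIST), identifiers (UIDL) and a four-line peek (TOP) of each message, deletes what a rule flags (DELE), and lets QUIT commit the deletions, just as SMM's Disconnect does. The tiny POP3 server, its mailbox, the credentials and the "looks like Swen" rule are all constructed for the example so that it runs offline.

```python
"""Bandwidth-light POP3 filtering in the style of SaveMyModem: an added example, not
SMM's code.  Only LIST, UIDL, TOP and DELE touch the mailbox, so a 145K worm is judged
from a four-line peek.  The fake POP3 server, mailbox and credentials are constructed."""
import hashlib, poplib, socketserver, threading

USER, SECRET = "alice", "s3cret"                   # constructed credentials

# Constructed mailbox of (UIDL, raw message); #2 mimics the article's Swen sample,
# its body padded with a stand-in for the ~145K attachment.
WORM = ('This is the latest version of security update, the "October 2003, '
        'Cumulative Patch" update\r\n' + "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAA\r\n" * 3800)
MAILBOX = [
    ("uid-0001", "From: bob@example.org\r\nSubject: lunch?\r\n\r\nNoon?\r\n"),
    ("uid-0002", 'From: "MS Corporation Public Bulletin" <email@example.com>\r\n'
                 "Subject: Microsoft Security Upgrade\r\n\r\n" + WORM),
    ("uid-0003", "From: carol@example.net\r\nSubject: re: Cumulative Patch\r\n\r\n"
                 "Did you get that fake patch too?\r\n"),
]

class FakePop3(socketserver.StreamRequestHandler):   # just enough RFC 1939; DELE commits at QUIT
    def send(self, line):
        self.wfile.write(line.encode() + b"\r\n")

    def handle(self):
        stamp, box, pending = "<1066.1@fake.example>", self.server.mailbox, set()
        self.send(f"+OK POP3 ready {stamp}")              # the stamp is what APOP hashes
        while True:
            words = self.rfile.readline().decode().split()
            if not words:                                   # client vanished: nothing deleted
                return
            cmd, *args = words
            if cmd == "APOP":                               # proof of SECRET = MD5(stamp+SECRET)
                want = hashlib.md5((stamp + SECRET).encode()).hexdigest()
                self.send("+OK" if self.server.apop and args == [USER, want] else "-ERR")
            elif cmd in ("USER", "PASS"):                   # the cleartext alternative
                self.send("+OK" if cmd == "USER" or args == [SECRET] else "-ERR")
            elif cmd in ("LIST", "UIDL"):
                self.send("+OK")
                for i, (uid, raw) in enumerate(box, 1):
                    self.send(f"{i} {len(raw) if cmd == 'LIST' else uid}")
                self.send(".")
            elif cmd == "TOP":                              # headers, blank line, N body lines
                head, _, body = box[int(args[0]) - 1][1].partition("\r\n\r\n")
                self.send("+OK")
                for l in head.split("\r\n") + [""] + body.split("\r\n")[:int(args[1])]:
                    self.send("." + l if l.startswith(".") else l)   # dot-stuffing
                self.send(".")
            elif cmd == "DELE":
                pending.add(int(args[0]))
                self.send("+OK")
            elif cmd == "QUIT":                             # UPDATE state: commit the DELEs
                self.server.deleted.update(box[i - 1][0] for i in pending)
                box[:] = [m for i, m in enumerate(box, 1) if i not in pending]
                self.send("+OK bye")
                return
            else:
                self.send("-ERR unsupported")

def filter_mailbox(host, port, is_unwanted, seen_uidls, peek_lines=4):
    """Delete every not-yet-seen message that is_unwanted(size, peek) flags; return their
    UIDLs.  APOP first (the secret never crosses the wire); cleartext USER/PASS only if
    the server refuses it, which is assumed to be what SMM's FALLBACK setting means."""
    pop = poplib.POP3(host, port, timeout=5)
    try:
        try:
            pop.apop(USER, SECRET)
        except poplib.error_proto:
            pop.user(USER)
            pop.pass_(SECRET)
        sizes = {int(n): int(s) for n, s in (e.split() for e in pop.list()[1])}
        uidls = {int(n): u.decode() for n, u in (e.split() for e in pop.uidl()[1])}
        deleted = []
        for num in sorted(sizes):
            if uidls[num] in seen_uidls:                    # judged on an earlier run
                continue
            peek = b"\r\n".join(pop.top(num, peek_lines)[1]).decode(errors="replace")
            if is_unwanted(sizes[num], peek):
                pop.dele(num)
                deleted.append(uidls[num])
            seen_uidls.add(uidls[num])
        return deleted
    finally:
        pop.quit()                                          # commits the DELEs, like SMM's Disconnect

def looks_like_swen(size, peek):                            # the article's heuristic
    return size > 100 * 1024 and "Cumulative Patch" in peek

def run_demo(apop=True):
    """(deleted on run 1, deleted on run 2, what the server really removed); run 2 costs no TOPs."""
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakePop3)   # port 0: any free one
    srv.mailbox, srv.apop, srv.deleted = list(MAILBOX), apop, set()
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        uidl_db = set()                                     # SMM keeps this on disk between runs
        first = filter_mailbox(*srv.server_address, looks_like_swen, uidl_db)
        second = filter_mailbox(*srv.server_address, looks_like_swen, uidl_db)
        return first, second, sorted(srv.deleted)
    finally:
        srv.shutdown()
        srv.server_close()
```

Calling run_demo() deletes only the padded "Cumulative Patch" message on the first pass (the friend's small reply that quotes the phrase survives), and the second pass, sharing the UIDL set, issues no TOP at all. Two things worth noticing: the APOP digest is bound to a per-session timestamp, so it cannot be replayed, but it protects only the password, not the mail; and the cleartext fallback means that anyone who can tamper with the server greeting can downgrade you to USER/PASS, which is the argument for POP3 over TLS, a feature this version's list does not mention.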
Let's see what we can do against a real-world problem. Suppose that Swen, one of today's most popular worms, is abusing us. For the lucky ones who have not yet received several copies: Swen is a mass-mailing worm that urges you to install the latest Windows update, kindly included as an attachment in a 145-165K email. That attachment is the real problem. For over eight weeks I received 50 to 100 of these 150K mails, clogging my mailbox.
Let's look at the headers of these messages to find some similarities:
-----------------------------------------------------------------------
FROM: "MS Corporation Public Bulletin" <email@example.com>
TO: "Customer" <firstname.lastname@example.org>
SUBJECT: Microsoft Security Upgrade
Date: Sun, 19 Oct 2003 13:43:20 -0400 (EDT)

Microsoft Customer

This is the latest version of security update, the "October 2003, Cumulative Patch" update which fixes all known security vulnerabilities affecting
----------------------------------------------------------------
FROM: "Technical Bulletin" <MAILER-DAEMON@selene.host4u.net>
TO: "MS Consumer" <email@example.com>
SUBJECT: Current Security Pack
Date: Tue, 21 Oct 2003 17:05:11 -0600

Microsoft Consumer

This is the latest version of security update, the "October 2003, Cumulative Patch" update which eliminates all known security vulnerabilities affecting
----------------------------------------------------------------
As we can clearly see, even though the To: fields are different, the bodies of the two messages look alike: both contain the phrase "Cumulative Patch." A basic Google search for "Cumulative Patch virus" quickly shows that this is the Swen worm, posing as a legitimate Microsoft patch. (Swen removal is possible.)
Now it's time to configure the Inspector plug-in under the Plug-ins menu. Click Configure to see the plug-in's configuration file. It is easy to understand: it consists of named lists and logical expressions built from them. This is where you define and save your rules.
The first thing to do is to define a new NAMELIST containing the phrase "Cumulative Patch". This list names a phrase that occurs in the bodies of messages we consider worms:
NAMELIST [wormbody]=[Cumulative Patch];
Then extend the DENY [worms] line with an "or" clause to filter out messages with wormy bodies:
DENY [worms]=((SIZE is_in [wormsize]) and (SUBJECT is_in [wormtitles])) or (BODY is_in [wormbody]);
When inspecting an email, Inspector checks the usual worm sizes and subjects first and then evaluates our new clause, which searches for "Cumulative Patch" in the mail body.
This is enough to filter out the Swen worm's emails. But suppose one of your friends sends you an email that mentions "Cumulative Patch": SMM will filter that mail out too. Fortunately, SMM gives us more than enough operators to refine the filter.
It's easy to add a SIZE range saying that Swen's messages, because of the attachment, are always between 140K and 160K:
SIZE [sven]=140K to 160K;
The DENY rule must take this into account, so it becomes:
DENY [worms]=((SIZE is_in [wormsize]) and (SUBJECT is_in [wormtitles])) or ((BODY is_in [wormbody]) and (SIZE is_in [sven]));
Now, emails which are between 140-160K in size and that contain the phrase "Cumulative Patch" in their bodies will be filtered out.
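The following is an added example written for this page, not SMM's own parser: a small Python reimplementation of the Inspector rule language as far as the three statements above reveal it, run over constructed messages. The grammar is inferred (NAMELIST lists, SIZE ranges with K/M suffixes, DENY expressions made of FIELD is_in [name] atoms joined by and/or with parentheses); the names [wormsize] and [wormtitles] are referenced in the article but never shown, so their values here are invented; and treating list entries as comma-separated, case-insensitive regular expressions, and giving "and" precedence over "or" where parentheses are absent, are assumptions. It shows exactly the false positive discussed above: under the first version of the rule a friend's 3K message mentioning "Cumulative Patch" is denied, and under the size-guarded version it is not.

```python
"""The Inspector rule language reimplemented as an added example for this page; it is not
SMM's parser.  Grammar inferred from the article: NAMELIST [n]=[...]; SIZE [n]=lo to hi;
DENY [n]=expr; with expr built from (FIELD is_in [n]) atoms, 'and', 'or', parentheses."""
import re

# Constructed configuration; [wormsize] and [wormtitles] are not shown in the article.
RULES = """
NAMELIST [wormtitles]=[Microsoft Security Upgrade, Current Security Pack];
SIZE [wormsize]=100K to 200K;
NAMELIST [wormbody]=[Cumulative Patch];
SIZE [sven]=140K to 160K;
DENY [worms]=((SIZE is_in [wormsize]) and (SUBJECT is_in [wormtitles])) or ((BODY is_in [wormbody]) and (SIZE is_in [sven]));
"""
# The article's first, too-broad version of the rule: no size guard on the body test.
LOOSE_RULES = RULES.replace(" and (SIZE is_in [sven])", "")

def _size(tok):
    """'140K' -> 143360, '2M' -> 2097152, '512' -> 512 (anything else raises)."""
    n, unit = re.fullmatch(r"(\d+)([KM]?)", tok.strip(), re.I).groups()
    return int(n) * {"": 1, "K": 1024, "M": 1024 ** 2}[unit.upper()]

def parse_rules(text):
    """Return (namelists, size_ranges, deny_exprs); deny_exprs maps name -> token list."""
    lists, ranges, denies = {}, {}, {}
    for stmt in filter(None, (s.strip() for s in text.split(";"))):
        kind, _, rest = stmt.partition(" ")
        name, _, value = (p.strip() for p in rest.partition("="))
        name = name.strip("[]")
        if kind == "NAMELIST":                      # comma-separated regexes (assumption)
            lists[name] = [p.strip() for p in value.strip("[]").split(",")]
        elif kind == "SIZE":
            lo, hi = value.split(" to ")
            ranges[name] = (_size(lo), _size(hi))
        elif kind == "DENY":                        # tokens: ( ) [name] and other words
            denies[name] = re.findall(r"\(|\)|\[[^\]]*\]|\S+", value)
        else:
            raise ValueError(f"unknown statement: {stmt!r}")
    return lists, ranges, denies

class _Eval:
    """expr := conj ('or' conj)*; conj := atom ('and' atom)*; atom := '(' expr ')' | FIELD is_in [n]."""
    def __init__(self, tokens, lists, ranges, msg):
        self.t, self.lists, self.ranges, self.msg, self.i = tokens, lists, ranges, msg, 0
    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None
    def take(self, expect=None):
        tok, self.i = self.peek(), self.i + 1
        if tok is None or (expect and tok != expect):
            raise ValueError(f"expected {expect or 'a token'}, got {tok!r}")
        return tok
    def expr(self):
        v = self.conj()
        while self.peek() == "or":
            self.take()
            v = self.conj() or v          # always parse the right side, even if v is True
        return v
    def conj(self):
        v = self.atom()
        while self.peek() == "and":
            self.take()
            v = self.atom() and v
        return v
    def atom(self):
        if self.peek() == "(":
            self.take()
            v = self.expr()
            self.take(")")
            return v
        field, _, name = self.take(), self.take("is_in"), self.take().strip("[]")
        if field == "SIZE":
            lo, hi = self.ranges[name]
            return lo <= self.msg["size"] <= hi
        hay = self.msg.get(field.lower(), "")           # SUBJECT, BODY, FROM, ...
        return any(re.search(p, hay, re.I) for p in self.lists[name])

def inspect(msg, rules):
    """Names of the DENY rules the message trips; msg carries size (bytes), subject, body."""
    lists, ranges, denies = rules
    hits = []
    for name, tokens in denies.items():
        ev = _Eval(tokens, lists, ranges, msg)
        verdict = ev.expr()
        if ev.peek() is not None:
            raise ValueError(f"trailing tokens in DENY [{name}]: {ev.t[ev.i:]}")
        if verdict:
            hits.append(name)
    return hits

# Constructed messages; sizes are what POP3 LIST would report.
SAMPLES = {
    "swen": dict(size=150 * 1024, subject="Microsoft Security Upgrade",
                 body='This is the latest version of security update, the "October 2003, '
                      'Cumulative Patch" update which fixes all known security vulnerabilities'),
    "friend": dict(size=3 * 1024, subject="re: that fake patch mail",
                   body="It even calls itself the Cumulative Patch. Did you get it too?"),
    "photos": dict(size=150 * 1024, subject="holiday photos", body="see attachment"),
}

def classify_samples(text=RULES):
    """Map each sample to the DENY rules it trips under the given configuration."""
    rules = parse_rules(text)
    return {k: inspect(m, rules) for k, m in SAMPLES.items()}
```

classify_samples() yields {'swen': ['worms'], 'friend': [], 'photos': []}, while classify_samples(LOOSE_RULES) also denies 'friend'. The general lesson for writing such rules is the one the article draws: a content phrase alone is a weak signal, and combining it with a second, independent property of the worm (here the size band forced by its attachment) is what keeps legitimate mail out of the red-light column.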
Further Configuration Ideas
If you want to configure SMM to be effective not only against worm attacks and basic spam but against every kind of unwanted mail, you should look into SpamAssassin and configure it, though that is beyond the scope of this article.
SMM has a very nice GTK-based client, which eases things, but if you prefer the Unix admin way, it also supplies a batch mode. After configuring SMM to your needs, you can run it in batch mode like this:
$ smm -b
It will check your mailbox with your settings and wipe unwanted mail. This may look very nice in a crontab, especially during constantly repeated worm attacks. Remember that batch mode deletes without asking: test new rules in interactive mode first, because mail deleted from the server by a bad rule is gone for good.
SaveMyModem is a very nice solution for those who lack server-side protection or the bandwidth to download all their mail and filter it at the client. In its most basic usage you can use it to browse the email sitting on the server. As a bonus, it is a dual-platform solution, running natively on both Linux and Windows.
KIVILCIM Hindistan works as a full time computer security consultant with a CISSP, using Linux and Free Software as weapons of choice.
Return to ONLamp.com.