
Enhancing functionality

Although more compact and --at least to some users-- easier to understand, this simple example still does not show the power of Perl. Using a sendmail configuration file, if an administrator noticed spam coming from the domains spammer.org, spammer.net and spam4you.com, a single rule would match them all, thanks to regular expressions: 'spam.+'. However, this would also block all legitimate mail from spamstoppers.org -- this can be solved either by excluding specifically this domain with 'spam(?!stoppers)', or by including only the three offending domains, with 'spam(4you\.com|mer\.(org|net))'. Regular expressions can become, as seen here, a bit difficult to read for the new user, but they are a great, powerful tool for the seasoned administrator.

ProtoWrap does more than use regular expressions to reimplement the Sendmail functionality lost while wrapping: it also implements something not contemplated by Sendmail, content inspection.

Mail-based viruses have become commonplace. They are usually very fast to spread and to damage information. They do this, however, with patterns that are very easy to find. The infamous 'I Love you' virus will be taken as an example. This virus spreads as a .VBS (Visual Basic Script) attachment to email messages, all of which have 'ILOVEYOU' as a subject. Sendmail can stop this virus with the following lines located in the sendmail.cf file:


HSubject: $>Check_Subject
D{WORMmsg}Access Denied - This message may contain a virus.

SCheck_Subject
RILOVEYOU               $#error $: 501 ${WORMmsg}
RRe: ILOVEYOU           $#error $: 501 ${WORMmsg}
RFW: ILOVEYOU           $#error $: 501 ${WORMmsg}
RRead: ILOVEYOU                 $#discard
RNot read: ILOVEYOU             $#discard
RDelivered: ILOVEYOU            $#discard
RUndeliverable: ILOVEYOU        $#discard

The steps followed are:

  1. H -- Search for something in the header. In this case, search for the string Subject:, and call this header rule Check_Subject
  2. D -- Define an answer, called WORMmsg, and the text sent to the requesting client when it is invoked.
  3. S -- Define a search. From here on, we will be talking about the line defined in step 1.
  4. R -- React to the string found by sending an error (first three R lines) or by discarding the message (last 3 R lines)

Note that no pattern matching is actually done; the rules only match exact strings.

The same effect can be achieved simply with ProtoWrap, by adding the string '^Subject: .*ILOVEYOU' to the blockBodyList attribute. This one will, of course, catch every possible modification done by a client program (for example, prepending re:, Re:, RE:, ref:, Ref:, REF:, fw:, Fw:, FW:, etc.) -- a monstrous task if using straight Sendmail syntax.
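
The comparison described above, as an added Perl example (not ProtoWrap's or the author's code): it checks constructed header lines against the seven subjects from the sendmail.cf excerpt and against the blockBodyList pattern. The exact-match side is modeled as plain string equality, which is an assumption (sendmail's own rule processing is not reproduced), and the sample headers and the classify helper are hypothetical.

```perl
#!/usr/bin/perl
# Added example, not ProtoWrap source: exact-match list vs. one regular expression.
use strict;
use warnings;

# Subjects on the left-hand side of the seven R lines in the sendmail.cf excerpt.
# Assumption: modeled as plain string equality, not sendmail's rule engine.
my %exact = map { $_ => 1 } (
    'ILOVEYOU', 'Re: ILOVEYOU', 'FW: ILOVEYOU', 'Read: ILOVEYOU',
    'Not read: ILOVEYOU', 'Delivered: ILOVEYOU', 'Undeliverable: ILOVEYOU',
);

# The pattern the page adds to blockBodyList, compiled once.
my $block = qr/^Subject: .*ILOVEYOU/;

# Constructed sample header lines (not taken from real traffic).
my @headers = (
    'Subject: ILOVEYOU',
    'Subject: Re: ILOVEYOU',
    'Subject: Fw: Re: ILOVEYOU',
    'Subject: ref: ILOVEYOU',
    'Subject: Advisory: filtering the ILOVEYOU worm',
    'Subject: Lunch on Friday?',
    'X-Note: ILOVEYOU',
);

# Returns (exact_hit, regex_hit) for one header line.
sub classify {
    my ($line) = @_;
    my $exact_hit = 0;
    if ($line =~ /^Subject: (.*)$/) {
        # Whole-subject comparison: any extra prefix makes the lookup fail.
        $exact_hit = exists $exact{$1} ? 1 : 0;
    }
    my $regex_hit = ($line =~ $block) ? 1 : 0;
    return ($exact_hit, $regex_hit);
}

printf "%-50s %-6s %s\n", 'header line', 'exact', 'regex';
for my $line (@headers) {
    my ($e, $r) = classify($line);
    printf "%-50s %-6s %s\n", $line,
        ($e ? 'block' : 'pass'), ($r ? 'block' : 'pass');
}
```

The 'Advisory' line shows the cost of the broad pattern: any subject containing the string is blocked, including legitimate mail that merely mentions the worm. The 'X-Note' line passes because the pattern is anchored to the Subject header.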


Gunnar Wolf
2001-03-12