[Tutor] parsing email

Michael Janssen Janssen at rz.uni-frankfurt.de
Fri Jan 30 05:56:15 EST 2004


On Thu, 29 Jan 2004, Karl Pflästerer wrote:

> On 29 Jan 2004, Michael Janssen <- Janssen at rz.uni-frankfurt.de wrote:
>
> > when each e-mail is in a single file - why not just run a virus scanner
> > over them? The virus scanner can safely delete all virus mails.
>
> A virus scanner can easily be broken by unfriendly senders; e.g. if you
> send an e-mail with a zip attachment the scanner has to unpack the
> attachment.  If you zipped a big file (some GB) of only zeros you
> have a small and nice zip file which if unzipped stops your machine (to
> make it perfect you need a hex editor to change the header of the zip
> file so the real size can't be seen).  Or use bzip2.  Google for 42.zip.
> Furthermore a virus scanner has to know the pattern of the virus.  So a
> virus scanner gives you a false feeling of security.  And you might not
> only want to search for virus files but for every sort of UCE or UBE.

Still it works for us and we are scanning 100t mail per day :-) And it
seems much less bad than deleting mails by Subjects like "hello" as
used by MyDoom.

It's a pity but both OpenSource projects out there to scan mail on the
server (MailScanner and amavis-new) are Perl code. It would be nice to have
a Python solution in the race, but it would also be a lot of work
(MailScanner has 25t lines of code and years of experience).

Simply blocking executable attachments could be a way to do it with
Python and a reasonable amount of effort. You probably can't stop all
viruses (since you can't block .doc or .zip entirely) but you can stop
many of them. You would need some kind of a ruleset with allow and deny
rules, first allowing all attachments that are OK or can't be blocked
without angry users, then denying executables and other nasty things
(the hard thing is to determine the complete list of nasty
filename extensions for Windows). Perhaps special rules with complete
filenames, when it's known that a new virus uses them.

Scanning for attachment names is a lot better than scanning Subjects,
because you won't delete legitimate mails that don't even contain an
attachment (but it leaves the door open for threatening HTML and script
code).

You probably want to delete only the attachments instead of the whole
mail and put a message in it (which should be easily done with
email.Parser and email.Generator).


Besides scanning/blocking attachments, a facility to block known virus
subjects/bodies/headers would be fine. But it only works *after* the
admin has realized the threat and set up appropriate rules. "Rules" is the
keyword: the application needs to be rule-driven or it would be an
endless pain to adapt it to the next viruses.

All this would be a nice not-too-big project, but the problem is how
to do it *before* the users get their hands on the mails, i.e. *before* the
mails are stored in the system inbox. On Linux you can do it (inefficiently)
with procmail when you've got no better idea. I don't know how to solve
it with NT.


Michael
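Added example (not part of Michael's post, and not code from MailScanner or amavis-new): a small rule-driven attachment filter of the kind sketched above, built on the standard library's email parser and generator (today's BytesGenerator rather than the 2004 email.Parser/email.Generator names). It applies ordered allow/deny rules to attachment filenames, replaces each denied attachment with a plain-text notice instead of dropping the whole mail, and, for the zip-bomb case raised in the quoted reply, refuses .zip attachments that would expand past a size limit without trusting the sizes declared in the archive headers. The rule list, the 10 MiB limit, the complete-filename rule and the sample message are all constructed for the example.

```python
import io
import re
import zipfile
from email import message_from_bytes, policy
from email.generator import BytesGenerator
from email.message import EmailMessage

# Ordered allow/deny rules matched against the lowercased attachment filename.
# First match wins; anything no rule mentions is allowed. The third rule stands
# in for the "complete filename" rules the post mentions; its names are made up.
RULES = [
    ("allow", re.compile(r"\.(txt|pdf|jpe?g|png|gif)$")),
    ("deny", re.compile(r"\.(exe|scr|pif|bat|cmd|com|vbs|js)$")),
    ("deny", re.compile(r"^(document|readme|body)\.(zip|exe)$")),  # hypothetical
]
MAX_UNPACKED = 10 * 1024 * 1024  # refuse archives that expand past 10 MiB
NOTICE = "[attachment {name!r} removed by the mail filter: {reason}]\n"


def rule_for(filename):
    """Return 'allow' or 'deny' for a filename according to RULES."""
    name = filename.lower()
    for action, pattern in RULES:
        if pattern.search(name):
            return action
    return "allow"


def zip_is_oversized(data, limit=MAX_UNPACKED):
    """True if unpacking the zip would exceed limit (or it is not a zip at all).

    The declared sizes are checked first, but they live in headers the sender
    controls, so every member is then streamed with a hard cap instead of
    trusting them. Nested archives are not opened; a .zip inside the .zip is
    just bytes counted against the limit."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return True
    with zf:
        if sum(info.file_size for info in zf.infolist()) > limit:
            return True
        remaining = limit
        for info in zf.infolist():
            with zf.open(info) as member:
                while True:
                    chunk = member.read(65536)
                    if not chunk:
                        break
                    remaining -= len(chunk)
                    if remaining < 0:
                        return True
    return False


def filter_message(raw, unpack_limit=MAX_UNPACKED):
    """Parse a raw message, replace every denied attachment with a plain-text
    notice and return (filtered_bytes, removed_filenames)."""
    msg = message_from_bytes(raw, policy=policy.default)
    removed = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if not name:
            continue  # inline text/html bodies are not attachments; out of scope
        reason = None
        if rule_for(name) == "deny":
            reason = "blocked by filename rule"
        elif name.lower().endswith(".zip") and zip_is_oversized(
                part.get_payload(decode=True), unpack_limit):
            reason = "archive expands beyond the size limit"
        if reason:
            removed.append(name)
            part.clear_content()  # drops the payload and all Content-* headers
            part.set_content(NOTICE.format(name=name, reason=reason))
    out = io.BytesIO()
    BytesGenerator(out, policy=policy.default).flatten(msg)
    return out.getvalue(), removed


def attachment_names(raw):
    """Filenames of all attachments still present in a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def make_zip(zero_bytes):
    """Constructed zip with one member of zero_bytes zeros (compresses to ~nothing)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * zero_bytes)
    return buf.getvalue()


def build_sample():
    """Constructed sample message: a text body plus three attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "hello"
    msg.set_content("see attachments")
    msg.add_attachment(b"%PDF-1.4 (constructed)", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ (constructed)", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.exe")
    msg.add_attachment(make_zip(16 * 1024 * 1024), maintype="application",
                       subtype="zip", filename="data.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    filtered, removed = filter_message(build_sample())
    print("removed:", removed)
    print("kept:", attachment_names(filtered))
```

Run stand-alone, it reports the double-extension executable and the oversized archive as removed and the PDF as kept. The allow rules come first on purpose, matching the order the post describes, so a later deny rule never catches a type users depend on; the filter acts on the parsed MIME tree rather than on the Subject, so mails without attachments pass untouched.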