We no longer offer ftp downloads. If there is a file you need referenced here, please contact me by email and I will get it to you.
The number of viruses that attack Windows systems is incredible. Virus scanning is costly, and it can't guarantee 100% safety: if you get a virus before the scanners know about it, they will let it pass.
Most viruses come in the form of email attachments. While attachments are certainly important for some email, in other situations a company may not care to receive attachments at all; for example, if they are only expecting text emails, any attachment is suspect. In such cases, stripping attachments makes sense.
Here is my simple shell script attachment stripper. Some caveats are important:
1) It is not a real filter. I have cron run it every minute. There is a statistical chance that an attachment could get past it if the recipient's POP client checks and downloads the email within the 60-second interval between runs. To minimize this chance, users can set their email program to check for new mail no more often than every 15 or 20 minutes. That allows a bigger window of opportunity for the scanner to do its job. It would be much better if a user could just pipe incoming email through a script like this (that can be done using procmail).
It's also possible that a large attachment could be coming in and still being written to the spool as this script runs on it (again, procmail would eliminate that). I've never seen that happen, and this has handled a LOT of email.
2) It doesn't check all the possible high-risk attachments, but I think I have included all the common, widespread types. The full list is around 15-20 different file types.
3) It may use more resources than some admins would like if it runs every single minute of the day. I have tried to minimize resource use by only scanning email newer than the last check. That helped a bunch over the previous version, which scanned the entire spool directory; and again, using procmail would mean it would only run as email was delivered.
4) I think the binary "/usr/bin/newer" may be an add-on to SCO, but I noticed it is standard on RH 6.2. I think there is an option of the "test" binary that can check if a file's modification time is newer. Yup, just checked: it's the "-nt" option.
5) It quarantines the entire contents of the recipient's mail spool, which means an admin would have to look through the quarantine for important emails from time to time. In practice I have seen this needed only in rare cases, like emailed orders. Amazing how much junk is in email. A much better approach would be to only cripple or clip out the attachment and leave the rest intact.
These are some pitfalls. But I can personally testify that I have seen it do a great job at trapping viruses in the 8 months I have been running it! The only time one got through was before I added "eml" to the list of extensions.
I'll bet some wizards could vastly improve the script. Simple things, like figuring out how to use one grep command for all the file types, might improve performance significantly (egrep can, of course, search for multiple patterns in one pass, and in Perl this would be even easier).
: # SCO Unix version
# emailvirus.sh - scan email spool for high-risk attachments
# if found - quarantine and email user, admin
#
# currently checks for 6 file types: vbs, exe, bat, js, scr, eml
# add your own as you wish below
#
start_time=`date "+%y%m%d%H%M.%S"`
scan_time=`date "+%y%m%d %H:%M:%S"`
mailspool=/usr/spool/mail
admin="admin_email_address_here"
quarantinedir=/tmp/quarantine
# watch size of this log file, it logs scans and quarantines
logfile=/tmp/emv.dat
if [ -d $quarantinedir ] ; then
    qdir=ok
else
    mkdir $quarantinedir
fi
# use logfile to track last run, see if spool file is newer before
# checking, create it if it don't exist
if [ -f $logfile ] ; then
    emv=ok
else
    touch $logfile
fi
cd $mailspool
for i in `ls`
do
    if /usr/bin/newer $i $logfile ; then
        if [ -s $i ] ; then
            # SCO's sh echo interprets \t itself
            echo "scan\t"$i"\t"$scan_time >> $logfile
        fi
        risk=no
        # check for high-risk attachments
        # I just grep for word "name"; the "xyzX" suffix keeps the
        # variable non-empty so the echo below always has something to pipe
        fattach=`grep -i name $i`"xyzX"
        if echo $fattach | grep -i "\.vbs" > /dev/null ; then
            risk=yes
            vdesc="visual basic"
        fi
        if echo $fattach | grep -i "\.exe" > /dev/null ; then
            risk=yes
            vdesc="executable"
        fi
        if echo $fattach | grep -i "\.js" > /dev/null ; then
            risk=yes
            vdesc="javascript"
        fi
        if echo $fattach | grep -i "\.bat" > /dev/null ; then
            risk=yes
            vdesc="batch file"
        fi
        if echo $fattach | grep -i "\.eml" > /dev/null ; then
            risk=yes
            vdesc="MS eml"
        fi
        if echo $fattach | grep -i "\.scr" > /dev/null ; then
            risk=yes
            vdesc="screen saver"
        fi
        if [ $risk = yes ] ; then
            # the whole spool file is moved aside, not just the attachment
            qfile=/tmp/quarantine/$i.$$
            mv $i $qfile
            # notice to the user
            echo -e " "$i": \nYour email was quarantined because it contained a possible $vdesc virus. \n\nSee System Administrator for assistance. \n\nFile quarantined: "$qfile | mail -s "QUARANTINED EMAIL - $i" $i
            # second notice, using the mail "~b" escape at the start of a line
            # to blind-copy the admin (the Linux version simply lists both recipients)
            echo "~b $admin
$i: Your email was quarantined because it contained a possible $vdesc. See $admin for assistance.
File quarantined: "$qfile | mail -t -s "QUARANTINED EMAIL - $i" $i
            echo "QUARANTINE\t"$i"\t"$scan_time"\tfile\t"$qfile >> $logfile
        fi
    fi
done
# revert logfile mod time back to when this process started
touch -t $start_time $logfile

#!/bin/sh
# LINUX VERSION
# emailvirus.sh - scan email spool for high-risk attachments
# if found - quarantine and email a notice to user, admin
# scans and results logged to /tmp/emv.log - you might watch size of this
mailspool=/var/spool/mail
logfile=/tmp/emv.log
admin="admin_email_address_here"
# a world-writable /tmp is a weak home for quarantined mail; a root-owned
# directory is a better choice
quarantinedir=/tmp/quarantine
start_time=`date "+%y%m%d%H%M.%S"`
scan_time=`date "+%y%m%d %H:%M:%S"`
if [ -d $quarantinedir ] ; then
    qdir=ok
else
    mkdir $quarantinedir
fi
# use logfile to track last run, see if spool file is newer before
# checking, create it if it don't exist
if [ -f $logfile ] ; then
    emv=ok
else
    touch $logfile
fi
cd $mailspool
for i in `ls`
do
    # test -nt stands in for SCO's "newer" binary (see caveat 4 above)
    if [ "$i" -nt "$logfile" ] ; then
        echo $i" scanned: "$scan_time >> $logfile
        risk=no
        vdesc=" "
        # check for common, high-risk attachments
        # by grepping for "name" to start with
        # gnu grep apparently requires the "-a" (treat the spool as text)
        fattach=`grep -a -i name $i`"xyzX"
        if echo $fattach | grep -i "\.vbs" > /dev/null ; then
            risk=yes
            vdesc="visual basic"
        fi
        if echo $fattach | grep -i "\.exe" > /dev/null ; then
            risk=yes
            exe=yes
            vdesc="executable"
        fi
        if echo $fattach | grep -i "\.js" > /dev/null ; then
            risk=yes
            js=yes
            vdesc="javascript"
        fi
        if echo $fattach | grep -i "\.bat" > /dev/null ; then
            risk=yes
            bat=yes
            vdesc="batch file"
        fi
        if echo $fattach | grep -i "\.eml" > /dev/null ; then
            risk=yes
            eml=yes
            vdesc="MS eml"
        fi
        if echo $fattach | grep -i "\.scr" > /dev/null ; then
            risk=yes
            scr=yes
            vdesc="screen saver"
        fi
        if [ $risk = yes ] ; then
            qfile=$quarantinedir/$i.$$
            mv $i $qfile
            # one notice to the user and the admin together
            echo -e $i": \n\nYour email was quarantined because it contained a possible $vdesc virus. \n\nSee System Administrator for assistance. \n\nFile quarantined: "$qfile | mail -s "QUARANTINED EMAIL - $i" $i $admin
            echo "quarantine "$i" file: "$qfile " "$scan_time >> $logfile
        fi
    fi
done
touch -t $start_time $logfile
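Two of the improvements the caveats ask for, clipping out only the offending part instead of quarantining the whole spool (caveat 5) and checking every extension in one pass rather than one grep per type (the egrep/Perl suggestion), shown together as an added example in Python; this is not Bob Meyers' script. It uses only the standard library's email package, walks the real MIME structure instead of grepping for the word "name", and anchors the match at the end of the declared filename so a ".json" attachment is not taken for JavaScript. The sample message, the example.invalid addresses and the notice wording are constructed for the demonstration, and the extension list is the six the script above checks.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# The six extensions the page's script checks, as one compiled pattern: one
# pass instead of one grep per type, and anchored at the end of the filename
# so "report.json" is not taken for JavaScript and "notes.exe.txt" is left alone.
RISKY_EXT = re.compile(r"\.(vbs|exe|bat|js|scr|eml)$", re.IGNORECASE)


def parse(raw_message: str) -> EmailMessage:
    """Parse one RFC 822 message with the modern (EmailMessage) policy."""
    return message_from_string(raw_message, policy=policy.default)


def risky_parts(msg: EmailMessage) -> list[EmailMessage]:
    """Leaf MIME parts whose declared filename ends in a risky extension."""
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= first, then
        # Content-Type name=, and decodes RFC 2231 encoded parameters.
        name = part.get_filename()
        if name and RISKY_EXT.search(name.strip()):
            hits.append(part)
    return hits


def strip_risky_attachments(raw_message: str) -> tuple[str, list[str]]:
    """Replace each risky attachment with a short notice, keeping the rest of
    the message intact. Returns (cleaned message text, removed filenames)."""
    msg = parse(raw_message)
    removed = []
    for part in risky_parts(msg):
        name = part.get_filename()
        removed.append(name)
        # set_content() clears the part's old Content-* headers and payload,
        # so the binary body is gone and only this text notice remains.
        part.set_content(
            f"[Attachment {name!r} removed as a possible virus carrier.]\n"
            "See the system administrator if you need it.\n"
        )
    return msg.as_string(), removed


def attachment_names(raw_message: str) -> list[str]:
    """Filenames declared by the leaf parts of a message, in order."""
    msg = parse(raw_message)
    return [p.get_filename() for p in msg.walk()
            if not p.is_multipart() and p.get_filename()]


# Constructed sample message (not real mail): a text body, a .json attachment
# that a bare "\.js" grep would flag, and an executable with an upper-case
# extension. The base64 body is just the word "Hello".
SAMPLE = """\
From: sender@example.invalid
To: user@example.invalid
Subject: order
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain; charset="us-ascii"

Please see the attached order.
--XX
Content-Type: application/json; name="report.json"
Content-Disposition: attachment; filename="report.json"

{"ok": true}
--XX
Content-Type: application/octet-stream; name="Invoice.EXE"
Content-Disposition: attachment; filename="Invoice.EXE"
Content-Transfer-Encoding: base64

SGVsbG8=
--XX--
"""

if __name__ == "__main__":
    cleaned, removed = strip_risky_attachments(SAMPLE)
    print("removed:", removed)
    print(cleaned)
```

Run it and the printed message still carries the text body and report.json; only the Invoice.EXE part has become a text notice. Hooked up behind procmail, as the article suggests, the cleaned text would be handed on to delivery instead of the original; the point it makes beyond the shell script is that a MIME parser sees the declared filename exactly once, wherever it sits in the headers, so the match can be strict.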
Related procmail script: https://www.impsec.org/email-tools/procmail-security.html
Copyright December 2001 Bob Meyers. All rights reserved.
Mon Aug 1 17:26:41 2005: 909 BigDumbDinosaur
I was playing around with this script just for grins and it does work fairly well. What might work even better would be to tell sendmail (or whatever MTA is on your system) to pass each inbound message to a script like this for processing. The script could then send cleaned up messages onward to the local mail delivery agent (lmail on SCO boxes) for final processing. I haven't tried anything like that to date, but may if time permits.
------------------------
Email attachment stripping Copyright © December 2001 Bob Meyers