The number of viruses that attack Windows systems is incredible. Virus scanning is costly, and can't guarantee 100% safety: if you get a virus before the scanners know about it, they will let it pass.
Most viruses come in the form of email attachments. While attachments are certainly important for some email, in other situations a company may not care to receive attachments at all; for example, if they are only expecting text emails, any attachment is suspect. In such cases, stripping attachments makes sense.
Here is my simple shell script attachment stripper. Some caveats are important:
1) It is not a real filter. I have cron run it every minute. There is a statistical chance that an attachment could get past it if the recipient's POP client checks and downloads the email within that 60-second interval. To minimize this chance, users can set their email program's check interval to no less than 15 or 20 minutes. That allows a bigger window of opportunity for the scanner to do its job. It would be much better if a user could just pipe incoming email through a script like this (that can be done using procmail).
It's also possible that a large attachment could be coming in and still be being written as this script runs on it (again, procmail would eliminate that). I've never seen that happen, and this has handled a LOT of email.
2) It doesn't check all the possible high-risk attachments. But I think I have included all the common, wide-spread types. The full list is around 15-20 different file types.
3) It may use more resources than some admins would like if it runs every single minute of the day. I have tried to minimize resource use by only scanning email newer than the last check. That helped a bunch over the previous version, which scanned the entire spool directory, and again, using procmail would mean it would only run as email was delivered.
4) I think the binary "/usr/bin/newer" may be an add-on to SCO. But I noticed it is standard on RH 6.2. I think there is an option of the "test" binary that can check if a file mod time is newer. Yup, just checked: it is the "-nt" option.
5) It quarantines the entire contents of the recipient's mail spool, which means an admin would have to look through the quarantine for important emails sometimes. In practice I have seen this needed only in rare cases, like emailed orders. Amazing how much junk is in email. A much better approach would be to only cripple or clip out the attachment, and leave the rest intact.
Those are some pitfalls. But I can personally testify I have seen it do a great job at trapping viruses in the 8 months I have been running it! The only time one got through was before I added "eml" to the list of extensions.
I'll bet some wizards could vastly improve the script. Simple things, like figuring out how to use one grep command for all the file types might improve performance significantly (egrep can, of course, search for multiple patterns in one pass, and in Perl this would be even easier).
:
# SCO Unix version
# emailvirus.sh - scan email spool for high-risk attachments
# if found - quarantine and email user, admin
#
# currently checks for 6 file types: vbs, exe, bat, js, scr, eml
# add your own as you wish below
#
start_time=`date "+%y%m%d%H%M.%S"`
scan_time=`date "+%y%m%d %H:%M:%S"`
mailspool=/usr/spool/mail
admin="admin_email_address_here"
quarantinedir=/tmp/quarantine
# watch size of this log file, it logs scans and quarantines
logfile=/tmp/emv.dat
# the quarantine directory holds whole mail spools: create it (and the
# log) readable only by the account running this script, not every user
umask 077
if [ ! -d "$quarantinedir" ] ; then
    mkdir "$quarantinedir"
fi
# use logfile to track last run, see if spool file is newer before
# checking, create it if it doesn't exist
if [ ! -f "$logfile" ] ; then
    touch "$logfile"
fi
cd "$mailspool" || exit 1
for i in *
do
    # SCO's /usr/bin/newer succeeds when $i was modified after the last run
    if /usr/bin/newer "$i" "$logfile" ; then
        if [ -s "$i" ] ; then
            printf 'scan\t%s\t%s\n' "$i" "$scan_time" >> "$logfile"
        fi
        risk=no
        vdesc=""
        # check for high-risk attachments
        # I just grep for the word "name" (the MIME name= parameter)
        fattach=`grep -i name "$i"`"XXXX"
        if echo "$fattach" | grep -i "\.vbs" > /dev/null ; then
            risk=yes
            vdesc="visual basic"
        fi
        if echo "$fattach" | grep -i "\.exe" > /dev/null ; then
            risk=yes
            vdesc="executable"
        fi
        if echo "$fattach" | grep -i "\.js" > /dev/null ; then
            risk=yes
            vdesc="javascript"
        fi
        if echo "$fattach" | grep -i "\.bat" > /dev/null ; then
            risk=yes
            vdesc="batch file"
        fi
        if echo "$fattach" | grep -i "\.eml" > /dev/null ; then
            risk=yes
            vdesc="MS eml"
        fi
        if echo "$fattach" | grep -i "\.scr" > /dev/null ; then
            risk=yes
            vdesc="screen saver"
        fi
        if [ "$risk" = yes ] ; then
            qfile=$quarantinedir/$i.$$
            # move the whole spool file out of the way, then notify
            # the user and the admin with one message
            mv "$i" "$qfile"
            printf '%s:\nYour email was quarantined because it contained a possible %s virus.\n\nSee System Administrator for assistance.\n\nFile quarantined: %s\n' \
                "$i" "$vdesc" "$qfile" | mail -s "QUARANTINED EMAIL - $i" "$i" "$admin"
            printf 'QUARANTINE\t%s\t%s\tfile\t%s\n' "$i" "$scan_time" "$qfile" >> "$logfile"
        fi
    fi
done
# revert logfile mod time back to when this process started
touch -t "$start_time" "$logfile"
# LINUX VERSION
# emailvirus.sh - scan email spool for high-risk attachments
# if found - quarantine and email a notice to user, admin
# scans and results logged to /tmp/emv.log - you might watch size of this
mailspool=/var/spool/mail
logfile=/tmp/emv.log
admin="admin_email_address_here"
quarantinedir=/tmp/quarantine
start_time=`date "+%y%m%d%H%M.%S"`
scan_time=`date "+%y%m%d %H:%M:%S"`
# the quarantine directory holds whole mail spools: create it (and the
# log) readable only by the account running this script, not every user
umask 077
if [ ! -d "$quarantinedir" ] ; then
    mkdir "$quarantinedir"
fi
# use logfile to track last run, see if spool file is newer before
# checking, create it if it doesn't exist
if [ ! -f "$logfile" ] ; then
    touch "$logfile"
fi
cd "$mailspool" || exit 1
for i in *
do
    # test's -nt option (mentioned above) does what SCO's newer binary
    # does: true when $i was modified after the last run
    if [ "$i" -nt "$logfile" ] ; then
        echo "$i scanned: $scan_time" >> "$logfile"
        risk=no
        vdesc=" "
        # check for common, high-risk attachments
        # by grepping for "name" to start with
        # gnu grep apparently requires the "-a" to search a spool as text
        fattach=`grep -a -i name "$i"`"XXXX"
        if echo "$fattach" | grep -i "\.vbs" > /dev/null ; then
            risk=yes
            vdesc="visual basic"
        fi
        if echo "$fattach" | grep -i "\.exe" > /dev/null ; then
            risk=yes
            vdesc="executable"
        fi
        if echo "$fattach" | grep -i "\.js" > /dev/null ; then
            risk=yes
            vdesc="javascript"
        fi
        if echo "$fattach" | grep -i "\.bat" > /dev/null ; then
            risk=yes
            vdesc="batch file"
        fi
        if echo "$fattach" | grep -i "\.eml" > /dev/null ; then
            risk=yes
            vdesc="MS eml"
        fi
        if echo "$fattach" | grep -i "\.scr" > /dev/null ; then
            risk=yes
            vdesc="screen saver"
        fi
        if [ "$risk" = yes ] ; then
            qfile=$quarantinedir/$i.$$
            mv "$i" "$qfile"
            printf '%s:\n\nYour email was quarantined because it contained a possible %s virus.\n\nSee System Administrator for assistance.\n\nFile quarantined: %s\n' \
                "$i" "$vdesc" "$qfile" | mail -s "QUARANTINED EMAIL - $i" "$i" "$admin"
            echo "quarantine $i file: $qfile $scan_time" >> "$logfile"
        fi
    fi
done
touch -t "$start_time" "$logfile"
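A single-pass version of the extension check, as the closing paragraph of the article suggests, added here as an example and not part of the article's scripts. It reads the MIME name= and filename= parameters from a spool file and matches the article's six extensions with one egrep-style alternation, anchored at the end of the name so ".json" is not mistaken for ".js"; the write_sample function and its message are constructed test data, not a real capture.

```shell
#!/bin/sh
# Added example (not the article's code): one grep -E pass over the MIME
# name=/filename= parameters instead of six separate greps. The extension
# is anchored at the end of the attachment name, so ".json" is not taken
# for ".js" and ".executive" is not taken for ".exe".
RISKY='vbs|exe|bat|js|scr|eml'     # the article's six types; extend here

# risky_attachments FILE -> prints each risky extension found, one per line
risky_attachments() {
    # -a: treat the spool as text (the article notes GNU grep needs it);
    # -o: emit only the matched name=... parameter, quoted or bare.
    grep -a -i -o -E '(file)?name=("[^"]*"|[^;[:space:]]+)' "$1" |
    awk -v risky="$RISKY" '
        {
            sub(/^[^=]*=/, "")               # strip the name= / filename= key
            gsub(/"/, "")                    # strip surrounding quotes
            n = tolower($0)                  # .EXE and .exe are the same risk
            if (match(n, "\\.(" risky ")$")) print substr(n, RSTART + 1)
        }' | sort -u
}

# is_risky FILE -> exit status 0 if the message carries a risky attachment
is_risky() {
    [ -n "$(risky_attachments "$1")" ]
}

# Constructed sample message (not a real capture) with one benign, two risky
# and one look-alike (.json) attachment, written to the file named in $1.
write_sample() {
    cat > "$1" <<'EOF'
From sender@example.invalid Mon Dec  3 09:00:00 2001
Subject: Quarterly numbers
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; name="readme.txt"

My name is Bob, files attached.
--b1
Content-Type: application/octet-stream; name="report.json"
--b1
Content-Type: application/octet-stream; name="update.js"
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename=INVOICE.EXE
--b1--
EOF
}
```

Inside the article's loop, `if is_risky "$i"` can stand in for the six grep tests, and the printed extension can feed the notice text.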
Related procmail script: http://www.impsec.org/email-tools/procmail-security.html
© December 2001 Bob Meyers. All rights reserved.

Mon Aug 1 17:26:41 2005: Subject: BigDumbDinosaur
I was playing around with this script just for grins and it does work fairly well. What might work even better would be to tell sendmail (or whatever MTA is on your system) to pass each inbound message to a script like this for processing. The script could then send cleaned up messages onward to the local mail delivery agent (lmail on SCO boxes) for final processing. I haven't tried anything like that to date, but may if time permits.