[Esd-l] Making procmail play "nice"

Kenneth Porter shiva at sewingwitch.com
Fri Sep 26 10:26:56 PDT 2003

--On Thursday, September 25, 2003 9:54 PM -0600 Brett Glass <brett at lariat.org>

> Some of my clients who are using John's sanitizer (and are also active
> mailing list participants) are being bombarded with mass quantities of the
> Swen worm. Unfortunately, the overhead of running Procmail and Perl on so
> many huge messages is bringing the mail servers to their knees.

Not to belittle John's package (it's saved my network a bunch) but for this
kind of thing you might want to look at MIMEDefang. It's a milter that plugs
into sendmail and filters the mail before the SMTP transaction completes. The
core is written in C and uses a "multiplexor" model to distribute work to a
pool of child processes to perform the actual filtering. The children each
have a copy of Perl running your own filter using a library of MD-supplied
tests and actions. This architecture lets you easily extend the filter with
your own Perl regex's.

Here's an extract from my filter that handles dangerous file extensions:

    if (filter_bad_filename($entity)) {
        md_graphdefang_log('bad_filename', $fname, $type);

        # SWEN/GIBE filling quarantine too rapidly here, so just drop it

        #action_add_header('X-Attachment-Removed', 'yes');
        #my $result = action_quarantine($entity, "An attachment named $fname
was removed from this document as it\nconstituted a security hazard.  If you
require this document, please contact\nthe sender and arrange an alternate
means of receiving it.\n");

        #return $result

        return action_discard();

$entity is a MIME::Entity object. As you can see, I've commented out the
default quarantine action (which was just filling up disk space) and thrown
the message on the floor. I left the comments in to show some of the other
kinds of things you could potentially do.

MD can also invoke SpamAssassin (I have it discard very-high-scoring spam) and
the anti-virus product of your choice, and has default detection for SA and
popular AV's.

I initially used John's package because it was easy to install. I'm using Red
Hat 7.2 and the Red Hat sendmail packages don't enable milter, even using the
latest Rawhide SRPM. I had to tweak the package and patches to enable that,
not something for the casual mail user to attempt. I finally switched to MD
for the SpamAssassin integration, because it lets me drop a huge volume of
spam (100's/day) at the MTA, and I was planning to use SA in a gateway
configuration where this architecture works quite well.

Until Swen/Gibe, I'd say that anyone not needing a gateway filter should go
with Sanitizer. I'd still say that if you're not getting hit with a ton of
spam and viruses. But if you need to stop stuff at the MTA or need a gateway
solution, and can invest in the time to add milter to your sendmail config
(for older distros) and do a little more configuration, MD is probably a
better fit.

Note that you can also run these in series; MD catches a lot of stuff on its
way in, and then Sanitizer gets a bit more at the delivery step. You could use
MD on the gateway and Sanitizer on the local mailbox hosts.

More information about the esd-l mailing list