Re: Traffic Monitoring

[Jesse Lep <jlepich () pcrmc com>]

In-Reply-To: <20030508013127.B15305 () evita devdas geek>

GFI's mail essentials will write all inbound and outbound email to a .mdb 
file for later review. It will also do contect filtering by word or phrase.

-Jesse

> Received: (qmail 15474 invoked from network); 7 May 2003 20:06:21 -0000
> Received: from honor.trusecure.com (HELO honor.icsalabs.com) 
(63.170.221.131)
>  by mail.securityfocus.com with SMTP; 7 May 2003 20:06:21 -0000
> Received: from honor.trusecure.com (localhost.localdomain [127.0.0.1])
>       by honor.icsalabs.com (Postfix) with ESMTP
>       id 9C1CD7378; Wed,  7 May 2003 15:57:24 -0400 (EDT)
> Delivered-To: firewall-wizards () honor icsalabs com
> Received: from mx01.nfr.com (mx01.nfr.com [63.91.45.135])
>       by honor.icsalabs.com (Postfix) with ESMTP id A293E72F2
>       for <firewall-wizards () honor icsalabs com>; Wed,  7 May 2003 
15:51:20 -0400 (EDT)
> Received: by mx01.nfr.com (Postfix)
>       id 545AE222673; Wed,  7 May 2003 16:03:11 -0400 (EDT)
> Delivered-To: firewall-wizards () nfr com
> Received: from localhost (localhost.nfr.com [127.0.0.1])
>       by mx01.nfr.com (Postfix) with ESMTP id 32D2A222757
>       for <firewall-wizards () nfr com>; Wed,  7 May 2003 16:03:11 -0400 
(EDT)
> Received: from dvb.homelinux.org (unknown [202.88.170.34])
>       by mx01.nfr.com (Postfix) with ESMTP id 37128222673
>       for <firewall-wizards () nfr com>; Wed,  7 May 2003 16:03:07 -0400 
(EDT)
> Received: by dvb.homelinux.org (Postfix, from userid 500)
>       id F309C340CD; Thu,  8 May 2003 01:31:27 +0530 (IST)
> From: Devdas Bhagat <devdas () dvb homelinux org>
> To: firewall-wizards () nfr com
> Subject: Re: [fw-wiz] Traffic Monitoring
> Message-ID: <20030508013127.B15305 () evita devdas geek>
> Reply-To: Devdas Bhagat <devdas () dvb homelinux org>
> Mail-Followup-To: firewall-wizards () nfr com
> References: <001901c3138b$8a983a80$1700000a () expert com>
> Mime-Version: 1.0
> Content-Type: text/plain; charset=iso-8859-1
> Content-Disposition: inline
> Content-Transfer-Encoding: 8bit
> User-Agent: Mutt/1.2.5.1i
> In-Reply-To: <001901c3138b$8a983a80$1700000a () expert com>; from 
zahid () expertsystems net on Tue, May 06, 2003 at 09:54:13AM +0500
> X-Virus-Scanned: by AMaViS perl-11
> Sender: firewall-wizards-admin () honor icsalabs com
> Errors-To: firewall-wizards-admin () honor icsalabs com
> X-BeenThere: firewall-wizards () honor icsalabs com
> X-Mailman-Version: 2.0.11
> Precedence: bulk
> List-Help: <mailto:firewall-wizards-request () honor icsalabs com?
subject=help>
> List-Post: <mailto:firewall-wizards () honor icsalabs com>
> List-Subscribe: <http://honor.icsalabs.com/mailman/listinfo/firewall-
wizards>,
>       <mailto:firewall-wizards-request () honor icsalabs com?
subject=subscribe>
> List-Id: Firewall Wizards Security Mailing List <firewall-
wizards.honor.icsalabs.com>
> List-Unsubscribe: <http://honor.icsalabs.com/mailman/listinfo/firewall-
wizards>,
>       <mailto:firewall-wizards-request () honor icsalabs com?
subject=unsubscribe>
> List-Archive: <http://honor.icsalabs.com/pipermail/firewall-wizards/>
> X-Original-Date: Thu, 8 May 2003 01:31:27 +0530
> Date: Thu, 8 May 2003 01:31:27 +0530
>
> On 06/05/03 09:54 +0500, Zahid Ahmad Khan wrote:
> > Hi,
> >  
> > A research organization has asked me to look at an interesting
> > situation. They are paranoid about pilferage of research work and want
> > to monitor and log all email traffic (Vectors and contents of POP, SMTP
> > & IMAP). They require the following:
> >  
> > 1) Log all in and out bound emails (All employees have been duly
> > informed of the fact).
> > 2) Generate email vector logs.
> > 3) Flag and stop any email with unauthorized contents.
> > 4) Only interested in traffic on the WAN and Internet interface (E-1,
> > E-3, OC-3, POS)
> > 5) Do not want to log or see any internal traffic which might be contain
> > sensitive R&D info.
> >  
> > I was thinking of putting together a system using pcap for capturing
> > traffic and using/developing an analysis reporting engine. Due to the
> Too complex. Work on the protocol level here.
> Most mail servers will let you make an automatic bcc transparently.
> (always_bcc = add@ress with Postfix).
>
> Your mail may be in any format, text, HTML, base64 encoded, obfuscated
> HTML, uuencoded, pgp|gpg|s/mime encrypted.
> Your parser will have to deal with this. Except for the encrypted part,
> I would suggest using amavis/amavisd-new to handle this. The MIME
> handling in amavisd is good. This only leaves you to modify it to
> identify banned words, and quarantine/redirect those messages.
>
> The only modification I can think of is a modification of the banned
> filename routine to see the banned words/phrases in body of the email
> itself. You might wish to modify the SpamAssassin plugin keywords to
> suit the requirements of this client so that a simple word match that
> may occur in normal usage should not be quarantined, but a sufficiently
> high number of matches triggers a quarantine.
>
> I hope this helps a bit.
>
> Devdas Bhagat
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards