Firewall Wizards mailing list archives
Re: Traffic Monitoring
From: Jesse Lep <jlepich () pcrmc com>
Date: 10 May 2003 00:32:23 -0000
In-Reply-To: <20030508013127.B15305 () evita devdas geek>

GFI's Mail Essentials will write all inbound and outbound email to a .mdb file for later review. It will also do content filtering by word or phrase.

-Jesse
From: Devdas Bhagat <devdas () dvb homelinux org>
Date: Thu, 8 May 2003 01:31:27 +0530
Subject: Re: [fw-wiz] Traffic Monitoring

On 06/05/03 09:54 +0500, Zahid Ahmad Khan wrote:
> Hi,
> A research organization has asked me to look at an interesting situation. They are paranoid about pilferage of research work and want to monitor and log all email traffic (vectors and contents of POP, SMTP & IMAP). They require the following:
> 1) Log all inbound and outbound emails (all employees have been duly informed of the fact).
> 2) Generate email vector logs.
> 3) Flag and stop any email with unauthorized contents.
> 4) Only interested in traffic on the WAN and Internet interface (E-1, E-3, OC-3, POS).
> 5) Do not want to log or see any internal traffic which might contain sensitive R&D info.
> I was thinking of putting together a system using pcap for capturing traffic and using/developing an analysis reporting engine. Due to the

Too complex. Work on the protocol level here. Most mail servers will let you make an automatic bcc transparently (always_bcc = add@ress with Postfix).

Your mail may be in any format: text, HTML, base64 encoded, obfuscated HTML, uuencoded, pgp|gpg|s/mime encrypted. Your parser will have to deal with this.

Except for the encrypted part, I would suggest using amavis/amavisd-new to handle this. The MIME handling in amavisd is good. This only leaves you to modify it to identify banned words and quarantine/redirect those messages. The only modification I can think of is a modification of the banned filename routine to see the banned words/phrases in the body of the email itself.

You might wish to modify the SpamAssassin plugin keywords to suit the requirements of this client, so that a simple word match that may occur in normal usage is not quarantined, but a sufficiently high number of matches triggers a quarantine.

I hope this helps a bit.
Devdas Bhagat

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
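As an added illustration of the threshold idea in Devdas's reply (not code from amavisd-new or from either poster), the script below walks the MIME parts of a captured message, undoes transfer encodings, strips HTML and counts banned-phrase hits, holding the copy only when the count reaches a threshold so that one stray match in normal use passes. The phrase list and the sample mails are constructed, and the copies are assumed to arrive via an always_bcc mailbox as the post describes.

```python
import email
import re
from email import policy
from email.message import EmailMessage
from html import unescape

# Constructed banned phrases; a real deployment would load these from a file.
BANNED_PHRASES = ["project falcon", "lab notebook", "unpublished assay"]
QUARANTINE_THRESHOLD = 2  # hits needed before a message is held, not just one

def _text_of_part(part):
    """Decoded text of a text/* part; HTML tags are stripped before matching."""
    text = part.get_content()  # undoes base64/quoted-printable transfer encoding
    if part.get_content_subtype() == "html":
        text = unescape(re.sub(r"<[^>]+>", " ", text))
    return text

def extract_text(msg):
    """Walk every MIME part and collect the text; ciphertext cannot be scanned."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() in ("application/pgp-encrypted", "application/pkcs7-mime"):
            continue  # encrypted payload: out of scope for a body scanner, as the post notes
        if part.get_content_maintype() == "text":
            chunks.append(_text_of_part(part))
    return "\n".join(chunks)

def score_message(raw, phrases=BANNED_PHRASES):
    """Total banned-phrase hits across all text parts, case-insensitive."""
    msg = email.message_from_string(raw, policy=policy.default)
    text = re.sub(r"\s+", " ", extract_text(msg)).lower()
    return sum(len(re.findall(re.escape(p), text)) for p in phrases)

def should_quarantine(raw, threshold=QUARANTINE_THRESHOLD):
    """Hold the copy only when hits reach the threshold (one stray match passes)."""
    return score_message(raw) >= threshold

def build_sample(plain, html):
    """Constructed multipart/alternative mail with a base64-encoded HTML part."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.org", "bob@example.net", "notes"
    m.set_content(plain)
    m.add_alternative(html, subtype="html", cte="base64")
    return m.as_string()

if __name__ == "__main__":
    hot = build_sample("My notes on Project Falcon are attached.",
                       "<p>Results of the <b>unpublished assay</b> are inside.</p>")
    mild = build_sample("Lunch on Friday?", "<p>The lab notebook is on my desk.</p>")
    print(score_message(hot), should_quarantine(hot))    # 2 True
    print(score_message(mild), should_quarantine(mild))  # 1 False
```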
Current thread:
- Traffic Monitoring Zahid Ahmad Khan (May 06)
- Re: Traffic Monitoring Paul Dokas (May 07)
- Re: Traffic Monitoring Paul Robertson (May 07)
- Re: Traffic Monitoring Bill Royds (May 07)
- Re: Traffic Monitoring Rama krishna prasad (May 07)
- Re: Traffic Monitoring Paul Robertson (May 07)
- Re: Traffic Monitoring Devdas Bhagat (May 07)
- <Possible follow-ups>
- Re: Traffic Monitoring Jesse Lep (May 09)
- Re: Traffic Monitoring Paul Dokas (May 07)