[Mimedefang] Re: email wire tap

Michael Mondy mike at coffeebird.net
Mon Mar 22 19:25:27 EST 2004


I've been asked the feasibility of doing something similar.  

There are also commercial products which work by snooping the
network traffic.

Previous replies in this thread have suggested using add_recipient() and
resend_message().  However, neither of these methods will preserve the
actual recipients.  That doesn't seem to meet the intent of a wiretap
effort.

Presumably, the results of the wiretap will need to be something that is
easily searchable by someone in a legal department or security department.
They'll probably want to use off-the-shelf tools that were designed for
scanning a live Exchange or Notes server.  It seems to me that you need
to create new headers to show what was in the envelope.  I'm thinking that
a wiretap on a transit server needs to send the copies to some back-end
mailbox system where searches and analyses can be run.  This doubles the
amount of outbound e-mail. You don't want to re-check for viruses or spam.
You might need separate queues or a separate configuration for the wire-tap
queue.  Of course, the back-end system may go down or get bogged down.

I envision a design where a separate sendmail listener is used to receive
the wiretap copies.  (But that's mostly because I'm currently doing virus
scanning with a commercial milter.)  I see "repairing" the from, to, and cc
headers to reflect what is really in the envelope and adding x-wiretap-xxx
headers to record what the original from, to, and cc headers were.  I'm
looking at using Net::SMTP for the wiretap.  Using the datasend() method,
it's easy to send the real, munged, or created headers.  The body can be
sent with $entity->stringify().  I suspect that stringify() is a bit
expensive, though.  It would be nice to use some sort of connection caching
on the SMTP connections to the wiretap, but I don't know if that's possible.

At any rate, it seems somewhat expensive to do a wiretap properly and anyone
requesting one should be asked to provide the additional mailserver resources.

Comments or flames on this design?




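As an added example (my own code, not part of the post above or of the MIMEDefang distribution), here is the header repair and Net::SMTP hand-off the post describes, written as a MIMEDefang filter fragment. The listener host and port, the archive mailbox, the empty return path and the X-Wiretap-* header names are assumptions; $Sender and @Recipients are MIMEDefang's envelope globals, and the sample message at the bottom is constructed for the stand-alone run.

```perl
use strict;
use warnings;
use MIME::Entity;
use Net::SMTP;

# MIMEDefang's envelope globals, declared here so this file compiles
# under strict (mimedefang.pl sets them before calling filter_end).
our ($Sender, @Recipients);

# Assumed values, not from the original post: a separate listener that
# does no virus/spam scanning, and the archive mailbox it delivers to.
my $WIRETAP_HOST        = '127.0.0.1';
my $WIRETAP_PORT        = 2525;
my $WIRETAP_MBOX        = '<wiretap@archive.example.com>';
my $WIRETAP_RETURN_PATH = '<>';   # a bounce of the copy must not reach the real sender

# Build the text of the wiretap copy: the original headers with From/To/Cc
# rewritten to the SMTP envelope, the original values kept in
# X-Wiretap-Orig-* headers, and the envelope itself in X-Wiretap-Envelope-*.
sub wiretap_message_text {
    my ($entity, $sender, @recipients) = @_;

    # Repair a copy of the header block; the live $entity is left untouched.
    my $head = $entity->head->dup;
    for my $tag (qw(From To Cc)) {
        for my $value ($head->get_all($tag)) {
            chomp $value;
            $head->add("X-Wiretap-Orig-$tag", $value);
        }
    }
    $head->replace('From', $sender);
    $head->replace('To', join(', ', @recipients));
    $head->delete('Cc');    # the envelope has no Cc; every RCPT TO is now in To
    $head->delete('Bcc');
    $head->add('X-Wiretap-Envelope-Sender', $sender);
    $head->add('X-Wiretap-Envelope-Recipient', $_) for @recipients;

    # Render the (possibly multipart) body once into a scalar.
    open my $fh, '>', \my $body or die "open in-memory file: $!";
    $entity->print_body($fh);
    close $fh;

    return $head->as_string . "\n" . $body;
}

# Hand the copy to the wiretap listener. Returns undef on success or an
# error string; the caller decides whether a lost copy is fatal.
# Net::Cmd's datasend does the CRLF conversion and dot-stuffing.
sub send_wiretap_copy {
    my ($text) = @_;
    my $smtp = Net::SMTP->new($WIRETAP_HOST, Port => $WIRETAP_PORT, Timeout => 30)
        or return "connect to $WIRETAP_HOST:$WIRETAP_PORT failed: $@";
    my $err;
    if    (!$smtp->mail($WIRETAP_RETURN_PATH)) { $err = 'MAIL FROM rejected: ' . $smtp->message }
    elsif (!$smtp->to($WIRETAP_MBOX))          { $err = 'RCPT TO rejected: '  . $smtp->message }
    elsif (!$smtp->data)                       { $err = 'DATA rejected: '     . $smtp->message }
    elsif (!$smtp->datasend($text))            { $err = 'datasend failed' }
    elsif (!$smtp->dataend)                    { $err = 'copy rejected: '     . $smtp->message }
    $smtp->quit;
    return $err;
}

# Hook in the MIMEDefang filter: archive a copy before the message leaves.
sub filter_end {
    my ($entity) = @_;
    my $err = send_wiretap_copy(wiretap_message_text($entity, $Sender, @Recipients));
    if (defined $err) {
        md_syslog('warning', "wiretap copy not delivered: $err");
        # action_tempfail(...) here if a lost copy must hold the real message.
    }
}

# Stand-alone check on a constructed sample message (nothing is sent):
unless (caller) {
    my $sample = MIME::Entity->build(
        From    => 'Spoofed Name <spoofed@example.com>',
        To      => 'someone-else@example.com',
        Cc      => 'cc@example.com',
        Subject => 'constructed sample',
        Data    => ["body line one\n", ".a line starting with a dot\n"],
    );
    print wiretap_message_text($sample, '<real.sender@example.com>',
                               '<rcpt1@example.net>', '<rcpt2@example.org>');
}
```

Two design choices worth noting: the copy goes out with an empty return path so that a bounce from the back-end mailbox never lands in the monitored sender's inbox, and the listener on the assumed port is where scanning is left switched off, so the copy is not re-checked for viruses or spam. Rendering the body into a scalar with print_body costs about the same as stringify(); Net::SMTP offers no connection caching, so this opens one connection per message, and a failure is returned rather than thrown so filter_end can choose between logging and tempfailing.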