[Mimedefang] filter based on From/To headers?

Michael Sims michaels at crye-leike.com
Wed May 5 18:02:22 EDT 2004


Kelsey Cummings wrote:
> On Wed, May 05, 2004 at 04:10:46PM -0500, Michael Sims wrote:
>> Kelsey Cummings wrote:
>>> I need to check for 'invalid' From and To headers in our inbound
>>> email (primarily to catch spam that inserts
>>> 'JUNK at mail_server_hostname' into either header.)  Does anyone have
>>> an example of how they did this or pointers on where to wedge it in?
>>
>> You basically need to open and traverse the "HEADERS" file that will
>> be in the current working directory during each slave's call to
[...]
> Thanks.  I was hoping that all of the headers would already be
> available in process and that I wouldn't have to use IO to read them
> in.

If your MIMEDefang spool directory is mounted on a tmpfs (or some other type of RAM
disk) then the IO overhead should be negligible.  At least this has been my
experience.  We recently added a hardware IDS that also does all kinds of stateful
inspection, and one of the things it does is virus filtering by monitoring any SMTP
conversations and essentially hijacking them if it detects malicious content.  It
removes the infected part and replaces it with a warning message.  When we added
this device I added code to my mimedefang-filter to look for the warning message,
and this code traverses the work directory looking for a part that is in a specific
size range, then opens that part and parses the text looking for the warning.  This
code is executed for every single message, yet when I added it I could tell no
difference in the load on the server or the amount of time the slave took to process
the message.

Of course if your spool directory is on a physical disk then the overhead could be
substantial...

___________________________________________
Michael Sims
Project Analyst - Information Technology
Crye-Leike Realtors
Office: (901)758-5648  Pager: (901)769-3722
___________________________________________
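
The HEADERS-file check discussed in this thread, sketched as an added example (not code from the original post or from the MIMEDefang distribution). It assumes HEADERS holds one unfolded header per line, as the mimedefang-filter documentation describes; the host name mail.example.com and the helper name find_forged_local_header are placeholders.

```perl
# Fragment for mimedefang-filter (added example; names below are assumptions).
use strict;
use warnings;

# Assumption: the server host name that spam forges into From/To, and that
# no legitimate sender or recipient address uses it. Replace with your own.
my $LOCAL_HOST = 'mail.example.com';

# Hypothetical helper: scan the HEADERS file and return the first From/To
# header whose address ends in @$LOCAL_HOST, or undef if none does.
sub find_forged_local_header {
    my ($path) = @_;
    # If the file cannot be read, give no verdict rather than reject mail.
    open(my $fh, '<', $path) or return undef;
    my $hit;
    while (my $line = <$fh>) {
        chomp $line;
        next unless $line =~ /^(From|To):\s*(.*)$/i;
        my ($name, $value) = ($1, $2);
        # Match user@host only when the domain is exactly the server name,
        # so mail.example.com.other.net or xmail.example.com do not match.
        if ($value =~ /[^\s<>"\@,]+\@\Q$LOCAL_HOST\E(?![\w.-])/i) {
            $hit = "$name: $value";
            last;
        }
    }
    close($fh);
    return $hit;
}

# filter_begin runs once per message, with the message's working directory
# as the current directory, so a relative path to HEADERS is enough.
sub filter_begin {
    my $hit = find_forged_local_header('./HEADERS');
    if (defined $hit) {
        md_syslog('info', "Forged local address in header: $hit");
        return action_bounce('Invalid address in From/To header');
    }
    return;
}

1;
```

Mail generated on the server itself (cron output from root at the host name, for example) would also match, so exempt local relays before rejecting if such mail passes through the filter.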


