antivirus & antispam software

Hello, All!

We're planning to include antivirus and antispam software in our Linux-based router. I'm researching this problem now. Can you recommend any open-source projects to look at? I believe antiviruses running on desktops/servers could be quite easily tuned for an embedded environment, or there may be some pitfalls?

I'll be happy to get any hints and advice. Thank you.

With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru

Roman Mashak

Hi Roman,

We run ClamAV and friends (frox, clamsmtp, pop3proxy etc) in our embedded units.


Its virus definition files are getting rather large as of late:

-rw-r--r-- 1 clamav nobody 580022 Sep 13 23:28 daily.cvd

-rw-r--r-- 1 clamav nobody 5858804 Sep 13 23:28 main.cvd

But other than that, it's fairly simple to implement.

Regards,

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  | Damion de Soto --------------------------------------------------
  | Software Engineer   email:  Damion_deSoto@au.securecomputing.com
  | Secure Computing Corporation web: http://www.securecomputing.com
  | fax:        +61 7 3891 3630   ph:                +61 7 3435 2809
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ----  Free Embedded Linux Distro at  http://www.snapgear.org  ----
Damion de Soto

Hello, Damion! You wrote on Thu, 14 Sep 2006 10:46:35 +1000:

DdS> Hi Roman,
??>> We're planning to include antivirus and antispam software in our Linux
??>> based router. I'm researching this problem now. Can you recommend any
??>> open-source projects to look for. I believe antiviruses running on
??>> desktops/servers could be almost easily tuned for embedded
??>> environment, or there may be some pifalls? I'll be happy to get any
??>> hints and advices. Thank you.
DdS> We run ClamAV and friends (frox, clamsmtp, pop3proxy etc) in our
DdS> embedded units.
DdS>

Thank you for the link. As I understood, you use postfix as MTA (clamsmtp filter). Have you had any problems with porting and tuning postfix on your target board?

With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru

Roman Mashak

How is the software going to decide which download or mail is supposed to be Spam or contain a virus?

For virus detection I suppose you need to use a (paid) service that updates the pattern file and the detection software on a regular basis.

I don't know if something like this exists for Spam detection. Otherwise you need to use a channel from the users to the router to have them define rules for Spam detection. Thunderbird is an open source project that does a fairly nice Spam detection based on automatically generated rules. Maybe you can look at its code.

A primary Spam filter mechanism is to start to send a mail to the sender of any mail and abort after the verification of the addressee. If the verification of the sender fails, the mail can be considered to be Spam.

-Michael

Michael Schnell

Hello, Michael! You wrote on Thu, 14 Sep 2006 10:23:04 +0200:

MS> How is the software going to decide which download or mail is supposed
MS> to be Spam or contain a virus ?

There are supposed to be two types of applications: one for checking mails for viruses, another for catching spam mails.

MS> For virus detection I suppose you need to use a (payed) service that
MS> updates the pattern file and the detection software on a regular basis.

MS> I don't know if something like this exists for Spam detection.
MS> Otherwise you need to use a channel from the users to the router to
MS> have them define rules for Spam detection. Thunderbird is an open
MS> source project that does a fairly nice Spam detection based on
MS> automatically generated rules. Maybe you can look at it's code.

MS> A primary Spam filter mechanism is to start to send a mail to the
MS> sender of any mail and abort after the verification of the addressee.
MS> If the verification of the sender fails, the mail can be considered to
MS> be Spam.

I think it'll result in significant overhead. I believe use of blacklists + dnsbl may give more benefits.

With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru

Roman Mashak

IMHO blacklists will not help at all. Re "sender" blacklists: mails with Spam or viruses always use fake senders. Blacklisting using the content results in the scenario I described in the previous mail.

What is dnsbl?

-Michael

Michael Schnell

Hello, Michael! You wrote on Thu, 14 Sep 2006 17:00:19 +0200:

??>> I think it'll result in significant overhead. I believe use of
??>> blacklists + dnsbl may give more benefits.

MS> IMHO blacklists will not help at all. Re "sender" blacklists: mails
MS> with Spam or viruses always use fake senders. Blacklisting using the
MS> content results in the scenario I described in the previous mail.

Blacklists also support regexps.

MS> What is dnsbl ?

It stands for "DNS-based Blackhole List": a list of hosts kept as DNS records. The mail server usually makes a query to one of the DNSBLs and checks the IP address of the sender.

With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru

Roman Mashak

For virus detection, there are several options - there is the open source ClamAV (already mentioned), or commercial programs. Of course, you'd have to pay for the commercial ones, and you'd have a lot more "fun" trying to get them to run in an embedded system. ClamAV works fine, and its database is updated regularly, although it can be a bit slow compared to other systems. The chances of valid emails being wrongly marked as viruses are very low.

For spam detection, you want something like SpamAssassin. However, here you have to give the users more control - presumably somewhere in the world there are people who actually want to receive offers for dodgy pills and the like. While it is common to reject virus emails utterly, it is normal to mark probable spam emails and pass them on so the user can easily sort them.

That can be worth doing, but only works for smtp incoming email. If typical users of your router do not have their own email server and hosting, then it doesn't help as the emails come via pop3.

One thing to think through very carefully is how to handle updates for your virus definitions, your virus checking software, your spam detection software, and any blacklists. Remember that for many of these, voluntary free sites are providing the bandwidth, so selling a commercial product that uses them may be questionable legally or ethically, unless you are using your own servers as proxies or channelling some of your profits back to those services (as money or bandwidth). You also have to consider the consequences if something goes wrong with one of these sites or the files they supply - using your own servers gives you a bit more control.

David Brown

Viruses usually spread themselves by reading the (Outlook-) Address lists of their victims and use one as an addressee and another as a sender. So the fake sender usually is existing and this method does not help. Spammers work similarly with their huge list of victims.

Thus IMHO implementing "DNS-based Blackhole List" in a router is not a good idea.

-Michael

Michael Schnell

Hello, Michael! You wrote on Fri, 15 Sep 2006 10:30:48 +0200:

??>> It stands for "DNS-based Blackhole List ". List of hosts kept as DNS
??>> records. Mail server usually makes query to one of DNSBL and checks
??>> IP-address of sender.

MS> Viruses usually spread themselves by reading the (Outlook-) Address
MS> lists of their victims and use one as an addressee and another as a
MS> sender. So the fake sender usually is existing and this method does not
MS> help. Spammers work similar with their huge list of victims.

The idea is to reject mails coming from IP addresses found in a DNSBL. According to messages on various mailing lists this method effectively kills up to 90% of spam.

MS> Thus IMHO implementing "DNS-based Blackhole List" in a router is not a
MS> good idea.

With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru

Roman Mashak

Hello, Michael! You wrote on Fri, 15 Sep 2006 10:30:48 +0200:

??>> It stands for "DNS-based Blackhole List ". List of hosts kept as DNS
??>> records. Mail server usually makes query to one of DNSBL and checks
??>> IP-address of sender.

MS> Viruses usually spread themselves by reading the (Outlook-) Address
MS> lists of their victims and use one as an addressee and another as a
MS> sender. So the fake sender usually is existing and this method does not
MS> help. Spammers work similar with their huge list of victims.

MS> Thus IMHO implementing "DNS-based Blackhole List" in a router is not a
MS> good idea.

What is your suggestion? Do you use any spam-killing software in embedded units? If so, please share details.

With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru

Roman Mashak

A useful way to limit the damage of viruses is for the firewall to block all smtp traffic by default, and then open a hole to your ISP's smtp server. Viruses typically try to send out copies by smtp directly, rather than going via your email client's normal smtp setup, to avoid your ISP blocking you off.

David Brown
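David's default-deny SMTP egress rule, as an added example that is not code from the thread: the iptables FORWARD rules a Linux router would install for it (allow TCP/25 only to the ISP's relay, log and drop the rest), a one-line model of the decision those rules make, and a small parser over kernel LOG lines that reports LAN hosts trying to deliver mail directly to several different servers, which is the mass-mailer behaviour the post describes. The interface name lan0, the relay address 203.0.113.25 and the log lines are assumed or constructed for the example.

```python
"""Default-deny outbound SMTP on a Linux router (added example, not from the thread).

The router forwards TCP/25 from the LAN only to the ISP's relay; every other
outbound SMTP attempt is logged (rate limited) and dropped. The log then
doubles as a detection source: a LAN host opening port 25 to several
different servers is delivering mail directly, which is what a mass mailer
does to get around the ISP's relay.
"""
import re
from collections import defaultdict
from typing import Dict, List

LAN_IF = "lan0"             # assumed LAN interface name
ISP_RELAY = "203.0.113.25"  # assumed ISP relay (documentation-range address)


def smtp_egress_rules(lan_if: str = LAN_IF, isp_relay: str = ISP_RELAY) -> List[str]:
    """iptables FORWARD rules, in insertion order (first match wins)."""
    return [
        # 1. Let the LAN reach the ISP relay on port 25.
        f"iptables -A FORWARD -i {lan_if} -p tcp -d {isp_relay} --dport 25 -j ACCEPT",
        # 2. Log the SYN of any other outbound SMTP connection, rate limited so a
        #    worm cannot flood the log ...
        f"iptables -A FORWARD -i {lan_if} -p tcp --dport 25 --syn "
        f"-m limit --limit 6/min -j LOG --log-prefix \"SMTP-DIRECT: \"",
        # 3. ... and drop everything else that is headed for port 25.
        f"iptables -A FORWARD -i {lan_if} -p tcp --dport 25 -j DROP",
    ]


def policy_decision(dst_ip: str, dport: int, isp_relay: str = ISP_RELAY) -> str:
    """What the rules above do with one forwarded connection."""
    if dport != 25:
        return "PASS"  # not SMTP, untouched by these rules
    return "ACCEPT" if dst_ip == isp_relay else "DROP"


# Constructed kernel log lines in the shape the LOG target produces.
CONSTRUCTED_LOG = """\
Sep 14 10:46:35 router kernel: SMTP-DIRECT: IN=lan0 OUT=wan0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=3411 DPT=25 SYN
Sep 14 10:46:36 router kernel: SMTP-DIRECT: IN=lan0 OUT=wan0 SRC=192.168.1.23 DST=203.0.113.77 PROTO=TCP SPT=3412 DPT=25 SYN
Sep 14 10:47:01 router kernel: SMTP-DIRECT: IN=lan0 OUT=wan0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP SPT=3413 DPT=25 SYN
Sep 14 10:52:10 router kernel: SMTP-DIRECT: IN=lan0 OUT=wan0 SRC=192.168.1.40 DST=198.51.100.2 PROTO=TCP SPT=1025 DPT=25 SYN
Sep 14 10:53:44 router kernel: OTHER: IN=lan0 OUT=wan0 SRC=192.168.1.40 DST=198.51.100.2 PROTO=TCP SPT=1026 DPT=80 SYN
"""

LOG_RE = re.compile(r"SMTP-DIRECT: .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)")


def direct_smtp_offenders(log_text: str, min_targets: int = 2) -> Dict[str, int]:
    """Map LAN source -> number of distinct SMTP servers it tried to reach,
    keeping only sources at or above `min_targets`.

    One blocked destination is usually a misconfigured mail client; several
    distinct ones in a short time is the fan-out of a mass mailer.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(3) == "25":
            targets[m.group(1)].add(m.group(2))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    print("\n".join(smtp_egress_rules()))
    print(direct_smtp_offenders(CONSTRUCTED_LOG))
```

The rules only cover port 25; a LAN that submits mail on port 587 to the same relay needs a matching ACCEPT line, and the log-then-drop order matters because iptables stops at the first matching terminating target.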

Hi Roman,

No, we don't use any postfix on the embedded unit itself. clamsmtp just proxies all smtp traffic from the client to the real smtp (postfix) server.

I'll also add, we're looking at implementing a dnsbl system for spamfiltering in the future - it will be proprietary though, since it comes from our recent CipherTrust acquisition.

regards,

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  | Damion de Soto --------------------------------------------------
  | Software Engineer   email:  Damion_deSoto@au.securecomputing.com
  | Secure Computing Corporation web: http://www.securecomputing.com
  | fax:        +61 7 3891 3630   ph:                +61 7 3435 2809
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ----  Free Embedded Linux Distro at  http://www.snapgear.org  ----
Damion de Soto

Any hint what criteria this system uses to identify Spam?

-Michael

Michael Schnell

If client is Windows == 99% it's a spam ;)

Results of my test (done with p0f) - all here are spam sources:

1315 Windows
 157 UNKNOWN
  34 Linux
   3 Solaris
   3 NetCache
   2 FreeBSD
   1 Novell

pisz_na.mirekx

Avast Michael,

I don't actually know anything about it yet. The website is probably more useful than my brain.

regards,

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  | Damion de Soto --------------------------------------------------
  | Software Engineer   email:  Damion_deSoto@au.securecomputing.com
  | Secure Computing Corporation web: http://www.securecomputing.com
  | fax:        +61 7 3891 3630   ph:                +61 7 3435 2809
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  ----  Free Embedded Linux Distro at  http://www.snapgear.org  ----

Damion de Soto

Damion de Soto wrote:
> Avast Michael,

There they state:

IronMail was the first product to integrate and correlate signature- and content-based techniques into a single, combined detection engine. IronMail's Message Profiler technology uses a variety of detection techniques to examine over 1000 characteristics of a message, which creates a precise score for each message in order to determine the probability that a message is spam or some other threat.

So IMHO it's quite obvious that the device needs a large database of "characteristics" (patterns). These need to be updated, either by importing them (e.g. as a paid service from CipherTrust) or by constructing them from user input about what mail is supposed to be Spam.

-Michael

Michael Schnell
