We're planning to include antivirus and antispam software in our Linux based router. I'm researching this problem now. Can you recommend any open-source projects to look at? I believe antiviruses running on desktops/servers could be fairly easily tuned for an embedded environment, or there may be some pitfalls?
I'll be happy to get any hints and advice. Thank you.
With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru
Hello, Damion! You wrote on Thu, 14 Sep 2006 10:46:35 +1000:
DdS> Hi Roman,
??>> We're planning to include antivirus and antispam software in our Linux
??>> based router. I'm researching this problem now. Can you recommend any
??>> open-source projects to look at? I believe antiviruses running on
??>> desktops/servers could be fairly easily tuned for an embedded
??>> environment, or there may be some pitfalls? I'll be happy to get any
??>> hints and advice. Thank you.
DdS> We run ClamAV and friends (frox, clamsmtp, pop3proxy etc) in our
DdS> embedded units.
Thank you for the link. As I understood, you use postfix as MTA (clamsmtp filter). Have you had any problems porting and tuning postfix on your target board?
With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru
How is the software going to decide which download or mail is supposed to be Spam or contain a virus ?
For virus detection I suppose you need to use a (paid) service that updates the pattern file and the detection software on a regular basis.
I don't know if something like this exists for Spam detection. Otherwise you need to use a channel from the users to the router to have them define rules for Spam detection. Thunderbird is an open source project that does a fairly nice Spam detection based on automatically generated rules. Maybe you can look at its code.
A primary Spam filter mechanism is to start to send a mail to the sender of any mail and abort after the verification of the addressee. If the verification of the sender fails, the mail can be considered to be Spam.
Hello, Michael! You wrote on Thu, 14 Sep 2006 10:23:04 +0200:
MS> How is the software going to decide which download or mail is supposed
MS> to be Spam or contain a virus ?
There are supposed to be two types of applications: one for checking mails for viruses, another for catching spam mails.
MS> For virus detection I suppose you need to use a (paid) service that
MS> updates the pattern file and the detection software on a regular basis.
MS> I don't know if something like this exists for Spam detection.
MS> Otherwise you need to use a channel from the users to the router to
MS> have them define rules for Spam detection. Thunderbird is an open
MS> source project that does a fairly nice Spam detection based on
MS> automatically generated rules. Maybe you can look at its code.
MS> A primary Spam filter mechanism is to start to send a mail to the
MS> sender of any mail and abort after the verification of the addressee.
MS> If the verification of the sender fails, the mail can be considered to
MS> be Spam.
I think it'll result in significant overhead. I believe use of blacklists + dnsbl may give more benefits.
With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru
IMHO blacklists will not help at all. Re "sender" blacklists: mails with Spam or viruses always use fake senders. Blacklisting using the content results in the scenario I described in the previous mail.
Hello, Michael! You wrote on Thu, 14 Sep 2006 17:00:19 +0200:
??>> I think it'll result in significant overhead. I believe use of
??>> blacklists + dnsbl may give more benefits.
MS> IMHO blacklists will not help at all. Re "sender" blacklists: mails
MS> with Spam or viruses always use fake senders. Blacklisting using the
MS> content results in the scenario I described in the previous mail.
Blacklists also support regexps.
MS> What is dnsbl ?
It stands for "DNS-based Blackhole List": a list of hosts kept as DNS records. A mail server usually queries one of the DNSBLs and checks the IP address of the sender.
With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru
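The DNSBL lookup just described, as an added example that is not from any poster in this thread: the connecting client's address is reversed, the list's zone is appended, and the A record that comes back says whether the host is listed. The zones, client addresses and return codes are constructed placeholders, and the resolver is a stub so the code runs offline; it also handles the two things that bite in practice, a list that times out (fail open, but flag it) and a zone that answers outside 127.0.0.0/8 (RFC 5782 says such answers are bogus).

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed stand-in for DNS so the example runs offline: the zones, client
# addresses (RFC 5737 test ranges) and return codes are all made up here.
# A value of [] means NXDOMAIN (not listed); None means the lookup failed.
FAKE_DNS: Dict[str, Optional[List[str]]] = {
    "4.113.0.203.bl.example.net": ["127.0.0.2"],      # listed as a spam source
    "10.100.51.198.bl.example.net": [],               # NXDOMAIN: not listed
    "10.100.51.198.dul.example.org": ["127.0.0.10"],  # listed: dynamic-IP pool
    "9.100.51.198.bl.example.net": None,              # simulated lookup timeout
    "7.100.51.198.bl.example.net": ["203.0.113.1"],   # bogus answer (wildcarded zone)
}

def fake_resolve(name: str) -> Optional[List[str]]:
    return FAKE_DNS.get(name, [])

# Never look up LAN/loopback clients: public lists know nothing about them and
# the query would leak internal addresses to a third party.
SKIP = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
        "192.168.0.0/16", "127.0.0.0/8", "fc00::/7", "::1/128")]

def dnsbl_query_name(ip: str, zone: str) -> str:
    """Reverse the address (octets, or nibbles for IPv6) and append the zone."""
    rev = ipaddress.ip_address(ip).reverse_pointer   # e.g. 4.113.0.203.in-addr.arpa
    return f"{rev.rsplit('.', 2)[0]}.{zone}"         # drop .in-addr.arpa / .ip6.arpa

def lookup(ip: str, zones: List[str], resolve=fake_resolve):
    """Return (listings, unusable_zones); a listing is a (zone, return code) pair."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in SKIP):
        return [], []
    listings, errors = [], []
    for zone in zones:
        answer = resolve(dnsbl_query_name(ip, zone))
        if answer is None:
            errors.append(zone)
            continue
        for code in answer:
            # RFC 5782: real answers sit inside 127.0.0.0/8; anything else = broken/hijacked zone
            if ipaddress.ip_address(code) in ipaddress.ip_network("127.0.0.0/8"):
                listings.append((zone, code))
            else:
                errors.append(zone)
    return listings, errors

def smtp_verdict(ip: str, zones: List[str], resolve=fake_resolve) -> str:
    """Reject on any listing; fail open (but flag it) when a list is unreachable."""
    listings, errors = lookup(ip, zones, resolve)
    if listings:
        return "reject"
    return "accept-unverified" if errors else "accept"
```

For a real deployment replace `fake_resolve` with a function that performs the A query against the router's resolver, and treat "accept-unverified" as a counter worth monitoring: a sustained run of them means the list you depend on is down.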
For virus detection, there are several options - there is the open source ClamAV (already mentioned), or commercial programs. Of course, you'd have to pay for the commercial ones, and you'd have a lot more "fun" trying to get them to run in an embedded system. ClamAV works fine, and its database is updated regularly, although it can be a bit slow compared to other systems. The chances of valid emails being wrongly marked as viruses are very low.
For spam detection, you want something like SpamAssassin. However, here you have to give the users more control - presumably somewhere in the world there are people who actually want to receive offers for dodgy pills and the like. While it is common to reject virus emails utterly, it is normal to mark probable spam emails and pass them on so the user can easily sort them.
That can be worth doing, but only works for smtp incoming email. If typical users of your router do not have their own email server and hosting, then it doesn't help as the emails come via pop3.
One thing to think through very carefully is how to handle updates for your virus definitions, your virus checking software, your spam detection software, and any blacklists. Remember that for many of these, voluntary free sites are providing the bandwidth, so selling a commercial product that uses them may be questionable legally or ethically, unless you are using your own servers as proxies or channelling some of your profits back to those services (as money or bandwidth). You also have to consider the consequences if something goes wrong with one of these sites or the files they supply - using your own servers gives you a bit more control.
Viruses usually spread themselves by reading the (Outlook-) Address lists of their victims and use one as an addressee and another as a sender. So the fake sender usually exists and this method does not help. Spammers work similarly with their huge lists of victims.
Thus IMHO implementing "DNS-based Blackhole List" in a router is not a good idea.
Hello, Michael! You wrote on Fri, 15 Sep 2006 10:30:48 +0200:
??>> It stands for "DNS-based Blackhole List": a list of hosts kept as DNS
??>> records. A mail server usually queries one of the DNSBLs and checks the
??>> IP address of the sender.
MS> Viruses usually spread themselves by reading the (Outlook-) Address
MS> lists of their victims and use one as an addressee and another as a
MS> sender. So the fake sender usually exists and this method does not
MS> help. Spammers work similarly with their huge lists of victims.
The idea is to reject mails coming from IP addresses found in a DNSBL. According to messages on various mailing lists this method effectively kills up to 90% of spam.
MS> Thus IMHO implementing "DNS-based Blackhole List" in a router is not a
MS> good idea.
With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru
Hello, Michael! You wrote on Fri, 15 Sep 2006 10:30:48 +0200:
??>> It stands for "DNS-based Blackhole List": a list of hosts kept as DNS
??>> records. A mail server usually queries one of the DNSBLs and checks the
??>> IP address of the sender.
MS> Viruses usually spread themselves by reading the (Outlook-) Address
MS> lists of their victims and use one as an addressee and another as a
MS> sender. So the fake sender usually exists and this method does not
MS> help. Spammers work similarly with their huge lists of victims.
MS> Thus IMHO implementing "DNS-based Blackhole List" in a router is not a
MS> good idea.
What is your suggestion? Do you use any spam-killing software in embedded units? If so, please share details.
With best regards, Roman Mashak. E-mail: snipped-for-privacy@tusur.ru
A useful way to limit the damage of viruses is for the firewall to block all smtp traffic by default, and then open a hole to your ISP's smtp server. Viruses typically try to send out copies by smtp directly, rather than going via your email client's normal smtp setup, to avoid your ISP blocking you off.
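The default-deny SMTP policy suggested above, as an added example that is not from any poster in this thread. The LAN interface name and the ISP relay address are constructed placeholders; the function prints the iptables rules rather than applying them, so the policy can be reviewed and so the script runs on a box without iptables. The LOG rule before the REJECT is the detection side of the same idea: a LAN host that keeps tripping it is delivering mail directly to remote exchangers, which is how a mass-mailing worm behaves.

```shell
#!/bin/sh
# Assumed values (constructed placeholders): the router's LAN-side interface and
# the ISP's SMTP relay.  Override them in the environment when deploying.
LAN_IF="${LAN_IF:-eth1}"
ISP_SMTP="${ISP_SMTP:-192.0.2.25}"

# Print the rule set instead of applying it.  Order matters: the ISP relay is
# accepted first, everything else on port 25 is logged (rate-limited) and then
# reset.  Only port 25 is diverted; authenticated submission on 587/465 to the
# user's own mail provider is left alone.
smtp_rules() {
    cat <<EOF
iptables -N SMTP_OUT
iptables -A FORWARD -i $LAN_IF -p tcp --dport 25 -j SMTP_OUT
iptables -A SMTP_OUT -d $ISP_SMTP -p tcp --dport 25 -j ACCEPT
iptables -A SMTP_OUT -m limit --limit 6/min -j LOG --log-prefix "SMTP-DIRECT: "
iptables -A SMTP_OUT -p tcp -j REJECT --reject-with tcp-reset
EOF
}

# Apply the reviewed rules on the router itself (needs root and iptables).
apply_smtp_rules() {
    smtp_rules | sh -e
}
```

Watch the kernel log for the "SMTP-DIRECT:" prefix; the source address in those entries is the LAN host worth checking.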
No, we don't use any postfix on the embedded unit itself. clamsmtp just proxies all smtp traffic from the client to the real smtp (postfix) server.
I'll also add, we're looking at implementing a dnsbl system for spam filtering in the future - it will be proprietary though, since it comes from our recent CipherTrust acquisition.
IronMail was the first product to integrate and correlate signature- and content-based techniques into a single, combined detection engine. IronMail's Message Profiler technology uses a variety of detection techniques to examine over 1000 characteristics of a message, which creates a precise score for each message in order to determine the probability that a message is spam or some other threat.
So IMHO it's quite obvious that the device needs a large database of "characteristics" (patterns). These need to be updated, either by importing them (e.g. as a paid service from CipherTrust) or by constructing them from user input about what mail is supposed to be Spam.