%******************************************************************************************
%******************************************************************************************

Copfilter - a virus and spam filtering IPCop addon

Copyright (c) 2005 Markus Madlener

Permission is granted to copy, distribute and/or modify this document under the terms of
the GNU Free Documentation License, Version 1.2 or any later version published by the
Free Software Foundation; with no Invariant Sections, no Front-Cover Texts, and no
Back-Cover Texts. A copy of the license is included in the section entitled
"GNU Free Documentation License".

Copfilter is distributed under the terms of the GNU General Public License.

This software is supplied AS IS. Copfilter disclaims all warranties, expressed or implied,
including, without limitation, the warranties of merchantability and of fitness for any
purpose. Copfilter assumes no liability for damages, direct or consequential, which may
result from the use of this software.

%******************************************************************************************
%******************************************************************************************
Introduction

Copfilter's main goal is to provide a free and easy to use solution to filter and scan
traffic from any unsecure network, like the internet, for viruses and spam. It has been
designed as a preconfigured and easy to install addon for an IPCop firewall.

Copfilter is a package of various opensource traffic filtering software and tools,
customized and built to work together smoothly. All included proxies filter traffic
transparently, which means that no client reconfiguration is necessary.

It scans POP3 and SMTP emails for viruses and spam. Instead of a virus infected email,
users will receive a virus notification message containing details about the originally
sent email, which can also be quarantined if desired.

Spam emails will be tagged as spam by inserting the following text into the subject field:
  *** SPAM ***
With this procedure any email client will be able to use its own message filtering rules
to automatically delete or move these spam messages into a different folder for a later
review.

HTTP and FTP traffic will also be scanned for viruses. If a virus is found, access to that
web page or file will be denied.

%******************************************************************************************
IPCop Firewall

IPCop is an opensource Linux Firewall Distribution project. Its main goal is to provide a
secure and stable Firewall, which is easy to configure and maintain. IPCop has a
webinterface and it provides easy upgrade and patch management. Depending on the used
hardware and user experience, IPCop can be installed and configured in a matter of about
15 minutes or less.

Main ipcop features:
* secure, stable and highly configurable Linux based firewall
* runs on Uni and Multi-processor systems
* Iptables based firewall
* Build system uses LFS (Linux from Scratch)
* Easy configuration through the Web-based GUI Administration System (ssl secured)
* CPU/Memory/Disk/Traffic Graphs, System/Proxy/Firewall Logs
* IPCop Linux Updates Area
* backup/restore configuration
* Built with ProPolice to prevent stack smashing attacks in all applications.
* Multiple language support
* HTTP Web Proxy (Squid) to speed up web access
* SSH server for Remote Access
* DHCP server - provides dhcp services to its clients
* NTP Server - provides time services to its clients
* Caching DNS to help speed up Domain Name queries
* Intrusion detection (Snort) to detect external attacks on your network
* IPSec based VPN Support (FreeSWAN) with x509 certificates
* Traffic Shaping capabilities to prioritize network traffic
* TCP/UDP port forwarding
* Port Address Translation, which is a type of Network Address Translation (NAT)
  http://de.wikipedia.org/wiki/Network_Address_Translation
* DMZ Pinhole support
* Dynamic DNS Support (dyndns.org, no-ip.com, zoneedit.com, ..)

Interface support - up to 4 network adapters, partitioning your network into 4 zones:
* GREEN  - internal safe network which is protected from the Internet
* BLUE   - wireless network for WLAN clients
* ORANGE - DMZ (demilitarized zone) for publicly accessible servers, partially protected
           from the Internet
* RED    - internet, unsafe network (ISP)
* External RED interface supports Analog/ISDN/ADSL modem
* supports PPP, PPTP, PPPoE, Ethernet
* DHCP client - IPCop is able to obtain its IP address from your ISP

For more information please visit the ipcop website at http://www.ipcop.org
An installation manual can be found at http://www.ipcop.org/1.4.0/en/install/html

Network diagram:

   Internet servers       IPCop Firewall            Workstation clients
                          with Copfilter
   +-------+              +---------------+         +----------------+
   | POP3  |   Internet   | RED     GREEN |  LAN1   |                |
   | SMTP  |--------------|               |---------|                |
   | HTTP  |              |               |         |                |
   | FTP   |              | ORANGE   BLUE |  LAN2   +----------------+
   +-------+              +---------------+---------|                |
                                 |                  | Wireless       |
                                 |                  | Clients        |
                          +--------------+          +----------------+
                          | DMZ Machines |
                          +--------------+
                          example: SMTP server for incoming emails

ipcop review in German: http://www.heise.de/security/artikel/38011

%******************************************************************************************
Copfilter Features

Email Scanning:
- Virus and Spam scanning of incoming POP3 emails
- Virus and Spam scanning of incoming and outgoing SMTP emails
- Email sanitizing by removing dangerous html tags from HTML email messages
- Attachment scanning by renaming dangerous attachments (.pif .vbs ..) from email messages
- Adds a note to every email header indicating that the email was scanned
- Email discarding and/or quarantining, depending on a predefined spam score level or if a
  virus was found

Internet traffic Scanning:
- Virus scanning of HTTP traffic, with no "trickle" effect, but continuous, non-blocking
  downloads
- Virus scanning of FTP traffic, with "trickle effect": a download delay is noticeable
  (the file gets downloaded and scanned in the background, while the browser only receives
  a few bytes until the complete file has been scanned)
- Removes ads, banners, pop-ups and other obnoxious Internet junk from HTTP Traffic

Network:
- All services work transparently, no re-configuration on any client is necessary !!
- Highly configurable, scanning can be turned on or off for every attached network
- Any type of email client (Outlook, Thunderbird, Evolution, ..) on any OS
  (Win32, Linux, MacOS, ..) can be used
- (RED) IP Alias support for mail server MX entries other than the default assigned ip address

Monitoring:
- Detailed information about every installed service (cpu/mem usage, uptime etc)
- Service monitoring, if a service should fail, it will automatically be restarted
  (with email notification)
- Individual Service control - start/stop every service from the monitoring webgui

Administration and Management:
- Copfilter AntiSpam whitelist management through webgui and by sending an email
  (with predefined commands) (spam scanning will be skipped on the reply emails)
- Automatic outgoing email whitelisting, adds the recipient (To: field) email address of an
  outgoing email to the whitelist; if a reply email to the original email arrives, spam
  scanning will be skipped
- Copfilter Daily Spam Digest recipient management through webgui
- Ability to automatically download spam and ham emails from an imap folder to train the
  integrated Bayesian filter (dramatically improves spam recognition, important for false
  positives and false negatives)
- HTTP Whitelist management through a configuration file
- Uninstall, backup, restore and restore-to-default-configuration capability
- Virus and Spam Quarantine, option to resend, delete messages and/or add the sender email
  address to the whitelist
- Customizable levels of when email messages should be quarantined or discarded
- Ability to send test virus/spam/bad attachment emails directly from the webgui to test
  Copfilter functionality
- Links to test http and ftp viruses are included as well
- Copfilter installation and configuration can be done in less than 5 minutes: just copy the
  installation file to the ipcop firewall, extract and execute the included install script
  (no ipcop addon server required)
- Based on the Linux Firewall Distribution IPCop which is very easy to install: download the
  iso, burn the cd, answer a few screens and your new firewall is up and running in less
  than 15 minutes !
- Detailed documentation
- Easy to use and highly configurable web-based graphical user interface (webgui)
- Free, opensource and GPL licensed :-)

Updates:
- Automatic AntiVirus signature updates
- Automatic AntiSpam ruleset updates
- Latest available Copfilter version is displayed in the webgui (the webgui retrieves this
  information by reading the http://www.copfilter.org website)

User Notification emails:
- Instead of a virus infected email, the user receives a notification that a virus infected
  email has been sent to him, including details like sender, subject, email header, etc. of
  the original message
- Optionally sends a copy of these user notifications to an administrator
- All Spam messages will be tagged in the subject: *** SPAM *** for further client processing
- Daily digest containing all sender email addresses of all received spam in 24h; optionally
  a user can send an email to automatically add an email address to the whitelist

Email Reports (for the System Administrator) about:
- Virus signature updates
- Antispam ruleset updates
- Imap BAYES Training results
- Failed services and if the automatic restart has been successful

Software:
- Only uses opensource software (except for the optional virus scanner f-prot)
- Enhanced spam capabilities: Bayesian filtering, spam rulesets, razor, dcc, SURBL and
  DNS Blocklists
- Is able to use an open source AND / OR a commercial virus scanner
  For POP3, SMTP, FTP: ClamAV and/or F-Prot / For HTTP: ClamAV only
- All proxies run as a non-root user
- Init scripts included which can start/stop/reconfigure the proxies (some can be started
  in debug mode)
- Log directory with log files from all services (accessible through webgui)
- Supports multiple languages based on the ipcop language setting; the available languages
  depend on translations which have already been done

%******************************************************************************************
Licensing

Copfilter is licensed under the terms of the GNU General Public License Version (GPL).
Its documentation is licensed under the terms of the GNU Free Documentation License
Version (GFDL).

GNU General Public License Version 2, June 1991
  http://www.gnu.org/copyleft/gpl.html
  Unofficial German translation: http://www.gnu.de/gpl-ger.html

GNU Free Documentation License Version 1.2, November 2002
  http://www.gnu.org/copyleft/fdl.html
  Unofficial German translation (Version 1.1): http://nautix.sourceforge.net/docs/fdl.de.html

%******************************************************************************************
Security

From a security point of view, adding filters, virus scanners and proxies to the firewall
will highly reduce the firewall's overall security. Every additional application or
software on a firewall could be a potential security hole. That's why the main target
audience for copfilter is the average home user or a smaller business with a lower demand
for security than a huge corporate network serving hundreds of clients, although depending
on their security requirements, copfilter may serve them as well.

Copfilter is NOT an official ipcop addon. It has not been approved or reviewed by the ipcop
development team. It comes with NO warranty or guarantee, so it should be used at
everyone's own risk. Copfilter adds firewall rules, proxies, filters and virus scanners to
the ipcop machine, which reduces security !

I am sure that there are lots of ways to break Copfilter, so if security is an issue, it
should NOT be used.

%******************************************************************************************
Requirements

SW: Ipcop version 1.4.x
HW: recommended minimum hardware: a cpu with 350 MHz, 256MB RAM
    if no spam filtering is used then a machine with 128MB ram should be sufficient
    If a faster machine is being used, email scanning and traffic filtering will be faster
    as well.
%******************************************************************************************
Short description of the software being used within copfilter

P3Scan         - a transparent pop3 proxy server
ProxSMTP       - a transparent smtp proxy server
HAVP           - a transparent http proxy server (HTTP Antivirus Proxy) with continuous,
                 non-blocking downloads and smooth scanning of dynamic and password
                 protected HTTP traffic
frox           - a transparent ftp proxy server
Privoxy        - a http proxy with advanced filtering capabilities for protecting privacy,
                 managing cookies, controlling access, and removing ads, banners, pop-ups
                 and other obnoxious Internet junk
Clam AntiVirus - a GPL virus scanner with built-in support for Zip, Gzip, Bzip2 and
                 automatic updating
F-Prot Antivir - for Linux Workstations (free for home users); this virus scanner is not
                 included, but supported!
F-Prot Antivir - for x86 Mail Servers (corporate use); this virus scanner is not included,
                 but supported!
SpamAssassin   - a mail filter to identify spam
Vipul's Razor  - a distributed, collaborative, spam detection and filtering network, used
                 by spamassassin
DCC            - a cooperative, distributed system intended to detect "bulk" mail
renattach      - a stream filter that can identify and rename potentially dangerous e-mail
                 attachments
RulesDuJour    - a bash script which automatically downloads new versions of SpamAssassin
                 rulesets
monit          - Monitoring Utility - automatically restarts a failed service, includes a
                 service manager

*** Software versions as of this writing 2007-11-09

main programs:
  P3Scan        pop3 proxy       2.2.1     http://p3scan.sourceforge.net
  ProxSMTP      smtp proxy       1.6       http://memberwebs.com/nielsen/software/proxsmtp
  HAVP          http proxy       0.86      http://havp.sourceforge.net
  frox          ftp proxy        0.7.18    http://frox.sourceforge.net
  Privoxy       webfilter        3.0.6     http://www.privoxy.org
  SpamAssassin  spamtool         3.2.3     http://www.spamassassin.org

tools used by the main programs:
  webuserprefs  webgui           0.6       http://sourceforge.net/projects/webuserprefs
  php           scripting lng    4.4.7     http://www.php.net
  Razor         spamtool         2.84      http://razor.sourceforge.net
  DCC           spamtool         1.3.64    http://www.rhyolite.com/anti-spam/dcc
  renattach     attachment rm    1.2.4     http://www.pc-tools.net/unix/renattach
  #P3pmail      mail sanitizer   1.3       http://p3scan.sourceforge.net/#p3pmail
  #Anomy        mail sanitizer   1.70      http://mailtools.anomy.net
  ripmime       mail ripper      1.4.0.7   http://www.pldaniels.com/ripmime
  formail       mail formatter   1.102     http://www.procmail.org
  altermime     mime modifier    0.3.7     http://www.pldaniels.com/altermime
  monit         monitoring       4.9       http://www.tildeslash.com/monit
  ClamAV        virusscanner     0.91.2    http://clamav.sourceforge.net
  F-Prot        virusscanner     4.6.4
  AVG           virusscanner     7.1.14

  fprot home use       http://www.f-prot.com/products/home_use/linux
  fprot corporate use  http://www.f-prot.com/products/corporate_users/unix/linux/mailserver.html
  fprot prices         http://www.f-prot.com/products/prices/price_unix_ms.html
  avg home use         http://free.grisoft.com/doc/20/lng/us/tpl/v5
  avg corporate use    http://www.grisoft.com/doc/linux/lng/us/tpl/tpl01?prd=lms.10.0.0
  avg prices           http://www.grisoft.com/doc/pricelist/lng/us/tpl/tpl01?prd=lms

clients:
  fetchmail     pop3 client      6.2.5     http://www.catb.org/~esr/fetchmail/
  SMTPclient    smtp client      1.0.0     ftp://ftp.ossp.org/pkg/tool/smtpclient/smtpclient-1.0.0.tar.gz
  sendEmail     smtp client      1.55      http://caspian.dotconf.net/menu/Software/SendEmail
  wget          http dl tool     1.9.1     http://www.gnu.org/software/wget/wget.html
  ncftpget      ftp client       3.1.9     http://www.ncftpd.com

test files:
  eicar         testvirus                  http://www.eicar.com

%******************************************************************************************
Email address and website

website:       http://www.copfilter.org
email address: copfilter at gmx dot net
support email: copfilter-main at lists dot sourceforge dot net
(example: "hello at test dot com" means hello@test.com)

Please don't publish my email address online like in forums, boards, ... except in the
form (copfilter-main at lists dot sourceforge dot net) presented above.
This helps reduce my spam mail, thanks!

%******************************************************************************************
%******************************************************************************************
Installation

- The copfilter installation and webgui language will be the same as the one you use in
  the IPCop webgui, so if you want a different language change this setting in
  System -> GUI Settings

%******************************************************************************************
Preparation

- enable ssh on your ipcop machine through the IPCop admin web pages (necessary for file
  transfer): IPCOP Webgui -> SYSTEM -> SSH ACCESS
- enable squid on your ipcop machine through the admin web pages (needed for privoxy to
  work): IPCOP Webgui -> SERVICES -> PROXY
- you will need a secure copy (scp) client to copy the package to your ipcop firewall and
  a secure shell client (ssh) to actually install the package
  if working on unix, you should have ssh and scp already installed; if not, you have to
  install these programs from the linux distribution you are using, or compile them
  yourself
  if working on windows you could use (both opensource and free):
    graphical secure copy client:  winscp  http://winscp.sourceforge.net/eng/
    graphical secure shell client: putty   http://www.chiark.greenend.org.uk/~sgtatham/putty
    putty includes a command line secure copy client called pscp.exe
- download the latest copfilter version from http://www.copfilter.org
  do not try to extract this tar file on windows (your virus scanner will warn you about
  4 testvirus files in the archive); instead copy it to the ipcop machine by doing the
  following:

%******************************************************************************************
Copy the package to the firewall

Copy the package to the ipcop firewall using a secure copy client (scp):

on a unix or linux machine:
  scp -P 222 root@:/root
  screenshot: scp.png
  (notice that port 222 needs to be used)

OR on a windows machine using winscp:
  start winscp and create a new session in the WinSCP login screen:
  screenshot: winscp.png (assuming 192.168.112.254 is your ipcop's ip address)
  then drag and drop the copfilter installation file to the ipcop /root and click on copy
  when asked to confirm
  screenshot: winscp2.png

OR on windows using putty's pscp:
  pscp -P 222 root@:/root
  screenshot: pscp.png

%******************************************************************************************
Install the package on the firewall

- login to the ipcop machine with a ssh client, example with putty:
    start putty
    enter the ip address of your ipcop machine into the "Host Name (or IP address)" field
    enter the ssh port of your ipcop machine into the "Port" field, this is usually: "222"
    enter a session name in "Saved Sessions", for example "ipcop"
    click on "Save"
    click on "Open" to start the ssh session to your ipcop machine
  screenshot: putty.png
- you should now have an open terminal session with putty
- if you are updating, first uninstall the old version:
  everything which is copfilter related will be deleted without confirmation, so you might
  want to create a backup before uninstalling:
    /var/log/copfilter/default/setup_util -b
  to uninstall:
    /var/log/copfilter/default/setup_util -u
- extract the package:
    cd /root
    tar xzvf copfilter-0.1.0.tgz
  (the version number could be different than in this example)
- change to the directory and install the new package:
    cd copfilter-0.1.0
    ./install
  this script will automatically extract the setup tar file and will also automatically
  execute /var/log/copfilter/default/setup_util -i
  if it fails and you get these error messages:
    gzip: stdin: unexpected end of file
    copfilter-0.1.0beta2/install
    tar: Unexpected EOF in archive
    tar: Unexpected EOF in archive
    tar: Error is not recoverable: exiting now
  then this means that you have not correctly downloaded the full file; try to redownload
  the file and then try again
- if you are a home user, you could also install the fprot virus scanner (free for home
  use) so that your email will be scanned by 2 different virus scanners, which increases
  security
  this package only includes the clamav virusscanner and you can optionally install fprot
  with the included installation script:
    home users please read      http://www.f-prot.com/products/home_use/linux/
    corporate users please read http://www.f-prot.com/products/corporate_users/unix/index.html
  only proceed to the next step if you fulfil the requirements as a home user
  then download (from the above URL) and copy the downloaded file (for example
  fp-linux-ws-4.3.3.tar.gz) to the ipcop machine into the /root/copfilter directory,
  change to the copfilter directory
    cd /root/copfilter
  and execute
    ./setup_util -f fp-linux-ws-4.3.3.tar.gz
  after installing fprot, additional options will appear in the webgui AntiVirus section
  from where it can be activated to scan emails

%******************************************************************************************
Quick configuration (for details please see the next section)

- open your web browser and go to your IPCop web configuration interface
  a new menu will appear under Services/Copfilter with which you can now configure copfilter
- !!!! most important: go to Copfilter -> Email !!!!
  and configure your email address and your smtp server and click on save settings
  the Email Address field is often misunderstood: this field is not a list of email
  addresses which will be scanned for viruses. In fact all emails, no matter what email
  address is used, will be scanned transparently; there is no list of email addresses to be
  scanned, since all emails will be recognized automatically. The email address in this
  field will only be used as a recipient for virus notification updates and a few other
  notifications
- you can now test if emails sent to you are being scanned, by clicking on the buttons
  (available in the Copfilter -> Test&Debug webgui)
    1. "Send Test Virus Email"
    2. "Send Test Spam Email"
    3. "Send Test Email+bad Attachment"
  you should then receive
    1. a virus notification message
    2. an email with the subject tagged as SPAM
    3. an email with a *renamed* exe attachment called "test_attachment.exe.bad"
  you can still rename the attachment to what it originally was, but the purpose of this
  procedure is to prevent users from "blind-clicking" on any exe attachment; if the exe
  attachment is renamed to .bad nothing can happen
  If you don't get the test message at all, then check /var/log/messages to see whether
  the email delivery was successful; you might get a log entry which looks like this:
    554 mail server rejected message: spam or virus detected (#5.3.0)
  which means that the test message could not be sent because your smtp server does not
  accept emails which contain spam or viruses
- please also visit the 2 websites (links are in the webgui)
    Download a Testvirus via HTTP  http://www.eicar.org/anti_virus_test_file.htm
    Download a Testvirus via FTP   http://www.trendmicro.com/en/security/test/overview.htm
  and check if access to those files is denied
- if the above tests were successful you can now safely use email/http/ftp

%******************************************************************************************
%******************************************************************************************
Configuration

To access the Copfilter Web-GUI start your browser and enter the IP address (of the green
IPCop interface) or hostname of your IPCop server along with either port 445
(https/secure) or 81 (redirected to 445):
  https://ipcop:445 or https://192.168.112.254:445
  or
  http://ipcop:81 or http://192.168.112.254:81

screenshot: 01_webgui_menu.png

Note: if the webgui has vanished (for example when updating ipcop) execute the following
command to re-add the menu:
  /var/log/copfilter/default/setup_util -a

%******************************************************************************************
Status

Screenshot: 02_webgui_status.png

Options:
No options can be configured. This window will give you access to the Copfilter
documentation.
The currently installed Copfilter version is displayed as well as this warning message:

  WARNING: This package is NOT an official ipcop addon. It has not been approved or
  reviewed by the ipcop development team. It comes with NO warranty or guarantee, so use
  it at your own risk. This package adds firewall rules, proxies, filters and virus
  scanners to your ipcop machine. Do NOT use Copfilter if security is an issue. With HAVP
  you could still receive a virus.

Next follows a section with information regarding the status of each of the currently
installed programs, including:
- product name
- short description
- associated daemon
- version number
- daemon status; if any daemons are running their PID numbers are shown
- ability to manually stop or start the daemon

Three additional buttons are available for accessing
- Virus Quarantine
- Spam Quarantine
- Monit Service Manager
- Copfilter Whitelist Manager
- Copfilter Spam Digest Manager

Notes:
If a service is stopped or started manually, then monitoring for that service will stop;
to re-enable monitoring of all enabled services, restart the monit service
F-PROT is a commercial program. It is free for home users only. Corporate Users have to
obtain a license !
If a service is restarted, and your settings indicate that this service will not be used,
then the service will stay off
The abbreviation Trans. stands for Transparent and it means that no client reconfiguration
is necessary to use this service.

%******************************************************************************************
Email Settings

Screenshot: 03_webgui_email.png

Options:
Enter your email address, smtp server and the sender address, and configure smtp-auth if
your smtp server requires it.

Email Address:
Enter your email address here; you will then receive various notifications regarding the
result of copfilter service procedures.

Smtp server:
This is the address of your Internet Provider's SMTP server. You can also use your own
SMTP server if it is located on your internal network.

Sender Address:
This is the email address which will be used to send emails from. It will appear as the
sender email address when you receive emails from copfilter. If you don't know what to
enter, leave it blank and copfilter will automatically use your Email Address as your
sender address.

If your SMTP server supports SMTP-AUTH you can enable it here (switch it to "on"), and
enter the appropriate username and password

The following notifications will be sent to the Email Address mentioned above:
- Virus signature updates
- Antispam ruleset updates
- Imap BAYES Training results
- Failed services and if the automatic restart has been successful
- Copy of virus notification messages if this has been activated

Notes:
No service restart is required.

%******************************************************************************************
Monitoring

Options:
Monitor all enabled services
This will enable monitoring for all enabled services which are being used
The following link to another webgui is available to retrieve information and to manage
the monitored services:
  Monit Service Manager  https://192.168.112.254:446/

Note:
1. Monit will only monitor services that currently are running, as configured per webgui.
2. If any monitored service fails, then monit will within 60 seconds automatically restart
   that service and send a notification to the Email address
3. If any monitored service is stopped manually on the ipcop command line then monitoring
   for that service will stop; restarting the service manually will NOT enable monitoring
   again
4. To re-enable monitoring of all enabled services, restart the monit service
5. The Monit Service Manager has a list of all currently monitored services
6. Authorization for Monit Service Manager: user admin and same password as in ipcop webgui

** Restart of monit service required

Notes:
Clicking on the Save settings button will automatically restart the necessary services in
order to apply your settings. Enable "Skip Service Restart" if you wish to skip restarting
the service.

%******************************************************************************************
POP3 Scanning

Screenshot: 04_webgui_pop3.png

Options:
Enable P3Scan to filter outgoing traffic on GREEN**
Enable P3Scan to filter outgoing traffic on BLUE**
Enable P3Scan to filter outgoing traffic on ORANGE**
If a client in the GREEN, BLUE or ORANGE network initiates a pop3 session, which means that
he tries to retrieve email from his pop3 server, then this pop3 traffic will be filtered
according to the above settings
BLUE and ORANGE interface options will only appear if these interfaces exist.
If you wish to use POP3S (pop3-ssl) then leave the current settings of your email client
just the way they are and only change the PORT number of your POP3 email server from 110
to 995 (DO NOT ACTIVATE SSL !). P3Scan will then automatically open an encrypted pop3s
(pop3 ssl secured) connection from your ipcop machine to your pop3 email server and
forward the emails to you.

Stop virus emails and send virus notifications instead
With these options you can enable or disable virus scanning of incoming pop3 email
This will only work if either ClamAV or F-Prot (if installed) are enabled.
If a virus is found in an email, the user will receive a virus notification message with
- information about the detected virus
- email delivery information (original sender, subject, recipients, date, ..)
- the complete unmodified header
- if virus quarantining has been enabled, the filename containing the original message
  will be shown
Depending on the quarantine settings the administrator would then be able to access the
original file.

Tag Spam in emails and modify the subject
With these options you can enable or disable spam scanning
If an email gets detected as spam its subject field will be tagged with *** SPAM ***
The user will still receive this email, with no further modifications of the original
email. With this procedure any email client will be able to use its own message rules to
automatically delete or move these spam messages.

Rename dangerous email attachments
With these options you can enable or disable attachment renaming
Emails with a bad attachment will be tagged in the subject field with
*** renamed attachment ***
The attachment will be renamed to "originalattachmentname_originalextension.bad"
This list of bad attachments can be viewed in the webgui -> Copfilter AntiSpam for more
information

Sanitize and clean emails containing HTML
This option will modify an email so that it is safe for viewing; the modifications depend
on the used sanitizer. P3PMail for example removes all dangerous html tags.

Add Copfilter Comment to Header
If this option is enabled copfilter will add email headers to every email, an example:
  X-Filtered-With: Copfilter Version 0.1.0beta1 (P3Scan 2.1.99-00dev)
  X-Spam-Scanned: SpamAssassin 3.0.2
  X-Virus-Scanned: ClamAV 0.83/833 - Sat Apr 16 04:31:36 2005
  X-Virus-Scanned: F-PROT 4.5.4 Engine version: 3.16.6
  X-Virus-Scanned: SIGN.DEF 15 Apr05 - SIGN2.DEF 16 Apr05 - MACRO.DEF 15 Apr05
The X-AntiVirus line will only appear if virus scanning was enabled.
The X-AntiSpam line will only appear if spam scanning was enabled.
The following lines will appear in the header if appropriate:
  X-Copfilter:Sender is in whitelist, skipped SpamAssassin
  X-Copfilter:Client is part of our network, skipped SpamAssassin

Send a copy of virus notification to Email address
This allows an administrator to get a copy of every virus notification message.

Use Copfilter Whitelist
If the sender address is in the Copfilter Whitelist, spam scanning will be skipped.
This Email Header will be inserted:
  X-Copfilter:Sender is in whitelist, skipped SpamAssassin
This does not affect virus scanning, meaning that all emails from whitelisted email
addresses will still be scanned for viruses.

Quarantine spam emails if ...
... if score is greater than: 5-40
Emails containing a spam score greater than the configured value will be quarantined.
Users will receive a notification. The POP3 Protocol does not allow email discarding
during POP3 retrieval (so these notifications cannot be disabled)

Quarantine virus infected emails
This option will save an original copy of a virus infected email in the quarantine.
If it is set to off then all infected emails will be deleted immediately.

Remove emails in quarantine if older than (in days)
Any emails in the POP3 quarantine will be deleted if they are older than this number of
days.

Notes:
Clicking on the Save settings button will automatically restart the necessary services in
order to apply your settings. Enable "Skip Service Restart" if you wish to skip restarting
the service.
Restart of the p3scan service is required if one of the following options has been
modified (the option "Skip Service Restart" can be checked if none of the options below
have been changed):
  Enable P3Scan to filter outgoing traffic on GREEN**
  Enable P3Scan to filter outgoing traffic on BLUE**
  Enable P3Scan to filter outgoing traffic on ORANGE**

%******************************************************************************************
SMTP Scanning

Screenshot: 05_webgui_smtp.png

Options:
Enable ProxSMTP to filter outgoing traffic on GREEN*
Enable ProxSMTP to filter outgoing traffic on BLUE*
Enable ProxSMTP to filter outgoing traffic on ORANGE*
If a client in GREEN, ORANGE or BLUE initiates a smtp session, which means that he tries
to send an email to his smtp server, then this smtp traffic will be scanned according to
the above settings
BLUE and ORANGE interface options will only appear if these interfaces exist.
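The header comments described under "Add Copfilter Comment to Header" and "Use Copfilter
Whitelist" in the POP3 section above (the SMTP scanner inserts the same headers) are the
only evidence inside a delivered message that it passed through the proxies, and the 554
log line from the installation test is the usual reason a test message never arrives. The
following shell script is an added example, not part of Copfilter: it classifies a saved
message by those headers and counts rejections in a syslog excerpt. It assumes the header
block ends at the first blank line (standard RFC 822 layout) and compares header names
case-insensitively; the sample messages and the log lines are constructed for this
example, using the header values shown in this documentation.

```shell
#!/bin/sh
# Added example (not Copfilter's own code). Assumptions: headers end at the first
# blank line; header names are matched case-insensitively; sample data is constructed.

# Classify one message file by the Copfilter header comments:
#   unscanned   - no X-Filtered-With header, the mail never passed the proxy
#   whitelisted - X-Copfilter says SpamAssassin was skipped for this sender
#   scanned     - both X-Virus-Scanned and X-Spam-Scanned are present
#   partial     - filtered, but only one of the two scanners left its mark
copfilter_audit() {
    awk '
        /^$/ { exit }                                  # stop at end of header block
        tolower($0) ~ /^x-filtered-with:/ { filtered = 1 }
        tolower($0) ~ /^x-virus-scanned:/ { av = 1 }
        tolower($0) ~ /^x-spam-scanned:/  { spam = 1 }
        tolower($0) ~ /^x-copfilter:.*skipped spamassassin/ { skipped = 1 }
        END {
            if (!filtered)       print "unscanned"
            else if (skipped)    print "whitelisted"
            else if (av && spam) print "scanned"
            else                 print "partial"
        }
    ' "$1"
}

# Count syslog lines showing that the upstream SMTP server refused a (test) message.
count_smtp_rejections() {
    grep -c '554 mail server rejected message' "$1" || true
}

# --- constructed sample data ------------------------------------------------
SAMPLES=$(mktemp -d)

cat > "$SAMPLES/scanned.eml" <<'EOF'
From: alice@example.com
Subject: report
X-Filtered-With: Copfilter Version 0.1.0beta1 (P3Scan 2.1.99-00dev)
X-Spam-Scanned: SpamAssassin 3.0.2
X-Virus-Scanned: ClamAV 0.83/833 - Sat Apr 16 04:31:36 2005

body text
EOF

cat > "$SAMPLES/whitelisted.eml" <<'EOF'
From: partner@example.org
Subject: Re: offer
X-Filtered-With: Copfilter Version 0.1.0beta1 (P3Scan 2.1.99-00dev)
X-Virus-Scanned: ClamAV 0.83/833 - Sat Apr 16 04:31:36 2005
X-Copfilter:Sender is in whitelist, skipped SpamAssassin

body text
EOF

# A header-looking line after the blank line is body text and must not count.
cat > "$SAMPLES/unscanned.eml" <<'EOF'
From: someone@example.net
Subject: hello

X-Filtered-With: this is body text, not a header
EOF

cat > "$SAMPLES/messages" <<'EOF'
Apr 16 04:32:01 ipcop testmail: 554 mail server rejected message: spam or virus detected (#5.3.0)
Apr 16 04:32:05 ipcop monit[99]: 'p3scan' process is running with pid 1234
EOF

for f in scanned whitelisted unscanned; do
    printf '%-12s %s\n' "$f" "$(copfilter_audit "$SAMPLES/$f.eml")"
done
printf 'rejections: %s\n' "$(count_smtp_rejections "$SAMPLES/messages")"
```

Run it against messages exported from a client mailbox: "unscanned" means the mail reached
the client without passing P3Scan or ProxSMTP at all (for example a client talking SSL on a
port the proxies do not intercept), which is a different problem from a scanner being
switched off ("partial").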
Stop virus emails and opt. send virus notifications instead (see below)
  This only works if either ClamAV or F-Prot (if installed) is enabled as well. With this option you can enable or disable virus scanning. If a virus is found in an email, the user will receive a virus notification message with:
  - information about the detected virus
  - email delivery information (original sender, subject, recipients, date, ...)
  - the complete unmodified header
  - if email quarantining has been enabled, the name of the file containing the original message
  Depending on the quarantine settings the administrator is then able to access the original file.

Tag Spam in emails and modify the subject
  Same behaviour as the POP3 option of the same name above: detected spam is tagged with *** SPAM *** in the subject and otherwise delivered unmodified.

Rename dangerous email attachments
  Same behaviour as the POP3 option of the same name above: the subject is tagged with *** renamed attachment *** and the attachment is renamed to "originalattachmentname_originalextension.bad".

Sanitize and clean emails containing HTML
  Same behaviour as the POP3 option of the same name above.

Add Copfilter Comment to Header
  Same behaviour as the POP3 option of the same name above: the X-Filtered-With, X-Spam-Scanned, X-Virus-Scanned and X-Copfilter headers are added to every email.

Send user a virus notification with information about the originally sent email containing the virus
  This option allows enabling or disabling the client virus notifications.

Send a copy of virus notification to Email address
  This allows an administrator to get a copy of every virus notification message.

Enable ProxSMTP to filter incoming traffic on RED and forward to internal Email Server
  This option enables scanning of incoming SMTP traffic. It is useful if you run your own SMTP server and receive email via SMTP to it. For security reasons it is recommended to put the email server into the DMZ (ORANGE) network. Do not enter a port forwarding in IPCop/Firewall/Portforwarding: the necessary rules are maintained by Copfilter and are not shown in the IPCop webgui. The rules that get entered are shown when proxsmtpd starts. Be aware that this option opens port 25 on your firewall, which is then transparently redirected to the internal email server. This means that your internal email server is reachable on port 25 from the internet!
  All incoming emails are resent from your IPCop firewall to your mail server, which means that if you allow relaying from your IPCop's IP address, your mail server becomes an open relay!! Use an external open relay test service to verify that your server does not relay.

Email Server is located in network
  Here you need to define the location of your email server.

Email Server IP Address
  All incoming email will be forwarded to this IP address.

Red IP Alias Address (if this is empty the current RED IP Address will be used)
  Here you have the option of defining an IP alias address, which would be an additional IP address you got from your provider, solely for receiving email.

Red IP Alias Ethernet Interface
  Choose which interface this new IP alias address should have.

Discard (delete) all SMTP virus emails (virus quarantining and virus notifications will be disabled)
  All incoming SMTP virus emails will be accepted and discarded (deleted) immediately; no virus quarantining will occur and no virus notifications will be sent.

Discard (delete) all SMTP spam emails if ... if score is greater than: (spam quarantining above this score will be disabled)
  Emails with a spam score greater than the configured value will be discarded. No spam quarantining above this score will occur.

Discard (delete) all SMTP emails with dangerous attachments
  Emails with dangerous attachments will be accepted and immediately deleted.

Add email addresses from outgoing email to Copfilter Whitelist
  This option extracts all recipient email addresses from outgoing SMTP emails which originated from the GREEN, ORANGE and BLUE networks. These addresses are then entered into the Copfilter Whitelist, except when sender = recipient: an internal email address should not be added to the whitelist, because all incoming email claiming that address as sender would then skip spam scanning. If you wish to add only email addresses which originated in the GREEN network, copy the file
    /var/log/copfilter/default/opt/tools/bin/IpInSubnet.pl_add_email_address_to_whitelist_from_GREEN
  to
    /var/log/copfilter/default/opt/tools/bin/IpInSubnet.pl
  or simply edit /var/log/copfilter/default/opt/tools/bin/IpInSubnet.pl and modify it for your needs.

Disable all spam scanning on outgoing email from internal network
  If an email is sent from a computer located in the internal network (GREEN interface), spam scanning is skipped and this header is inserted into the email:
    X-Copfilter: Client is part of our network, skipped SpamAssassin

Enable Copfilter Whitelist modifications via email
  Any user can send an email containing whitelist commands to any external email address. Copfilter intercepts it, extracts the commands and discards the email. The body of the email has to contain (multiple lines are possible):
    copfilter_add_to_whitelist youraddress@domain.com
    copfilter_remove_from_whitelist address@domain.com
  Users can only add email addresses to the whitelist; blacklist commands are ignored. An asterisk in an email address is not valid, so no *@domain.com whitelist commands are possible; only the administrator can do this. This is for security reasons: we do not want any user to be able to blacklist another user's email address. Note that this option trusts every client on the internal networks: anything that can send outbound SMTP from GREEN, BLUE or ORANGE can add entries to the whitelist.

Use Copfilter Whitelist and Blacklist
  All incoming emails whose From field contains an address from the whitelist are not scanned for spam. This email header is inserted:
    X-Copfilter: Sender is in whitelist, skipped SpamAssassin
  This does not affect virus scanning: all emails from whitelisted addresses are still scanned for viruses.
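The two whitelist-feeding options above (recipients of outgoing mail, and commands embedded in a mail body) in working form. This is an added example and not Copfilter's own Perl tooling: the whitelist is modelled as a Python set (the addon keeps it in its own files and matches the From: address against it), recipients are read from the To:/Cc:/Bcc: headers for illustration where a proxy in the SMTP path would use the envelope RCPT TO addresses, and all sample messages are constructed.

```python
"""Whitelist maintenance for the two options above: an added example,
not Copfilter's own tooling (the addon uses Perl scripts under
/var/log/copfilter). The whitelist is modelled as a set of lower-cased
addresses; Copfilter matches the From: address against it."""
import email
import re
from email.utils import getaddresses

# One local part, one '@', a dotted domain, and no '*' anywhere: this is
# what makes "*@domain.com" style entries invalid for ordinary users.
ADDR_RE = re.compile(r"^[^@\s*]+@[^@\s*]+\.[^@\s*]+$")
CMD_RE = re.compile(
    r"^\s*copfilter_(add_to|remove_from)_whitelist\s+(\S+)\s*$", re.MULTILINE)


def _addresses(msg, *headers):
    """Lower-cased addresses found in the named headers."""
    values = [v for h in headers for v in msg.get_all(h, [])]
    return {addr.lower() for _, addr in getaddresses(values) if addr}


def _text_body(msg):
    """All text/plain bodies of a message, joined."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(
        p.get_payload(decode=True).decode("utf-8", "replace")
        for p in parts if p.get_content_type() == "text/plain")


def recipients_to_whitelist(raw):
    """Addresses an outgoing message would add to the whitelist.

    Recipients are read from To:/Cc:/Bcc: for illustration; a proxy in
    the SMTP path would use the envelope RCPT TO addresses.  The sender's
    own address is excluded (sender == recipient): whitelisting an
    internal address would let any mail forging it as From: skip the
    spam scan."""
    msg = email.message_from_string(raw)
    senders = _addresses(msg, "From")
    rcpts = _addresses(msg, "To", "Cc", "Bcc")
    return {a for a in rcpts - senders if ADDR_RE.match(a)}


def whitelist_commands(raw):
    """Commands from an intercepted message body -> (adds, removes, rejected).

    Only copfilter_add_to_whitelist / copfilter_remove_from_whitelist are
    recognised; a blacklist command simply does not match.  Addresses
    containing '*' (or otherwise malformed) are reported as rejected."""
    body = _text_body(email.message_from_string(raw))
    adds, removes, rejected = set(), set(), set()
    for verb, addr in CMD_RE.findall(body):
        addr = addr.lower()
        if not ADDR_RE.match(addr):
            rejected.add(addr)
        elif verb == "add_to":
            adds.add(addr)
        else:
            removes.add(addr)
    return adds, removes, rejected


def apply_commands(whitelist, raw):
    """New whitelist after applying one intercepted command message."""
    adds, removes, _ = whitelist_commands(raw)
    return (set(whitelist) | adds) - removes


# Constructed sample messages (not real traffic).
OUTGOING = (
    "From: alice@example.org\n"
    "To: bob@example.com, alice@example.org\n"
    "Cc: Carol <carol@example.net>\n"
    "Subject: hello\n\n"
    "see you tomorrow\n")

COMMANDS = (
    "From: alice@example.org\n"
    "To: anyone@example.com\n"
    "Subject: whitelist update\n\n"
    "copfilter_add_to_whitelist newsletter@shop.example\n"
    "copfilter_add_to_whitelist *@bulk.example\n"
    "copfilter_remove_from_whitelist old@friend.example\n"
    "copfilter_add_to_blacklist rival@example.com\n")

if __name__ == "__main__":
    print(sorted(recipients_to_whitelist(OUTGOING)))
    print(whitelist_commands(COMMANDS))
```

The wildcard rule and the missing blacklist verb are enforced in one place (ADDR_RE and CMD_RE), so an administrator who wants to allow *@domain.com entries does it by editing the whitelist file directly, not by loosening what intercepted mail may request.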
  All incoming emails whose From field contains an address from the blacklist are discarded immediately.

Quarantine spam emails if ... if score is greater than: (5-40)
  Emails with a spam score greater than the configured value are quarantined. Users receive a notification.

Send user a copy of quarantined spam email
  If a spam email has been quarantined, the user receives a copy.

Quarantine virus infected emails
  This option saves an original copy of a virus infected email in the quarantine. If it is off, all virus infected emails are deleted immediately.

Remove emails in quarantine if older than (in days)
  Any emails in the SMTP quarantine are deleted if they are older than this number of days.

- New option in webgui: REJECT_INSTEAD_OF_DISCARD_EMAIL, to use the SMTP code 550 instead of 250 when discarding email.
  PRO 550:
  1. If spammer A runs smart spamming software, a 250 response could tag the email address as accepting spam, triggering more spam.
  2. If legitimate email is wrongly deleted as spam, a 250 discard means the legitimate sender never gets a non-delivery notice; with a 550 rejection the sending server reports the failure.
  CON 550:
  1. For every one of those thousands of 550-rejected spam emails, the sending mail server would generate an NDR back to the sender. If the sender address has been forged, the wrong person gets the NDR (backscatter), causing confusion and unnecessary internet traffic. Of course, if the sending mail server is a spam bot, the bot will most probably not send an NDR, but if the sender is a misconfigured mail server (for example an open mail proxy), an NDR will be generated.
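The options of this section, from the blacklist down to the 550/250 choice, combine into one policy. The decision function below is an added example (not ProxSMTP's or Copfilter's own code) that applies them in the order the text describes: blacklist first, then the virus verdict (never skipped, even for whitelisted senders), then dangerous attachments, and only then the spam checks that whitelist and internal-client status may bypass. The scanner verdicts are assumed to have been extracted from ClamAV/F-Prot, SpamAssassin and renattach already, and the threshold defaults are illustrative.

```python
"""Decision logic of the SMTP options in this section: an added example,
not ProxSMTP's or Copfilter's own code.  Scanner verdicts are assumed to
have been extracted already (ClamAV/F-Prot name, SpamAssassin score,
renattach hit); the default thresholds are illustrative."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Settings:
    spam_threshold: float = 5.0       # "Score required to identify email as spam"
    quarantine_above: float = 10.0    # "Quarantine spam emails if score is greater than"
    discard_above: float = 20.0       # "Discard all SMTP spam emails if score is greater than"
    discard_virus: bool = False       # "Discard all SMTP virus emails"
    discard_dangerous: bool = False   # "Discard all SMTP emails with dangerous attachments"
    reject_instead_of_discard: bool = False   # REJECT_INSTEAD_OF_DISCARD_EMAIL
    skip_spam_for_internal: bool = True       # "Disable all spam scanning on outgoing email"
    whitelist: frozenset = frozenset()
    blacklist: frozenset = frozenset()


@dataclass
class Scan:
    sender: str                   # From: address, what the lists are matched on
    client_internal: bool         # SMTP client sits in GREEN/BLUE/ORANGE
    virus: str = ""               # scanner verdict, empty when clean
    spam_score: float = 0.0
    dangerous_attachment: bool = False


@dataclass
class Decision:
    action: str                   # deliver | tag | quarantine | drop
    smtp_code: int                # reply the sending server gets after DATA
    headers: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def _drop(s, reason):
    # "Discard" accepts with 250 and deletes silently; with the REJECT
    # option the mail is refused with 550 and the sender's MTA bounces it.
    return Decision("drop", 550 if s.reject_instead_of_discard else 250,
                    reasons=[reason])


def decide(s: Settings, r: Scan) -> Decision:
    sender = r.sender.lower()
    if sender in s.blacklist:                        # blacklist first, always
        return _drop(s, "sender blacklisted")
    if r.virus:                                      # virus scan is never skipped
        if s.discard_virus:
            return _drop(s, f"virus: {r.virus}")
        return Decision("quarantine", 250,
                        reasons=[f"virus: {r.virus}; recipient gets a notification"])
    if r.dangerous_attachment and s.discard_dangerous:
        return _drop(s, "dangerous attachment")
    d = Decision("deliver", 250)
    if sender in s.whitelist:                        # whitelist skips spam only
        d.headers.append("X-Copfilter: Sender is in whitelist, skipped SpamAssassin")
        return d
    if r.client_internal and s.skip_spam_for_internal:
        d.headers.append("X-Copfilter: Client is part of our network, skipped SpamAssassin")
        return d
    if r.spam_score > s.discard_above:
        return _drop(s, f"spam score {r.spam_score}")
    if r.spam_score > s.quarantine_above:
        return Decision("quarantine", 250, reasons=[f"spam score {r.spam_score}"])
    if r.spam_score >= s.spam_threshold:
        d.action = "tag"
        d.reasons.append("subject tagged *** SPAM ***")
    return d


if __name__ == "__main__":
    cfg = Settings(reject_instead_of_discard=True,
                   whitelist=frozenset({"friend@example.org"}),
                   blacklist=frozenset({"bad@example.net"}))
    for scan in (Scan("bad@example.net", False),
                 Scan("friend@example.org", False, virus="Eicar-Test-Signature"),
                 Scan("friend@example.org", False, spam_score=30),
                 Scan("x@example.com", False, spam_score=7),
                 Scan("x@example.com", False, spam_score=25)):
        print(scan.sender, decide(cfg, scan))
```

Note that with the REJECT option the 550 is a reply to DATA, after the whole message has been received and scanned; nothing is rejected at RCPT time, so the sending server has already spent the bandwidth by the time it learns the mail was refused.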
  Most spam emails are sent through spam bots, so activating Rejection instead of Discarding is recommended.

- Increase the timeout setting in your email client when sending emails through Copfilter. It should be set to the time your email client needs to send the largest email possible (for example, if you want to send emails of max. 10 MB, set the timeout to the time it takes to send a 10 MB email). Example: Thunderbird -> Tools -> Options -> Advanced -> Connection Timeout (for example 10 min), then restart Thunderbird.

Notes:
Clicking on the Save settings button will automatically restart the necessary services in order to apply your settings. Enable "Skip Service Restart" if you wish to skip restarting the service. A restart of the proxsmtpd service is required if one of the following options has been modified:
  Enable ProxSMTP to filter outgoing traffic on GREEN
  Enable ProxSMTP to filter outgoing traffic on BLUE
  Enable ProxSMTP to filter outgoing traffic on ORANGE
  Enable ProxSMTP to filter incoming traffic on RED and forward to internal Email Server

%******************************************************************************************
HTTP Scanning

Screenshot 06_webgui_http.png

Options:

Deny access to HTTP traffic containing browser exploits, phishing attempts and viruses (this starts the HAVP proxy)
  This option enables HTTP virus scanning. If a virus is found, access to that file is denied and a web page notifying you about the name of the virus appears instead. HAVP only uses ClamAV as a virus scanner. This also works if ClamAV is disabled, since HAVP loads the ClamAV library when starting. For HTTP scanning, the IPCop web proxy (squid) needs to be enabled. On an English IPCop installation the web proxy gets started automatically.

Enable Transparent mode (affects Web Proxy)
  This option automatically enables the IPCop web proxy in transparent mode (only on English installations).

HAVP Virus Log (text)
  Some HAVP virus statistics. If you enable Web Proxy logs, these logs also display the IP address of the computer from which the virus infected web page was requested.

Filter HTTP traffic for Internet Junk (ads, banners, jumping-windows, ..)
  This option activates the Privoxy internet junk filter. Privoxy only works if HAVP is enabled. Privoxy reduces web browsing speed (only if the CPU of the IPCop machine is slow); it could also affect VoIP/Skype quality.

privoxy configuration
  This link allows you to configure the Privoxy settings.

privoxy bookmarklet
  This link allows you to quickly enable or disable Privoxy, in case a website is not displayed correctly with Privoxy turned on (you could as well change the proxy settings). You can also set a bookmark to this link for quick access.

Notes:
Web proxy transparent mode: iptables redirects port 80 to port 800 on the IPCop machine.

                           IPCop machine
 Internet     +-----------------------------------------------------+
 webserver    |                                                     |   Client - web browser,
   :80  <-----|<--- HAVP:10080 <- - (Privoxy:8118) - - SQUID:800 <--|<- - - no proxy settings configured
              |                                                     |       (iptables redirects port 80 to 800)
              |                                                     |   Client - web browser,
              |                                                     |<----- proxy setting: IPCop, port 800
              +-----------------------------------------------------+

This has the following advantages:
  * all transparent, no web browser client proxy settings necessary
  * better web browsing performance, since Privoxy filters out junk first, before passing the needed content along to squid
  * maintains compatibility with other IPCop addons such as COP+, dansguardian, advanced proxy, urlfilter
Privoxy works between HAVP and squid; if enabled, HAVP acts as parent proxy to squid.
Internet Junk: ads, banners, web bugs, unsolicited pop-ups, jumping windows, IE exploits, HTML annoyances, modifying web page content, and other obnoxious internet junk. These settings can be customized here:
  /var/log/copfilter/default/opt/privoxy/etc/

A section was added to Privoxy to easily whitelist domains: enable Privoxy and point your browser to config.privoxy.org, then choose "View & change the current configuration", then click on Edit right beside "/var/log/copfilter/default/opt/privoxy/etc/user.action". In the first section (scroll down one page), where you see the domain ".copfilter.org", click on the Add button and add your domain in this manner: ".yourdomain.com" (don't forget the leading dot).

*** ONLY HTTP TRAFFIC ON PORT 80 WILL BE VIRUS SCANNED ***
This means that if a web server runs on a port other than 80, traffic to this web server will NOT be virus scanned! So if you only want to allow virus scanned HTTP traffic, you need to block traffic to any other ports. This could, for example, be done with a different IPCop addon named BlockOutTraffic: http://firewalladdons.sourceforge.net/blockouttraffic.html

Notes
Clicking on the Save settings button will automatically restart the necessary services in order to apply your settings. Enable "Skip Service Restart" if you wish to skip restarting the service. A restart of the havp and privoxy services is required if any settings have been changed.

Note
1. If the Web Proxy is disabled, it will be enabled automatically, since HTTP traffic scanning only works on Web Proxy traffic.
2. All web browsers should be set up to use the Web Proxy, except when the Web Proxy is configured in transparent mode: then no browser proxy settings are necessary.
3. Delete the cache of your web browser and of the Web Proxy before trying to download the EICAR test virus and before accessing the privoxy config and bookmarklet.
4. Do NOT enter an upstream proxy in the IPCop web proxy configuration!
5. If you wish to use an upstream proxy, configure the PARENTPROXY parameter in copfilter/opt/havp/etc/havp.config.
6. Web Proxy logging will be enabled automatically, so that the HAVP virus logs work.

%******************************************************************************************
FTP Scanning

Screenshot 07_webgui_ftp.png

Options

Deny access to virus infected FTP downloads on GREEN
Deny access to virus infected FTP downloads on BLUE
Deny access to virus infected FTP downloads on ORANGE
  BLUE and ORANGE interface options are only visible if these interfaces exist. This only works if either ClamAV or F-Prot (if installed) is enabled as well. This option enables FTP traffic scanning for viruses. If a virus is found, access to that file is denied and your client fails to download the file.
  Be aware that when you try to download an FTP file it might appear that your FTP client (for example a web browser or a command line ftp utility) is hanging. This is because the FTP proxy is already downloading the file in the background and only sends a few bytes of it to your FTP client. It delivers the rest of the file to your client only after it has fully downloaded and scanned it. Again: if you use a web browser as an FTP client, you receive the "save as" dialog only AFTER the FTP proxy has successfully downloaded and scanned the file. This can take a while, so don't be confused if you do not get an immediate reply and your web browser seems to hang. The FTP proxy sends some bytes to your web browser from time to time to prevent it from running into a timeout.
  Frox uses ClamAV as a virus scanner, and F-PROT if installed.

Notes
Clicking on the Save settings button will automatically restart the necessary services in order to apply your settings. Enable "Skip Service Restart" if you wish to skip restarting the service. A restart of the frox service is required if any setting has been changed.
%******************************************************************************************
AntiSpam

Screenshot 08_webgui_antivirus.png

SpamAssassin Statistics (text)
  This shows spam/ham statistics including:
  - number of spam/ham messages received in each month of the year
  - number of spam/ham messages received on each day of the current month and current year
  - scanning information about the last 200 received ham and spam messages

SpamAssassin Statistics
  selectable year, month -> shows statistics of that month, with percentage comparisons of ham and spam
  selectable year, month, day -> shows statistics of that day, with percentage comparisons of ham and spam

Enable Spamassassin (necessary to detect spam)
  Enable this option if you want spam detection. P3Scan and ProxSMTP will not be able to detect spam if this option is off.

Copfilter Whitelist Manager
  A link to the Copfilter Whitelist Manager, which manages the blacklist as well.

Copfilter Spam Digest Manager
  A link to the Spam Digest Manager. Here you can enter the email addresses which should receive a spam digest notification message. Copfilter searches for those email addresses in the spam quarantine and sends a digest notification message to each address, including brief information about the spam messages that address has received. This is done once a day (at about midnight).

Score required to identify email as spam (subject will be modified)*
  The threshold at which an email is marked as spam.

Razor, DCC, DNSBL* (improves recognition, decreases performance)
  Enables or disables additional spam checks which need to connect to the internet (DNS lookup queries). This option greatly increases detection, but email receipt is delayed (between 10 and 120 seconds, depending on the email).

Send daily spam digest (only from emails in spam quarantine from the last 24h) to recipients in Digest Manager
  See the description above.

German Rules*
  This option adds additional German spam checks.
SpamAssassin Bayes:

Enable Bayesian Scoring in Spamassassin
  Turn this on if you want Bayes scoring in SpamAssassin (it becomes active after the first Bayes training). After training the Bayes classifier, examine the email headers of any new email; they should contain Bayes scoring, similar to:
    * 3.5 BAYES_99 BODY: Bayesian spam probability is 99 to 100%

Run bayes training daily (0:55)
  This allows you to train the Bayesian classifier in SpamAssassin by fetching emails from a remote IMAP server. On the IMAP server, create two folders on the same level as INBOX: "spam" and "not-spam". Copy or move at least 200 spam and 200 not-spam emails into these folders (emails tagged as *** SPAM *** can be used as well). All SpamAssassin related tags are ignored while training. If you have additional email header fields which should be ignored (for example if your ISP adds some email headers), add these to
    /var/log/copfilter/default/opt/mail-spamassassin/etc/mail/spamassassin/local.cf
  using the bayes_ignore_header parameter. No Bayes scoring occurs if fewer than 200 emails have been trained. Training takes about one hour for 400 emails. Execute tail -f /var/log/messages on the console to follow the status if you like (one dot is printed per email). Moving false negatives to the spam folder and false positives to the not-spam folder improves Bayes scoring significantly. An email report with the results is sent to Email Address. Forwarding spam or not-spam email into a public folder is not an option, since forwarding modifies the email headers; users need to copy email into these folders (an admin could move the spam and not-spam messages into these IMAP folders if they were located somewhere else).

IMAP Server:
IMAP SPAM Username:
IMAP SPAM Password:
  The spam and ham messages needed to train the Bayesian classifier in SpamAssassin have to reside on an IMAP server in a "spam" and a "not-spam" folder at the same level as INBOX. These options are used to log in to the IMAP server and retrieve those messages. After a successful download the messages are deleted from those folders.

Rules Du Jour: improves recognition, but decreases performance*
  Enabling Rules Du Jour lets SpamAssassin use lots of additional spam detection rulesets.
  Current rules_du_jour spam rules: a list of the currently used spam detection rulesets.
  Automatic update: turn this on if you want Copfilter to automatically download updates of the spam detection rulesets; this may happen once in one or two months.
  Manual update: manually start the spam detection ruleset update.

Run Bayes Training Now
  Executes the Bayes training immediately (this actually empties the spam and not-spam folders on your IMAP server).

Clicking on the Save settings button will automatically restart the necessary services in order to apply your settings. Enable "Skip Service Restart" if you wish to skip restarting the service. A restart of the spamd service is required if any of these settings have changed:
  Enable Spamassassin (necessary to detect spam)
  Score required to identify email as spam (subject will be modified)
  Razor, DCC, DNSBL (improves recognition, decreases performance)
  German Rules
  Rules Du Jour

The "Spam Quarantine" button shows a list of email messages which were quarantined because they were identified as spam.

%******************************************************************************************
AntiVirus

Screenshot 09_webgui_antispam.png

ClamAV:
  Turn ClamAV on to enable virus scanning. P3Scan and Proxsmtpd will not be able to detect viruses if this setting is off.

Treat encrypted archives as viruses *
  If this option is enabled, ClamAV treats encrypted archives as if they were viruses.
  This might be useful if an encrypted attachment contains a virus (the password might be in the email itself, encouraging users to open the encrypted attachment).

ClamAV Statistics
  Text (immediate updates): shows virus statistics including:
  - list of the most detected viruses (with percentage value)
  - text statistics, viruses by hour/day/month and year
  - exact number of viruses received in each month of the year
  - exact number of viruses received on each day of the current month and current year
  - list of the last 200 received viruses
  Graph (weekly updates, starts after one week): these statistics start after one week (the scripts only analyse the rotated log files from logrotate, and the first rotation is in a week).

Current virus signatures:
  List of current ClamAV signatures with timestamps.
Automatic update:
  Enable automatic virus signature updating with this option.
Manual update:
  This allows a user to manually update the virus signatures, for example in the event of a virus outbreak.

If F-Prot has been installed these menus will appear:

F-PROT:
Current virus signatures:
  List of current F-Prot signatures with timestamps.
Automatic update**:
  Enable automatic virus signature updating with this option.
Manual update:
  This allows a user to manually update the virus signatures, for example in the event of a virus outbreak.

Attachment renamer (renattach):
  Files with the following extensions will be renamed, if dangerous attachment scanning has been enabled:
    ADE, ADP, BAS, BAT, CHM, CMD, COM, CPL, CRT, EML, EXE, HLP, HTA, INF, INS, ISP, JS, JSE, LNK, MDB, MDE, MSC, MSH, MSI, MSP, MST, NWS, OCX, PCD, PIF, REG, SCR, SCT, SHB, SHS, URL, VB, VBE, VBS, WSC, WSF, WSH
  (manual configuration in renattach.conf). This is information about the attachment extensions which will be renamed if attachment renaming has been enabled in P3Scan or ProxSMTP. Note that this list matches on the attachment's file extension, not on its content.

The "Virus Quarantine" button shows a list of unmodified email messages which were quarantined because they contained a virus.
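The renaming rule described above in working form. This is an added example, not renattach's or Copfilter's code: a MIME walk that renames every attachment whose final extension is on the list to name_ext.bad (in both the Content-Disposition filename and the Content-Type name parameter, since clients read either) and tags the subject with *** renamed attachment *** once. The sample message is constructed.

```python
"""Attachment renaming as described above: an added example, not
renattach's or Copfilter's code.  The extension list is the one printed
above; the name pattern and subject tag follow the P3Scan/ProxSMTP
option "Rename dangerous email attachments"."""
import email

BAD_EXTENSIONS = frozenset("""
ADE ADP BAS BAT CHM CMD COM CPL CRT EML EXE HLP HTA INF INS ISP JS JSE
LNK MDB MDE MSC MSH MSI MSP MST NWS OCX PCD PIF REG SCR SCT SHB SHS URL
VB VBE VBS WSC WSF WSH
""".split())

TAG = "*** renamed attachment ***"


def rename_filename(name):
    """'report.exe' -> 'report_exe.bad'.  Only the final extension is
    checked, case-insensitively: 'invoice.pdf.exe' is renamed,
    'invoice.exe.txt' and 'README' are left alone."""
    base, dot, ext = name.rpartition(".")
    if dot and ext.upper() in BAD_EXTENSIONS:
        return f"{base}_{ext}.bad"
    return name


def rename_attachments(raw):
    """Rewrite the message so that every dangerous attachment carries its
    .bad name in both the Content-Disposition filename= and the
    Content-Type name= parameter, and tag the subject once if anything
    was renamed.  Returns (new_raw, list_of_new_names)."""
    msg = email.message_from_string(raw)
    renamed = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not name:
            continue
        new = rename_filename(name)
        if new == name:
            continue
        if part.get_param("filename", header="Content-Disposition"):
            part.set_param("filename", new, header="Content-Disposition")
        if part.get_param("name"):
            part.set_param("name", new)
        renamed.append(new)
    if renamed:
        subject = msg.get("Subject", "")
        del msg["Subject"]
        msg["Subject"] = f"{TAG} {subject}".strip()
    return msg.as_string(), renamed


def attachment_names(raw):
    """Filenames as a receiving client would see them."""
    return [p.get_filename() for p in email.message_from_string(raw).walk()
            if p.get_filename()]


def subject_of(raw):
    return email.message_from_string(raw).get("Subject", "")


# Constructed sample: one executable disguised with a double extension,
# one harmless text attachment.
SAMPLE = """From: a@example.org
To: b@example.com
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/plain

see attached
--bnd
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVo=
--bnd
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

just notes
--bnd--
"""

if __name__ == "__main__":
    out, names = rename_attachments(SAMPLE)
    print(names, attachment_names(out), subject_of(out))
```

Because only the last extension is examined, "invoice.pdf.exe" is caught while "invoice.exe.txt" is not; the check says nothing about what the bytes are, which is why the text above recommends enabling the virus scanners alongside the renamer.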
Notes
Clicking on the Save settings button will automatically restart the necessary services in order to apply your settings. Enable "Skip Service Restart" if you wish to skip restarting the service. A restart of the clamd service is required if the ClamAV settings have been changed.

%******************************************************************************************
TESTING

Screenshot 10_webgui_test_and_debug.png

Send Test Virus Email
Send Test Spam Email
Send Test Email+dang. Attachment
  These options send emails to the Email Address given on the Email Settings page, for testing purposes.

%******************************************************************************************
%******************************************************************************************
Setup

Since the /var/log directory resides on the biggest partition on every IPCop installation, Copfilter is installed into /var/log/copfilter.

%******************************************************************************************
setup_util script command line parameters

  Usage: setup_util OPTION
  Options:
    -a, --addmenu             add copfilter menu to the webgui (already done with -i)
    -b, --backup [FILE]       backup current settings & logfiles (optional: backup file)
    -d, --default             restore default configuration
    -i, --install [--force]   install (or reinstall) copfilter (use force if already inst.)
    -f, --fprot FILE          install fprot, FILE: download and copy fprot >GZIP-ed TAR file< to ipcop
                              URL: http://www.f-prot.com/download/home_user/download_fplinux.html
                              example: setup_util -f fp-linux-ws.tar.gz
    -r, --restore [FILE]      restore configuration (optional: restore file)
    -R, --regrazor            register razor
    -u, --uninstall           uninstall copfilter and fprot
    -V, --version             print version information and exit
    -x, --fixbackspace        fix backspace key in vi

  Copfilter 0.80 for IPCop 1.4.4 and above by Markus Madlener http://www.copfilter.org

Section template for the component descriptions below: overview, description+licensing, building options, copfilter integration, configuration.

%******************************************************************************************
Network setup and Transparent proxying

(to do: explain the iptables setup)

%******************************************************************************************
p3scan

description+licensing
- description from http://p3scan.sourceforge.net:
  This is a full-transparent proxy-server for POP3-Clients. It runs on a Linux box with iptables (for port re-direction). It can be used to provide POP3 email scanning from the internet, to any internal network and is ideal for helping to protect your "Other OS" LAN from harm, especially when used in conjunction with a firewall and other Internet Proxy servers. It is designed to enable scanning of incoming email messages for viruses, worms, trojans, spam (read as "Un-solicited Bulk Email"), and harmful attachments. Because viewing HTML mail can enable a "Spammer" to validate an email address (via web bugs), it can also provide HTML stripping.
- scans POP3 traffic transparently: no special configuration is needed on the client, the client does not even know that its POP3 mail is being scanned for viruses and spam
- supports an external scanner script to enable scanning of emails (in this package mailscanner.sh)
- if an email contains a virus, the email is not delivered; instead the user gets an email from the p3scan daemon indicating the names of all found viruses, the names of the files containing the viruses, the sender of the email, the subject, date and time
- if an email contains spam, the original message is delivered but tagged as spam in the message subject in this way:
    Subject: *** SPAM *** [score/score_limit_to_be_recognized_as_spam]
- gets started as root, but runs as a normal user "p3scan"
- how does p3scan work?
  An iptables rule on the local machine intercepts all outgoing POP3 transmissions (for example a mail client trying to get email from a POP3 server on the internet) and forwards them to port 8110, where p3scan is running. p3scan then downloads the email requested by the client and forwards it back to the client. This happens transparently; the client does not notice that a POP3 proxy is in the traffic chain, except for the delays. This iptables rule is inserted at p3scan startup; if p3scan is stopped with the supplied script "/etc/rc.d/init.d/p3scan stop", the rule is deleted and email is received as normal, unscanned. Read the next two questions for more details.

    pop3client  <------->  pop3proxy  <------->  pop3server
    -----------    LAN     ---------   Internet  ----------
    client machine         ipcop                 pop3.yourprovider.com (example)
    mozilla, evolution,    p3scan, port 8110     port 110
    netscape, outlook

  First your POP3 client (evolution, mozilla, outlook, ...) requests to download email from your POP3 server. Then the POP3 proxy (p3scan) running on IPCop intercepts this request and starts downloading your email+attachments (this can take a while on a slow internet connection); in the meantime your POP3 client does not get any data or packets from the POP3 proxy (possibly causing a timeout if the mail download from the server takes too long). After the download has finished, the POP3 proxy scans the fully downloaded email+attachments for viruses and for spam. Meanwhile the POP3 client has to wait until the proxy finishes scanning. During this time the POP3 client gets no answer from the POP3 proxy, and so the client runs into a timeout if the timeout value on the POP3 client is smaller than the time it takes the proxy to finish scanning your email+attachments. The slower your connection, the higher you should configure your timeout. Examples:
    fetchmail:    poll 195.3.96.71 protocol pop3 timeout 1200
    Outlook 2000: 10 min, Tools/Services -> internet mail service
    Outlook XP:   20 min, Tools/Services -> internet mail service
  If you are unsure, configure the highest possible timeout values (max. about 20 min).
- can be enabled/disabled from the webgui
- the program gets started automatically at IPCop startup in this file: /etc/rc.d/rc.local; if it is disabled, p3scan will not be started at boot time
- manually stop/start p3scan:
    Usage: p3scan {start|stop|debug|reload|restart|status}
    example: /etc/rc.d/init.d/copfilter_p3scan status
- configuration files:
    /var/log/copfilter/default/opt/p3scan/etc/p3scan.conf
      this is the main p3scan configuration file
    /var/log/copfilter/default/opt/p3scan/etc/p3scan.mail
      not valid anymore; the correct place for the template is in langs/en.sh. This was the email template used when informing the user that he received a virus infected email.
    /etc/rc.d/init.d/copfilter_p3scan status
      shows the status of p3scan and the status of the transparent iptables rules
    /var/log/copfilter/default/opt/tools/bin/mailscanner.sh
      in this file the actual mail scanning takes place; to disable virus or spam scanning, disable the appropriate sections in the webgui
- commands:
    /etc/rc.d/init.d/copfilter_p3scan stop
      issue this command to stop the virus and spam scanning; emails will go directly through the firewall, without being checked!
      (notice that the spamassassin spamd daemon will still be running, although it will not be used) use this if you are experiencing problems when downloading emails
    /etc/rc.d/init.d/copfilter_p3scan debug
      execute this INSTEAD of the p3scan start command (p3scan must not be running before executing this); then you can watch debug output on the console, very good for debugging problems in your mailscanner.sh file: watch what p3scan does with your email while your client downloads it
- p3scan stops scanning emails if free disk space is below 20MB (configurable in p3scan.conf)
- if you want to deactivate p3scan, so that it does not get started and does not get used -> disable it in the webgui
- how do I debug p3scan?
  Stop p3scan, then start it again in debug mode to check what is wrong while trying to receive email: "/etc/rc.d/init.d/p3scan debug" -> now try to receive email from your mail client and watch the screen output.

%******************************************************************************************
*** SMTP Scanning

- description from http://memberwebs.com/nielsen/software/proxsmtp/
  ProxSMTP is a flexible tool that allows you to reject, change or log email based on arbitrary criteria. It accepts SMTP connections and forwards the SMTP commands and responses to another SMTP server. The 'DATA' email body is intercepted and filtered before forwarding. You need to be able to write the filtering scripts that integrate it with your particular needs. [...] similarly and uses a similar code base. ProxSMTP can also be used as a transparent proxy to filter an entire network's SMTP traffic at the router.
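Both proxies fail open: when the REDIRECT rule that sends port 110 traffic to p3scan (port 8110) or port 25 traffic to ProxSMTP is absent, mail passes through the firewall unscanned, which is exactly the state the stop command above leaves behind. The check below is an added example, not the copfilter_p3scan status script: it parses iptables-save output for the nat table and reports which (protocol, interface) pairs lack a correct redirect. The sample dump is constructed, and the interface names and the ProxSMTP listening port (8025) are assumptions.

```python
"""Check that the transparent REDIRECT rules are present: an added
example, not the copfilter_p3scan status script.  Port 8110 for p3scan
comes from the text; the ProxSMTP listening port (8025 here) and the
interface names are assumptions.  A missing rule means mail bypasses the
proxy unscanned, which is what happens after "copfilter_p3scan stop"."""
import re
import subprocess

# What iptables-save prints for a REDIRECT rule in the nat PREROUTING chain.
RULE_RE = re.compile(
    r"^-A PREROUTING -i (?P<iface>\S+) -p tcp(?: -m tcp)? "
    r"--dport (?P<dport>\d+) -j REDIRECT --to-ports (?P<to>\d+)$")

# protocol -> (client-side port, proxy port); 8025 for ProxSMTP is assumed
EXPECTED = {"pop3": (110, 8110), "smtp": (25, 8025)}


def redirects(nat_save):
    """{(iface, dport): to_port} for every REDIRECT rule in the dump."""
    found = {}
    for line in nat_save.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            found[(m["iface"], int(m["dport"]))] = int(m["to"])
    return found


def missing_redirects(nat_save, ifaces, expected=EXPECTED):
    """(protocol, iface) pairs whose redirect is absent or points elsewhere."""
    found = redirects(nat_save)
    return [(proto, iface)
            for proto, (dport, to) in expected.items()
            for iface in ifaces
            if found.get((iface, dport)) != to]


def live_check(ifaces):
    """Same check against the running kernel (needs root)."""
    dump = subprocess.run(["iptables-save", "-t", "nat"],
                          capture_output=True, text=True, check=True).stdout
    return missing_redirects(dump, ifaces)


# Constructed iptables-save output: POP3 is redirected on both internal
# interfaces, SMTP only on eth0.
SAMPLE_NAT = """*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth2 -p tcp -m tcp --dport 110 -j REDIRECT --to-ports 8110
-A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j REDIRECT --to-ports 8025
COMMIT
"""

if __name__ == "__main__":
    print(missing_redirects(SAMPLE_NAT, ["eth0", "eth2"]))
```

Run live_check with the GREEN/BLUE/ORANGE interface names from a cron job and alert on a non-empty result; an empty result after a stop/start cycle is the quickest confirmation that the proxies are actually in the path again.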
- scans smtp traffic transparently, this means that no special configuration is needed on the client,
  the client doesn't even know that its smtp mail is being scanned for viruses and spam

%******************************************************************************************

*** HTTP Scanning

- description from http://havp.sourceforge.net/
HAVP is a proxy with an anti-virus filter. It does not cache or filter content. At the moment the complete
traffic is scanned. A reason for that is the chance of malicious code in nearly every filetype, e.g. HTML
(JavaScript) or Jpeg. I hope to stop especially dialer or browser exploits. But writing a http Anti Virus
Proxy is a dilemma! Huge downloads are a problem for virus scanning proxies. A Client should not receive
data which is unchecked by the virus scanner, but big downloads must not timeout.
Main aims of Havp are:
Continuous and non-blocking downloads
Smooth scanning of dynamic and password protected homepages

- uses ClamAV as a virus scanner

- i'm still receiving viruses (eicar.com, etc) - is havp not working ?
1. clean your web proxy cache (ipcop -> services -> proxy -> clean cache)
2. clean your browser's cache (firefox, ie, etc..)
3. restart your browser
4. try again :-)

privoxy

- description from http://www.privoxy.org:
Privoxy is a web proxy with advanced filtering capabilities for protecting privacy, filtering web page
content, managing cookies, controlling access, and removing ads, banners, pop-ups and other obnoxious
Internet junk. Privoxy has a very flexible configuration and can be customized to suit individual needs
and tastes.
Privoxy has application for both stand-alone systems and multi-user networks

- privoxy forwards its traffic to squid, and squid requests the websites from the internet
- there is a filter to make quicktime movies "savable"
- gets started as root, but runs as a normal user "privoxy"
- can easily be turned on and off with a bookmarklet (read MANUAL for details)

program gets started automatically at ipcop startup in this file
/etc/rc.d/rc.local

manually stop/start privoxy
Usage: privoxy {start|stop|reload|restart|status}
example: /etc/rc.d/init.d/copfilter_privoxy status

configuration files
/var/log/copfilter/default/opt/privoxy/etc/config
main privoxy configuration file
if the local ip address is changed, change the "forward" and the "listen-address" parameters accordingly in this file
/var/log/copfilter/default/opt/privoxy/etc/privoxy_default.action
here the privoxy default actions are defined
/var/log/copfilter/default/opt/privoxy/etc/privoxy_user.action
enter your personal configuration here

you can configure privoxy through a webgui at http://config.privoxy.org
(this page is not loaded from the internet, instead it comes from privoxy on the ipcop machine)

if you want to deactivate privoxy, so that it doesn't get started, and so that it doesn't get used
disable it in the webgui

to use the "privoxy bookmarklet" in the copfilter configuration window, privoxy and squid must be enabled for this to work

whitelist:
search for "Copfilter - whitelist websites" in the privoxy_user.action file and add your domain like this:
.domain.com
right below the .copfilter.org entry

- how do i know if privoxy is working ?
open the URL http://config.privoxy.org -> if you get a web configuration page of privoxy, installation is ok

# old !!!!!!
#- how does privoxy work ?
# the privoxy daemon listens on port 8118 for requests, if any browser sends a request for a
# web page to port 8118 to the machine where privoxy is installed, then privoxy accepts this
# request, after processing it, the request gets forwarded to the local web proxy squid on port 800, which
# then forwards the request to port 80 to a web server on the internet
# so if somebody wants to use privoxy then squid should be enabled
#
#  web browser  <--->   web filter        <--->  web proxy         <-->  web server
#  -------              ------------------------------------                ---------
# |       |    LAN     |port 8118                   port 800|   Internet   |port 80  |
# |       |------------|                                    |--------------|         |
# |       |            |                                    |              |         |
#  -------              ------------------------------------                ---------
#  client machine       ipcop machine         ipcop machine                 www.ipcop.org (example)
#  mozilla, opera,      privoxy               squid
#  internet explorer
# old !!!!!!!!!!!!!

- how can i disable/enable privoxy quickly ?
2 possible solutions:
a) make a bookmark to http://config.privoxy.org/toggle , here you can click on enable/disable
or
b) use a Bookmarklet: go to http://config.privoxy.org/toggle and use the Bookmarklets to make the toggle window popup
   example: use "Privoxy - Enable", then you can enable/disable privoxy just by clicking on a bookmark!
   (IE: drag and drop the link to your favorites)

- how can i disable the above feature / disallow my users from deactivating privoxy ?
set "enable-remote-toggle" to "0" in the "config" file

- where do i find good documentation about squid ?
http://squid.visolve.com/squid/squid30/contents.html
http://squid.visolve.com/squid/squid24s1/miscellaneous.htm#never_direct

%******************************************************************************************

*** transparent ftp proxy

- description from http://frox.sourceforge.net/
It is a transparent ftp proxy which is released under the GPL. It optionally supports caching (either
through an external http cache (eg. squid), or by maintaining a cache locally), and/or running a virus
scanner, on downloaded files.
It is written with security in mind, and in the default setup it runs as a non root user in a chroot jail.

- uses ClamAV as a virus scanner and F-PROT if installed

%******************************************************************************************

*** AntiSpam

if "Automatically add email addresses from outgoing SMTP Traffic to whitelist" is enabled
then any incoming smtp or pop3 email from a sender which is in the whitelist will not be scanned for spam (improves performance!)

local.cf
# trusted_networks 212.17.35.

Spam URI Realtime Blocklists
http://www.surbl.org/
allow spam detection via DNS by inspecting if the message body contains content which is listed in SURBL
(spammers frequently include a link to a website which would then be listed in SURBL)
List of all SURBL servers: http://spamassassin.apache.org/dist/rules/25_uribl.cf

DNS Block Lists
allow spam detection via DNS by inspecting if the ip address of the sending mail server is listed in a DNS Block List
List of all DNSBL servers: http://spamassassin.apache.org/dist/rules/20_dnsbl_tests.cf

p3pmail
- p3pmail will parse dangerous html tags from email messages to make them safer for viewing. It does this by
  skipping the header of the email message before parsing it for dangerous HTML tags. Also, it will only parse
  html email, not normal email. It was designed for p3scan but can be used as a stand alone program.

anomy
The Anomy sanitizer is what most people would call "an email virus scanner". That description is not totally
accurate, but it does cover one of the more important jobs that the sanitizer can do for you - it can scan
email attachments for viruses. Other things it can do:
* Disable potentially dangerous HTML code, such as javascript, within incoming email.
* Protect you from email-based break-in attempts which exploit bugs in common email programs (Outlook, Eudora, Pine, ...).
* Block or "mangle" attachments based on their file names. This way if you don't need to receive e.g.
  visual basic scripts, then you don't have to worry about the security risk they imply (the ILOVEYOU virus
  was a visual basic program). This lets you protect yourself and your users from whole classes of attacks,
  instead of blocking individual exploits.

spamassassin
- added german rules to recognize german spam
- additional X-Spam tags will be added in the mail header to describe why spamassassin marked the email as spam or ham
- supports whitelists and blacklists
- uses http://www.surbl.org/
- gets started as root, but runs as a normal user "spamd"

program gets started automatically at ipcop startup in this file
/etc/rc.d/rc.local

manually stop/start spamassassin:
Usage: spamd {start|stop|debug|reload|restart|status}
example: /etc/rc.d/init.d/copfilter_spamd status

configuration files:
/var/log/copfilter/default/opt/mail-spamassassin/etc/mail/spamassassin/local.cf

if you want to deactivate spamassassin, so that it doesn't get started, and so that it doesn't get used
disable it in the webgui

the body of an email will not be modified if the email has been tagged as SPAM
(the subject will contain *** SPAM *** AND the original subject)

- how can i test if my email is scanned for spam ?
have a look at the email headers, if there are any X-Spam headers the email has been scanned for spam
(if the sender's email address is whitelisted, then the email will not contain any spam headers)

- how can i improve spam recognition ?
enable the DNSBL lookups and rulesdujour rulesets in the webgui

- what are these files about ?
mail-spamassassin/default/share/spamassassin/*
mail-spamassassin/etc/mail/spamassassin/*
in these 2 directories i added rules for better recognition of spam

- how can i configure copfilter so that spam mails get automatically deleted ?
i don't recommend it, since the emails would then be gone for sure
i recommend: create a new rule in your email client which automatically sorts emails with this special subject
***** SPAM *****
into a "spam" folder, this way you can take a quick look if there are any false positive mails and afterwards
delete all of them manually
if you insist on deleting spam mails, you can configure this for SMTP in the webgui

- what do the numbers in *** SPAM *** [16.22/07.00] mean ?
the first number is the actual score the email got from spamassassin
the second number is the configured minimum score which needs to be reached so that spamassassin marks the email as SPAM

- can i change the minimum score which is needed so that a mail is marked as spam ?
yes, in the webgui

- some emails are not recognized as spam, what can i do ?
check if spam recognition is working
put the domain or the email address into the blacklist in the webgui

- how can i start spamassassin in debug mode ?
stop and then start the spam daemon in debug mode, then read /var/log/messages for details, while trying to receive email
"/etc/rc.d/init.d/spamd stop"
"/etc/rc.d/init.d/spamd debug"
tail -f /var/log/messages
-> now get email from a client and watch the messages on the screen output

- an email was wrongly recognized as spam, or a spam mail was not recognized as spam,
  can i add email addresses or domains to white- or blacklists ?
yes, add email addresses or whole domains to white- or blacklists in the webgui

- what's the recommended score level ?
required_hits n.nn (default: 5)
Set the number of hits required before a mail is considered spam. "n.nn" can be an integer or a real number.
5.0 is the default setting, and is quite aggressive; it would be suitable for a single-user setup, but if
you're an ISP installing SpamAssassin, you should probably set the default to be more conservative, like
8.0 or 10.0.
It is not recommended to automatically delete or discard messages marked as spam, as your users will
complain, but if you choose to do so, only delete messages with an exceptionally high score such as 15.0
or higher.

- what is my average spam scanning time for identified spam messages (in seconds) ?
look in the spam statistics in the webgui
(old:
grep identified /var/log/messages | awk '{s+=$12; i+=1} END {print "# of records is", i, " sum is", s, " average is", s/NR }'
)

- how can i train the bayes component of spamassassin ?
use the webgui, emails can be put on an imap server, and copfilter will retrieve them for training
if you don't have any spam available try these (not recommended though, you should use your own):
http://spamarchive.org/
http://wiki.apache.org/spamassassin/BayesInSpamAssassin?highlight=%28bayes%29

- if you're using SpamAssassin for non-commercial use, you may also want to turn on the MAPS rules, which
  are useful DNSBLs. Edit the user_prefs by entering
pico $HOME/.spamassassin/user_prefs
and add the following 4 lines:
score RCVD_IN_MAPS_RBL 2.0
score RCVD_IN_MAPS_DUL 1.0
score RCVD_IN_MAPS_RSS 2.0
score RCVD_IN_MAPS_NML 2.0

- can i use my existing imap mail server (exchange, courier,...) to train spamassassin ?
yes, see the webgui

##########################
# old start
- can i train spamassassin with pop3 emails ?
If your final delivery is to an IMAP accessible MTA, you can set up an even easier way to do mistake-based
Bayesian learning. Namely, you can create a LearnAsSpam folder. Rather than resending spam for learning,
you can just move any false negatives (spam that got delivered to your inbox) to this folder. Then, every
hour, those mails are pulled down (and deleted) from your IMAP server and learned as spam. Specifically,
many installations of Exchange server support access via IMAP, so this solution is one of the easiest ways
to enable end-user Bayesian training by Exchange users.
To do this, we need fetchmail, which we can confirm is installed with (which fetchmail).
First, we create a .fetchmailrc
pico .fetchmailrc
with our IMAP account information. This should look like the following, filling in your own information
for the server, username, and password:
poll mail.example.com protocol IMAP: user myusername with password mypassword
Now make it only readable to you with:
chmod 600 .fetchmailrc
In your mail client, create a top level IMAP folder called LearnAsSpam. Now, to test if the setup works,
move some spam into this folder. It's essential that this be real spam or else you'll mistrain your
Bayesian learner.
The path to fetchmail /usr/local/bin/fetchmail in the following command should be set to the results of
(which fetchmail). From the command line, enter:
/usr/local/bin/fetchmail -a -v -n --folder LearnAsSpam -m '$HOME/bin/sa-learn -D --spam'
You should see debug information of fetchmail accessing your IMAP account and downloading one message at
a time from the LearnAsSpam folder, and then debug info from sa-learn as it learns the message as spam.
sa-learn is smart enough to automatically strip away the SpamAssassin markup, if any. The messages should
have disappeared from your LearnAsSpam folder.
Once that's working well, you're ready to create a cron job to automatically do this every hour. Enter the
following commands:
echo "0 * * * * /usr/local/bin/fetchmail -a -s -n --folder \
LearnAsSpam -m '$HOME/bin/sa-learn --spam' > /dev/null" > cronfile
crontab cronfile
crontab -l
You should see the line starting with "0 * * * *" displayed. This means that you've set up a cron job to
automatically run fetchmail every hour. In case you're curious, -a means all mail in the folder, -s is
silent, -v verbose, -n means not to modify any headers, and -D turns on debugging in sa-learn. We redirect
the output to /dev/null to avoid having cron email us the output from sa-learn about messages having been
learned.
You should exclude any headers known to you that may confuse the bayes filter. For example, I receive a
"spam trap list" -- a mailinglist connected to a spamtrap. Any headers associated with this list should be
ignored by the bayes filter. You do not have to worry about re-feeding the headers SpamAssassin generates
into the bayes filter. The bayes filter knows these headers and automagically skips them.
You then need to edit sa-learn.pl & set your imap settings. I haven't looked at integrating TLS yet, so I
create an encrypted tunnel from the imap server to the spamassassin server (stunnel or ssh:
ssh -T -n -C -x -q -N -R 1143:localhost:143
# old end
##########################

*** razor

- description from http://razor.sourceforge.net/
Vipul's Razor is a distributed, collaborative, spam detection and filtering network. Through user
contribution, Razor establishes a distributed and constantly updating catalogue of spam in propagation
that is consulted by email clients to filter out known spam. Detection is done with statistical and
randomized signatures that efficiently spot mutating spam content. User input is validated through
reputation assignments based on consensus on report and revoke assertions which in turn is used for
computing confidence values associated with individual signatures.

configuration files
/var/log/copfilter/default/opt/mail-spamassassin/etc/mail/spamassassin/local.cf
if you want to enable razor, set the "use_razor2" parameter to "1"
use_razor2 1
it's disabled by default, enable it to improve spam recognition

*** dcc

- description from http://www.rhyolite.com/anti-spam/dcc/
In early 2004, the DCC or Distributed Checksum Clearinghouse is a system of thousands of clients and more
than 200 servers collecting and counting checksums related to more than 130 million mail messages per day.
The counts can be used by SMTP servers and mail user agents to detect and reject or filter spam or
unsolicited bulk mail.
DCC servers exchange or "flood" common checksums. The checksums include values that are constant across common variations in bulk messages, including "personalizations." The idea of the DCC is that if mail recipients could compare the mail they receive, they could recognize unsolicited bulk mail. A DCC server totals reports of checksums of messages from clients and answers queries about the total counts for checksums of mail messages. A DCC client reports the checksums for a mail message to a server and is told the total number of recipients of mail with each checksum. If one of the totals is higher than a threshold set by the client and according to local whitelists the message is unsolicited, the DCC client can log, discard, or reject the message. Because simplistic checksums of spam would not be effective, the main DCC checksums are fuzzy and ignore aspects of messages. The fuzzy checksums are changed as spam evolves. Since the DCC started being used in late 2000, the fuzzy checksums have been modified several times. 
*** webuserprefs

etc/spamassassin/local_webgui.cf

*** rulesdujour

- description from http://www.exit0.us/index.php?pagename=RulesDuJour
RulesDuJour is a bash script intended to automatically download new versions of SpamAssassin rulesets as
the authors release new versions

- using static spamassassin rulesets
  backhair.cf chickenpox.cf weeds.cf (are no longer being updated)

- using in the rulesdujour update script:
  SARE_BAYES_POISON_NXM BOGUSVIRUS TRIPWIRE SARE_EVILNUMBERS0 SARE_EVILNUMBERS1 SARE_EVILNUMBERS2 RANDOMVAL
  SARE_ADULT SARE_SPECIFIC SARE_FRAUD SARE_BML SARE_SPOOF SARE_RANDOM SARE_OEM SARE_GENLSUBJ0 SARE_URI0
  SARE_GENLSUBJ2 SARE_HTML0 SARE_HEADER0 SARE_REDIRECT_POST300 SARE_OBFU

can be enabled/disabled from the webgui

configuration file
/var/log/copfilter/default/opt/tools/etc/rules_du_jour.conf
currently these rulesets are used:
BLACKLIST_URI TRIPWIRE ANTIDRUG EVILNUMBERS BIGEVIL RANDOMVAL MRWIGGLY SARE_ADULT SARE_FRAUD SARE_BML SARE_RATWARE
you can add new ones here
updates for the above rulesets are available through configuration of the update interval of rules_du_jour in the webgui

- rules du jour is trying to update a list but hangs since the URL is not valid anymore, or since the URL
  is currently not working, what is happening ?
rules_du_jour uses wget to retrieve the list, wget has a default timeout of 900sec (15min) #old
before aborting the connection, rules_du_jour will probably update the rules_du_jour script if the URL is
permanently down

%******************************************************************************************

AntiVirus

*** virusscanner clamav

- an opensource project
- is based on virus signatures from http://www.openantivirus.org
- archive scanning, has builtin support for zip, gzip, rar2.0 and has external support for others
- automatic download of new virus signatures, they only get downloaded if newer ones are available
- automatic smtp email delivery to inform the user when new signatures have been installed,
  includes version information of signatures and program,
  notice that for email delivery a very simple and small smtpclient is used, so there is no smtp daemon
  like sendmail running
- gets started as root, but runs as a normal user "clamav"

program gets started automatically at ipcop startup in this file
/etc/rc.d/rc.local

manually stop/start clamd
Usage: clamd {start|stop|reload|restart|status}
example: /etc/rc.d/init.d/copfilter_clamd status

signature update interval is configurable in the webgui
if configured, clamav tries to download new virus signatures, if no newer updates are available, nothing
will be downloaded, if ipcop is not connected, nothing will be downloaded as well

configuration files
/var/log/copfilter/default/opt/clamav/etc/clamd.conf
this is the main configuration file for clamd (clamscan daemon)
/var/log/copfilter/default/opt/clamav/etc/freshclam.conf
this is the main configuration file for freshclam (automatic virus signature updater)

if virus signatures are updated, you should get an email informing you about the successful virus
signature update with information about the virus signatures' date, but only if you correctly configured
your email settings in the webgui

execute the following to manually update the virus signatures:
clamav:
/var/log/copfilter/default/opt/tools/bin/check-updates_clamav.sh
... or click on "manual update" in the webgui

show installed virus definition files' dates:
clamav: /var/log/copfilter/default/opt/clamav/default/bin/freshclam
... or check in the webgui

if you want to deactivate clamscan, so that it doesn't get started, and so that it doesn't get used
disable it in the webgui

- how can i test if my email is scanned for viruses ?
send yourself the testvirus eicar.com and see if it was blocked

- how do i know if the virus signatures get updated ?
check on the webgui or:
check the version of the signatures:
show installed virus definition files' dates:
f-prot -v |head |grep created
freshclam |grep cvd
(read MANUAL for exact program location)

- how can i update the virus signatures manually ?
use the webgui or

- how can i change the virus signature download interval ?
use the webgui or

- when clamav makes an update, i receive an email, how can i modify this email ?
the email gets sent in this script
/var/log/copfilter/default/opt/tools/bin/check-updates_clamav.sh
if you want to modify something you would have to edit this script accordingly, basically i write some
information to a temporary file $TMP_FILE3 and then the contents of this file gets sent via email with the
command
cat $TMP_FILE3 |

- i have a licence question with f-prot
read the "license issues" section further above

in order to download clamav updates from the nearest local mirror, edit this file
/var/log/copfilter/default/opt/clamav/etc/freshclam.conf
and if for example you live in germany change
# Uncomment the following line and replace XY with your country
#DatabaseMirror db.XY.clamav.net
to
# Uncomment the following line and replace XY with your country
DatabaseMirror db.de.clamav.net
a list of available mirrors is available here: http://www.clamav.net/mirrors.html

*** virusscanner avg

from their website:
AVG Free for Linux scores again
AVG Free for Linux has been awarded "Recommended" status in a recent
Personal Computer World review. The review stated that AVG was 'an easy to use antivirus utility that's
well suited to new Linux converts'.

AVG protects users from the Internet Explorer error exploit
Users of AVG Anti-Virus can be assured that they are not at risk from threats which exploit the recently
published security error in MS Internet Explorer. All possible attacks are blocked by the AVG Resident
Shield. All known variations of the exploit will be identified by the system as "Exploit.CVE-2006-1359".
However, the GRISOFT analysts stress that the situation cannot be considered as final until the Microsoft
patch release (planned for mid-April) has been installed.

Welcome to the AVG Free Web Site
You are only moments away from enjoying the virus protection benefits of AVG Free. But before downloading
the software for your home computer, please review the features of AVG Free and AVG Professional Single
Edition side by side - then decide which software is the right solution for your needs.

AVG Free Edition for Linux is based on the commercial AVG 7.1 for Linux Edition and uses the same
scanning engine.

"Thank you for your AVG Free program. . . . It has saved my system a few times in the past and today it
has once again . . . Thank you, Grisoft!" - Ed L.

"It has all the essentials, including a resident memory scanner, an e-mail scanner, and scheduled hard
disc scans. But what really amazes us is the frequency of the virus definitions and application updates
available from Grisoft."
- Maximum PC

*** virusscanner f-prot

- available optionally based on use
- a commercial product from frisk software international
- free for home use
- archive scanning, has builtin support for .zip, .cab, .tar, .gz
- automatic download of new virus signatures, they only get downloaded if newer ones are available
- automatic smtp email delivery to inform the user when new signatures have been installed
  (includes version information of signatures and program)
  a very simple and small smtpclient is used, so there is no smtp daemon like sendmail running
- runs as root

signature update interval is configurable in the webgui
if configured, fprot tries to download new virus signatures, if no newer updates are available, nothing
will be downloaded, if ipcop is not connected, nothing will be downloaded as well

#old start
#every month fprot tries to download and install a new f-prot version (not signatures but program updates)
#(this only happens if fprot virus signature updates are enabled)
#if you want to prohibit this delete the file fprot_prg_counter
#
#execute the following to manually update the virus signatures:
#fprot: /var/log/copfilter/default/opt/tools/bin/check-updates_f-prot.sh
#... or click on "manual update" in the webgui
#old end

show installed virus definition files' dates:
fprot: /var/log/copfilter/default/opt/f-prot/default/f-prot -verno
... or check in the webgui

if virus signatures are updated, you should get an email informing you about the successful virus
signature update with information about the virus signatures' date, but only if you correctly configured
your email settings in
/var/log/copfilter/default/etc/global_settings

- do i have to pay if i use fprot ?
read http://www.f-prot.com/products/home_use/linux/ for more details
from their website: "F-Prot Antivirus for Linux Workstations is FREE for use by personal users on personal workstations"
if you are a business, please buy fprot @ http://www.f-prot.com/products/corporate_users/unix/linux/mailserver.html
here are the prices: http://www.f-prot.com/products/prices/price_unix_ms.html

- do i have to pay for "F-Prot Antivirus for Linux x86 Mail Servers" even though i'm using
  "F-Prot Antivirus for Linux x86 Workstations" in copfilter ?
.. based on a telephone call i had with fprot in germany, the answer is YES, but please confirm yourself

- when i try to install fprot i get the following error message:
-bash: setup_util: command not found
you need to invoke setup_util like this (you forgot the leading ./ )
./setup_util -f downloaded-fprot-installation-file

usr local bin
perl modules
global_settings
copfilter_functions
setup_util
init scripts
build scripts (requires an ipcop build environment)
translations
mailscanner.sh
copfilter.cgi
php

- why is php installed ?
the blacklist/whitelist webgui uses php

- how is php configured, how did you compile it ?
open https://:445/cgi-bin/spam_webgui/info2.php

mailscanner.sh

- how does p3scan scan for viruses, spam etc ?
p3scan intercepts the outgoing pop3 connection and then starts mailscanner.sh (read MANUAL for exact
location) which does the following:
0. renattach
   renames dangerous attachments
1. ripmime
   rips the email apart, message + attachments are separated
2. clamav
   the message and attachments are scanned for viruses with the clamav virus scanner
3. fprot
   the message and attachments are scanned for viruses with the fprot virus scanner
4.
   spamassassin
   the message and attachments are scanned for spam with the spamassassin spam scanner (spamc)

*** renattach

- description from http://www.pc-tools.net/unix/renattach/
renattach is a fast and efficient UNIX stream filter that can rename or delete potentially dangerous
e-mail attachments. It's a highly effective way of protecting end-users from harmful mail content
(worms/viruses) by disabling or removing attachments that may be accidentally executed by users. The
filter is invoked as a simple pipe for use in a wide variety of systems. The 'kill' feature (which
eliminates entire messages) can also help sites deal with resource strains caused by modern virus floods.

can be enabled/disabled from the webgui

configuration files
/var/log/copfilter/default/opt/tools/etc/renattach.conf
this is the main renattach config file
here you can configure which attachments (based on extension) should be renamed by renattach, you can add
or remove any file extension in this file

- what is renattach ?
see the description from their website above

- how does renattach work, how can i disable/modify it ?
this program is enabled by default, you can change its settings in renattach.conf
if you want to disable it, comment the line starting with "renattach" in p3scan.conf

- renattach filters exe files, i don't want this, what can i do ?
delete the EXE extension from the badlist line in renattach.conf

- does renattach delete any attachments ?
i configured it so that attachments are only renamed and not deleted !
but if you want this feature you can configure it

- which attachments does renattach rename ?
see the webgui

*** ripmime

ripMIME has a single sole purpose, to extract the attached files out of a MIME package
it is being released under a BSD style licence

*** formail

formail is a filter that can be used to force mail into mailbox format, perform `From ' escaping,
generate auto-replying headers, do simple header munging/extracting or split up a
mailbox/digest/articles file. The mail/mailbox/article contents will be expected on stdin. If formail is
supposed to determine the sender of the mail, but is unable to find any, it will substitute `foo@bar'.
If formail is started without any command line options, it will force any mail coming from stdin into
mailbox format and will escape all bogus `From ' lines with a '>'

%******************************************************************************************

old...
TESTING
execute /root/copfilter/tests/make_all_tests.sh for all debug tests, this will send you
+ an email with a (harmless) exe attachment (to test renattach)
+ an email with a (harmless) virus attachment (to test virus scanner)
+ an email containing spam (to test spamassassin)
+ an email with the current clamav virus signatures
+ an email with the current fprot virus signatures (only if installed)
- this will only work if you entered your email address and smtp server in the webgui like described above
- read the TESTING file for more details

TESTING
just execute /var/log/copfilter/default/tests/make_all_tests.sh and the steps below will be performed,
a logfile is written to make_all_tests.log, if any of the steps below fails see MANUAL and FAQ for errors,
debugging etc

make_all_tests.sh will:
-----------------------
0. send you a test exe attachment email (to test renattach)
   you should check if the email you received has a renamed attachment
   so instead of getting test.exe as an attachment you should get test.exe.bad instead
1.
   send you a test spam mail (to test p3scan and spamassassin)
   a) you should check if the email you received has a changed subject:
      "***** SPAM ***** (XX/XX) "
   b) you should check if the email you received contains a "X-Virus-Scanner"
      line in the header; then you know that the pop3 proxy (p3scan) is
      actually scanning your incoming pop3 emails
   c) you should check if the email you received contains a "X-Spam-Report"
      line in the email header; then you know that spamassassin (spamd) is
      actually scanning your emails for spam
2. send you a harmless testvirus mail (to test clamav and fprot)
   you should check if you get a "found virus" email report, and if both
   f-prot and clamav found the virus (this info is included in the "found
   virus" email report)
3. make a local spam test (to see if spamassassin is running)
4. download clamav signature updates and send you an update email
   you should check if you received such an email with the information about
   the current clamav virus signatures (date or version number of the virus
   signatures)
5. make a local virus scan test with clamav
   check the output to see if clamav found the testvirus
6. download f-prot signature updates and send you an update email
   you should check if you received such an email with the information about
   the current f-prot virus signatures (date or version number of the virus
   signatures)
7. make a local virus scan test with f-prot
   check the output to see if f-prot found the testvirus

in 3., 5. and 7. you will see how much time (in seconds) the step took

my results:

intel celeron 300MHz, 128MB RAM
  SPAMASSASSIN: identified spam (8.1/7.0) for root:702 in 4.4 seconds, 873 bytes.
  CLAMAV: Time: 4.530 sec (0 m 4 s)
  F-PROT: Time: 0:00

amd athlon XP 2200MHz, running in a vmware session with 48MB RAM
  SPAMASSASSIN: identified spam (8.1/7.0) for root:702 in 1.4 seconds, 873 bytes.
  CLAMAV: Time: 1.255 sec (0 m 1 s)
  F-PROT: Time: 0:00

i'd like to include your results too if you have different hardware

**************************
you can visit http://www.testvirus.org and send yourself a virus from this
website as well
**************************

examples of emails you will get

0. renattach - email with a renamed attachment

   Email Header:
     X-Filtered-With: renattach 1.2.1
     X-RenAttach-Info: mode=badlist action=rename count=0
     Subject: [renamed attachment] test mail from your ipcop machine with a .exe attachment
   Body:
     test mail from your ipcop machine with a .exe attachment

1. p3scan and spamassassin - changed email

   a) Subject: ***** SPAM ***** (16.22/07.00) test mail from your ipcop machine, VIAGRA
   b) Email Header:
      X-Virus-Scanner: P3Scan Version 1.0 by /
   c) Email Header:
      X-Spam-Flag: YES
      X-Spam-Checker-Version: SpamAssassin 2.63 (2004-01-11) on verena.madlener.tk
      X-Spam-Level: ****************
      X-Spam-Status: Yes, hits=16.2 required=7.0 tests=BIZ_TLD,DOMAIN_BODY,
        EXCUSE_14,HTML_30_40,HTML_FONTCOLOR_UNKNOWN,HTML_FONT_INVISIBLE,
        HTML_MESSAGE,HTML_MIME_NO_HTML_TAG,MIME_HTML_ONLY,NO_REAL_NAME,
        OBFUSCATING_COMMENT,OFFERS_ETC,REMOVE_PAGE,SUBJ_VIAGRA,VIAGRA
        autolearn=no version=2.63
      X-Spam-Report:
        * 0.3 NO_REAL_NAME From: does not include a real name
        * 2.8 SUBJ_VIAGRA Subject includes "viagra"
        * 1.8 DOMAIN_BODY BODY: Domain registration spam body
        * 1.9 VIAGRA BODY: Plugs Viagra
        * 0.2 OFFERS_ETC BODY: Stop the offers, coupons, discounts etc!
        * 0.2 EXCUSE_14 BODY: Tells you how to stop further spam
        * 0.1 HTML_FONTCOLOR_UNKNOWN BODY: HTML font color is unknown to us
        * 0.8 HTML_30_40 BODY: Message is 30% to 40% HTML
        * 0.0 HTML_MESSAGE BODY: HTML included in message
        * 0.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
        * 0.4 HTML_FONT_INVISIBLE BODY: HTML font color is same as background
        * 0.8 REMOVE_PAGE URI: URL of page called "remove"
        * 0.8 BIZ_TLD URI: Contains a URL in the BIZ top-level domain
        * 1.7 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
        * 4.3 OBFUSCATING_COMMENT HTML comments which obfuscate text

   now you know that the email was successfully scanned for spam by
   spamassassin. the X-Spam-Status line tells you which score the email
   reached (hits) and the limit it is compared against (required); the
   X-Spam-Report lines tell you which tests contributed how much. spamassassin
   marks an email as spam as soon as it reaches that score limit. different
   tests result in different scores, for example: if no sender name is defined,
   if 100% of the mail is HTML, or if words like porn or viagra are found in
   the message, then the score gets higher. the higher the score, the more
   certain it is spam (this test is to check the scanning functionality)

2. fprot and clamav - "found virus" email report (with eicar.com testvirus)

   Subject: Virus found in a mail to you.
   Body:
     Hello XXXXXXX
     This mail was generated automatically from P3Scan, which runs on
     verena.madlener.tk.(none) for scanning all mails for spam and viruses.
     In a mail sent to you a virus has been found.
     Virus name: clamscan found virus *Eicar-Test-Signature* in email attachment *eicar.com*
     Sender of the email:
     Subject: (harmless) VIRUS test mail from your ipcop machine
     Connection date: POP3 from XXXXXXXXX:3236 to XXXXXXXXXXX:110
     Message File: /var/log/copfilter/default/opt/p3scan/default/var/spool/p3scan/children/2595/p3scan.1Uzaii
     Instead of the infected email this message has been sent to you.
     The original email (including the virus) has been saved to a file in this
     directory:
     /var/log/copfilter/default/opt/p3scan/default/var/spool/p3scan
     The name of the file (containing the virus infected email) is the same as
     in the Message File description above. It starts with "p3scan." and ends
     with a combination of 6 random characters or numbers.
     An example: p3scan.fqlCuS
     --
     P3Scan 1.0 by Jack S. Lai

   have a look at the "Virus name:" line, here you will see which virus scanner
   found which virus. with both scanners installed you will see that clamscan
   AND fprot found the eicar testvirus ! with this method you can also see if
   one virus scanner failed to recognize a virus found by the other scanner !!

3. self explaining

4. clamav signature update - Email

   Subject: clamav antivirus update
   Body:
     --------------------------------------
     ClamAV update process started at Wed Apr 28 01:00:36 2004
     main.cvd is up to date (version: 22, sigs: 20229, f-level: 1, builder: tkojm)
     daily.cvd updated (version: 287, sigs: 1047, f-level: 2, builder: tomek)
     Database updated (21276 signatures) from database.clamav.net (195.70.36.141).
     clamscan / ClamAV version 0.70

5. self explaining

6. fprot signature update - Email

   Subject: f-prot antivirus update
   Body:
     F-PROT ANTIVIRUS
     Program version: 4.4.0
     Engine version: 3.14.10
     VIRUS SIGNATURE FILES
     SIGN.DEF created 11 March 2004
     SIGN2.DEF created 11 March 2004
     MACRO.DEF created 8 March 2004

7. self explaining

support

- where can i get further support, share my thoughts or offer help ?
  write me an email; please include ipcop.log and make_all_tests.log (my email
  address can be found in FEATURES). you can also take a look at the forums,
  boards etc; further links are in the LINKS file
- where can i download the newest version of the package ?
  read the FEATURES file
- how can i contact the author ?
  read the FEATURES file
- what's the reason for that complicated package numbering/versioning ?
  read the FEATURES file
- are any translations available ?
  please read the TRANSLATIONS file
- is there a copfilter forum ?
  yes there is ! visit http://copfilter.endlich-mail.de/

mailing list

*** explanation of the package versioning

example: ipcop_addon_pkg_200402180112.tgz
so 200402180112 means:
  2004  year
  02    month
  18    day
  01    hour
  12    minute
...when the package was compiled

please report any bugs or errors to me so that i can remove them and release a
new package version. please also tell me if you find any private configuration
in any of the files

links

** programs used to administrate and transfer files to ipcop
  http://www.chiark.greenend.org.uk/~sgtatham/putty/
  http://winscp.sourceforge.net/eng/

** copfilter address:
  official site    http://www.copfilter.org
  copfilter forum  http://copfilter.endlich-mail.de

** ipcop address:
  official site            http://www.ipcop.org
  unofficial addon server  http://firewalladdons.sourceforge.net
  unofficial addon server  http://www.dageek.co.uk/ipcop
  unofficial addon server  http://www.supporting-role.net/software/ipcop/software-list.php
  ipcop images             http://prdownloads.sourceforge.net/ipcop/?sort_by=date&sort=desc
  ipcop user list          http://marc.theaimsgroup.com/?l=ipcop-user
  ipcop devel list         http://marc.theaimsgroup.com/?l=ipcop-devel
  ipcop howto's            http://www.netintegrity.com.au/tutorial/webindex.html

** ipcop support sites
  english  http://ipcop.hopto.org
  english  http://www.ipcops.net
  german   http://www.ipcop-forum.de "IPCop und Modifikationen"
  french   http://www.ixus.net
  dutch    http://www.ipcop.nl
  are there any others ?

** etc
  various mail virus tests  http://www.testvirus.org

** documentation:
  spamassassin's local.cf  http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html

** OT (off topic): hosts file
  http://accs-net.com/hosts/get_hosts.html
  http://accs-net.com/hostess/
  http://www.pestpatrol.com/Support/HowTo/How_To_Block_Ads.asp
  http://remember.mine.nu/
  http://asp.flaaten.dk/download/pafiledb.php?action=category&id=2
  http://www.smartin-designs.com/

- where can i find other firewall distros?
  Mandrake MNF   http://www.mandrakesoft.com/products/mnf
  Smoothwall     http://www.smoothwall.org   express version for free (this is what ipcop forked from)
  E-Smith SME    http://www.e-smith.org   free
  ClarkConnect   http://www.clarkconnect.org   free home edition
  m0n0wall       http://neon1.net/m0n0wall/   for embedded PCs, free
  Engarde        http://www.engardelinux.org
  sentry         http://www.sentryfirewall.com/
  commercial:
  Astaro         http://www.astaro.com/   free for home use
  Gibraltar      http://www.gibraltar.at

binaries included:
  copfilter_add_to_list
  copfilter_check-updates_clamav
  copfilter_check-updates_f-prot
  copfilter_cron
  copfilter_make_test
  copfilter_reconfigure
  copfilter_restartclamd
  copfilter_restartfrox
  copfilter_restarthavp
  copfilter_restartp3scan
  copfilter_restartp3scan_debug
  copfilter_restartprivoxy
  copfilter_restartproxsmtpd
  copfilter_restartproxsmtpd_debug
  copfilter_restartspamd
  copfilter_sendexeattachment
  copfilter_sendtestspam
  copfilter_sendtestvirus
  copfilter_updates_rules_du_jour
  altermime (alterMIME v0.3.5 (18-Sep-2004) by Paul L Daniels - http://www.pldaniels.com/altermime)
  formail
  ncftp 3.1.7, ncftpget
  renattach
  ripmime
  rules_du_jour, rules_du_jour_instant
  sendEmail (sendEmail-v1_42-smtp-auth)
  smtpclient
  time
  unzip
  wget
  sanitizer.pl
  clamscan
  fetchmail 6.2.5
  havp
  spamassassin
  p3pmail
  p3scan
  php 4.3.11
  privoxy 3.0.3
  razor-client 2.67
  proxsmtpd

troubleshooting and FAQ

errors

- i'm having troubles sending emails to the internal email server
  please try to find out if this error is caused by copfilter (proxsmtpd).
  this can be tested by simply stopping the proxsmtpd service and adding a
  port forwarding rule to IPCop by using its webgui (Firewall/Port
  Forwarding). if the error is still the same, then the error is not being
  caused by copfilter or proxsmtpd, since the traffic is now bypassing
  copfilter without modification. don't forget to remove the port forwarding
  rule before starting proxsmtpd again, otherwise unscanned smtp traffic keeps
  reaching your mail server
- i get these errors on the console:
  /var/log/copfilter/default/opt/monit/etc/monitrc:1lError
  syntax error 'from'
  Init: Id "no" respawning too fast: disabled for 5 minutes.
  this means that you have not yet entered your email address in the copfilter
  webgui
- my emails are not being spam scanned
  please check if the email address is on the whitelist
- i have updated ipcop, now the copfilter entry in the webgui, my crontab
  entries or something else isn't working
  execute /root/copfilter/setup_util -i --force
  if this doesn't help, uninstall and re-install copfilter
- i'm trying to install copfilter but when i try to extract it with the
  command
  tar xzvf copfilter-0.0.95.tgz
  i get the following error
  Gzip: stdin: not in Gzip format
  Tar: child returned status 1
  Tar: error exit delayed from previous error
  this means that the file you downloaded has not been downloaded completely,
  or there was some error when downloading; compare the size of the downloaded
  file with the original, then download the whole file again and extract once
  more. also disable your local antivirus program, as it could prevent you
  from downloading copfilter. also try to download the file directly, without
  a download manager or a proxy in between
- i'm getting this or a similar error when running the test email scripts:
  sendEmail - EXITING - The remote server returned the error: 554 SMTP synchronization error
  just try again, sometimes the smtp server or the smtp client don't respond
  in time
- HELP, i can't download any emails anymore, what can i do ?
  just stop the pop3 proxy with
  /etc/rc.d/init.d/p3scan stop
  and everything should be as it was before you installed this package
- what should i do if my email client reports an error that a timeout on
  email receival has occured ?
  check if p3scan is running via "/etc/rc.d/init.d/p3scan status". if it's
  running then try to stop it (no virus and spam scanning will occur while it
  is stopped). if it's not running, run the "/etc/rc.d/init.d/p3scan stop"
  command anyway: the stop script also removes the pop3 redirect rules, so a
  dead proxy no longer swallows your pop3 connections
- i configured lots of settings in various configuration files, and after
  updating all changes are gone. are they lost ?
  no, all of the files you configured are still in /var/log/copfilter//

  then this email has been scanned and passed through copfilter.
  or send yourself a testspam or a testvirus email to receive a spam mail
  tagged with ***SPAM*** in the subject, or a virus notification email. this
  is possible through the command line
  /var/log/copfilter/default/tests/make_all_tests.sh
  or in the webgui by activating the checkbox "Test all functions (logs to
  screen)" and clicking on "Save settings and activate",
  or even from a website: http://www.testvirus.org

performance

- why are my pop3 emails all of a sudden downloading so slowly ?
  copfilter has to download an email completely on the ipcop machine first,
  then scan it for viruses and spam, and only then send it to your email
  client; this takes time. you can increase this speed significantly by
  deactivating the spam scanning, which uses most of the time needed to scan
  an email
- why do i have such a poor network throughput when copying the package from
  windows with pscp to ipcop ?
  that's a putty problem, update to a version greater than 0.54
- how can i accelerate pop3 email scanning and retrieval ?
  only by deactivating some features, but this will degrade spam and virus
  recognition
- how can i improve spam recognition ?
  configure the webgui
- performance is so bad, can i have my ipcop machine download (for example
  with fetchmail) and scan all emails in the background, so that i can fetch
  them to my email client much faster than doing this online ?
  no, this package is not an email server, only a pop3 proxy. but i'm
  considering adding the above in a separate package; don't ask me when, maybe
  soon, maybe never, i'll announce it on my webpage
- how can i decrease memory usage ?
  deactivate rules_du_jour and the german rules, or deactivate spamassassin,
  which uses lots of ram

mail issues

- how can i view an attachment from an email in quarantine ?
  copy and paste the message to a new text file with a .msg extension and
  open it in outlook for example (or use a mime decoding utility). remember
  that the message is in quarantine because a scanner found a virus in it, so
  do this on an isolated test machine, not on your workstation

network issues

- what is or how do i configure ipcop portforwarding, external access, which
  traffic is allowed by default, which kind of traffic do i have to explicitly
  configure ?
  have a look at http://www.ipcop.org/1.4.0/en/admin/html/section-firewall.html
- i'd like some users of the RED zone to access my mail server in ORANGE
  (not verified by myself, but peter told me that this works for him)
  step by step guide from peter dot schnuerer at schnuerer dot com
  1. install package
  2. open ipcop remote-access port 8110 in services
  3. remove all ip forwarding in "services" of ipcop for the mail server
  4. edit /var/log/copfilter/default/opt/p3scan/etc/init.d/p3scan
     replace each appearance of eth0 with eth2 or whatever the "RED" interface is
     in the start() and debug() functions enter before the line "#start daemon":
       iptables -t nat -A OUTPUT -j DNAT -d MY_PUBLIC_MAIL_SERVER -p tcp --dport pop3 --to-destination MY_DMZ_MAIL_SERVER_IP:110 > /dev/null 2>&1
     in the debug() and stop() functions after the line
       iptables -t nat -F P3SCAN > /dev/null 2>&1
     enter:
       iptables -t nat -D OUTPUT -j DNAT -d MY_PUBLIC_MAIL_SERVER -p tcp --dport pop3 --to-destination MY_DMZ_MAIL_SERVER_IP:110 > /dev/null 2>&1
- if in some case your emails are scanned when they shouldn't be, or the other
  way around, and you are using an internal pop3 mail server on ORANGE, check
  if you are using the public domain name (ex.
  pop3.mydomain.com) from the ipcop machine instead of an internal mail server
  ip address, for example in the orange network (192.168.2.100), in the pop3
  client settings
- where can i get some more docu on iptables ?
  org location:             http://www.netfilter.org/documentation/index.html#documentation-faq
  debian docu:              http://qref.sourceforge.net/Debian/reference/ch-gateway.en.html#s-netfilter-basics
  great article in german:  http://www.heise.de/security/artikel/38220
  SNAT/DNAT in german:      http://www.netfilter.org/documentation/HOWTO/de/NAT-HOWTO-6.html#ss6.1
- how does netfilter (iptables) process packets ?
  answer from: http://www.netfilter.org/documentation/index.html#documentation-faq
  netfilter processes packets using five built-in chains: PREROUTING, INPUT,
  FORWARD, OUTPUT, and POSTROUTING.

                          routing
                          decision
  IN ------> PRE ---------> ------> FORWARD -------> POST -----> OUT
  interface  ROUTING         \      filter    /      ROUTING    interface
             DNAT             |     tracking  ^      SNAT
             REDIRECT         |               |      MASQUERADE
                              v               |
                            INPUT           OUTPUT
                            filter          filter, DNAT
                              |               ^
                              \--> Local Process --/
                                   user-space programs

- what are the 3 netfilter tables called and how can i display their contents ?
  * filter   iptables -L -vnx
  * nat      iptables -L -vnx -t nat
  * mangle   iptables -L -vnx -t mangle
- how can i zero all counters ?
  iptables -t nat -Z
  note that -Z only zeroes the counters of the table selected with -t (the
  filter table if -t is omitted), so to really zero all counters run it once
  per table:
  iptables -Z ; iptables -t nat -Z ; iptables -t mangle -Z
- how do i get rid of these type of messages in /var/log/messages (i get so
  many that it just doesn't make any more sense)
  Mar 12 13:17:33 hostname kernel: INPUT IN=ppp0 OUT= MAC= SRC=X.X.X.X DST=X.X.X.X LEN=44 TOS=0x00 PREC=0x00 TTL=114 ID=54627 DF PROTO=TCP SPT=2713 DPT=1433 WINDOW=8192 RES=0x00 SYN URGP=0
  get rid of the msgs until next reboot:
  /sbin/iptables -D INPUT -m limit --limit 10/minute --limit-burst 5 -j LOG --log-prefix "INPUT "
  (-D only removes the rule if you give it exactly as it was added; if the
  command fails, list the chain with "iptables -L INPUT -vn --line-numbers"
  and delete the LOG rule by its number instead)
  disable msg logging at boot:
  sed -e '/ -A INPUT -m limit --limit 10\/minute -j LOG --log-prefix "INPUT "/d' /etc/rc.d/rc.firewall >/tmp/rcf
  mv /tmp/rcf /etc/rc.d/rc.firewall
  chmod 755 /etc/rc.d/rc.firewall
  above line deletes the specific entry from your firewall ! make a backup of
  rc.firewall first and check with diff that only the LOG line is gone: if
  your rc.firewall spells the rule differently, the sed pattern matches
  nothing and the file is rewritten unchanged
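the sed/mv sequence above has two weak spots: it reports success even when the
pattern matched nothing, and mv replaces the file (hence the chmod afterwards).
the following is an added example (not part of copfilter) that does the same
edit with a backup, refuses to touch the file unless exactly one line matches,
and keeps the file mode. the rc.firewall fragment it creates is constructed for
the demonstration; the function takes the file path as a parameter, so try it
on a copy before pointing it at /etc/rc.d/rc.firewall.

```shell
#!/bin/sh
# Added example, not copfilter code: remove the INPUT LOG rule line from an
# rc.firewall-style script, but only if it is found exactly once.
#  - the original is kept as <file>.bak
#  - the edit is refused (exit 1, file untouched) on 0 or >1 matches
#  - the file is overwritten in place, so owner and mode (0755) survive

# The rule text as it appears in the FAQ above; it must match your rc.firewall
# byte for byte or nothing is removed.  Matched as a fixed string (-F), so no
# escaping of "/" is needed, unlike with a sed address.
LOG_RULE='-A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "'

# remove_log_rule FILE -> 0 if the single matching line was removed, 1 otherwise
remove_log_rule() {
    target=$1
    # grep -c prints the count but exits 1 on zero matches; keep the count
    matches=$(grep -cF -- "$LOG_RULE" "$target" || true)
    if [ "$matches" -ne 1 ]; then
        echo "refusing to edit $target: rule matched $matches lines, expected 1" >&2
        return 1
    fi
    cp -p "$target" "$target.bak" || return 1          # backup with mode/owner
    grep -vF -- "$LOG_RULE" "$target" > "$target.tmp" || return 1
    cat "$target.tmp" > "$target" && rm -f "$target.tmp"   # in place: mode kept
}

# make_sample_rcfirewall FILE -> writes a constructed rc.firewall fragment
# (three rules in the style of IPCop's script) and marks it executable
make_sample_rcfirewall() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed fragment for testing remove_log_rule, not the real rc.firewall
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m limit --limit 10/minute -j LOG --log-prefix "INPUT "
/sbin/iptables -A INPUT -j DROP
EOF
    chmod 755 "$1"
}

# usage on a copy:  cp -p /etc/rc.d/rc.firewall /tmp/rc.firewall
#                   remove_log_rule /tmp/rc.firewall && diff /tmp/rc.firewall.bak /tmp/rc.firewall
```

running it a second time fails on purpose, because the rule is no longer there;
that is the signal the original one-liner never gives you.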
- ftp active/passive
  article: http://slacksite.com/other/ftp.html

questions regarding other mail servers:

- does this package support MS Exchange server ?
  not directly, but you can enable smtp forwarding to your exchange server.
  another possibility: if you are looking for a free spam/virus checker for
  exchange you might want to check out http://assp.sourceforge.net
  there is a win32 installer for assp at http://www.andersonit.com/assp.html,
  but i have never tested it; please report if this works for you, so that i
  have an answer for other users if they ask (lots of people ask me for
  exchange support ...)
- how can i transfer pop3 email to my exchange server ?
  i found this, but i don't know if it really works:
  SmartPOP2Exchange V5.0 http://www.jam-software.com/smartpop2exchange/index.shtml
- i have a mail server running on my ipcop machine, does this package work for
  me as well ?
  a user reported he had postfix running and it didn't affect copfilter.
  i guess fetchmail could work as well
- is this addon supported on Mandrake MNF, Smoothwall, E-Smith, Clarkconnect, ... ?
  NO, this addon is only supported on IPCop, and i will not make it compatible
  with any other distro. but if you like, modify the addon yourself and inform
  me of its availability so that other users can benefit from it; you can also
  ask me for support on porting to a different distro
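to close, an added example (not code from copfilter or its author) for the
checks that the TESTING section above asks you to do by eye after
make_all_tests.sh has run: whether the received mail carries the
X-Virus-Scanner line (p3scan handled it), the X-Spam-Status score (spamd
scored it) and the ***** SPAM ***** subject tag (what your client's filter
rule sees). the three messages in the block are constructed after the headers
shown in the TESTING section; for a real message, save it from your mail
client and pass "$(cat saved.eml)".

```shell
#!/bin/sh
# Added example, not copfilter code: verify that a message really went through
# p3scan/spamassassin by reading only the header block.  Header-looking lines
# in the body are ignored on purpose (a spammer can put anything there).

# Constructed sample: the tagged test spam as shown in the TESTING section
SPAM_MAIL='Received: from verena.madlener.tk
X-Virus-Scanner: P3Scan Version 1.0 by /
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=16.2 required=7.0 tests=SUBJ_VIAGRA,VIAGRA autolearn=no version=2.63
X-Spam-Report: * 2.8 SUBJ_VIAGRA Subject includes "viagra"
Subject: ***** SPAM ***** (16.22/07.00) test mail from your ipcop machine, VIAGRA

body of the test spam'

# Constructed sample: scanned, but scored below the limit
HAM_MAIL='X-Virus-Scanner: P3Scan Version 1.0 by /
X-Spam-Status: No, hits=1.2 required=7.0 tests=HTML_MESSAGE autolearn=no version=2.63
Subject: test mail from your ipcop machine

body'

# Constructed sample: never passed the proxy; the fake headers sit in the body
UNSCANNED_MAIL='Subject: hello

X-Spam-Status: Yes, hits=99 required=7.0
X-Virus-Scanner: fake'

# headers_of MAIL -> the header block only (up to the first empty line)
headers_of() {
    printf '%s\n' "$1" | sed '/^$/q'
}

# has_header NAME MAIL -> true if NAME appears as a header field
has_header() {
    headers_of "$2" | grep -iq "^$1:"
}

# spam_score MAIL -> "hits required" taken from X-Spam-Status, empty if absent
spam_score() {
    headers_of "$1" | awk '
        tolower($1) == "x-spam-status:" {
            h = ""; r = ""
            for (i = 2; i <= NF; i++) {
                if (sub(/^hits=/, "", $i)) h = $i
                if (sub(/^required=/, "", $i)) r = $i
            }
            if (h != "" && r != "") print h, r
            exit
        }'
}

# classify_mail MAIL -> not-scanned | unscored | spam | ham
#   not-scanned: no X-Virus-Scanner header, p3scan never saw the message
#   unscored:    p3scan saw it but spamd added no verdict (spam scan off?)
classify_mail() {
    msg=$1
    has_header X-Virus-Scanner "$msg" || { echo not-scanned; return 0; }
    score=$(spam_score "$msg")
    [ -n "$score" ] || { echo unscored; return 0; }
    set -- $score                      # $1 = hits, $2 = required
    if awk -v h="$1" -v r="$2" 'BEGIN { exit !(h + 0 >= r + 0) }'; then
        echo spam
    else
        echo ham
    fi
}

# subject_tagged MAIL -> true if the subject carries the *** SPAM *** tag
subject_tagged() {
    headers_of "$1" | grep -iq '^Subject: \*\{3,\} SPAM \*\{3,\}'
}

# usage:  classify_mail "$(cat saved.eml)"; subject_tagged "$(cat saved.eml)" && echo tagged
```

these headers prove scanning only for the test mails you sent yourself: any
sender can insert X-Spam-* or X-Virus-Scanner lines before the message reaches
ipcop, so a client filter rule should key on the subject tag (or X-Spam-Flag)
that copfilter adds and accept that a forged tag simply lands in the spam
folder too, which is the safe direction to fail in.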