Mail filtering with Joe's j-chkmail
j-chkmail is mail filtering software that uses the milter API of sendmail (versions 8.12.0 and later). Yet another filter...
At the beginning, it was developed to satisfy the needs of our mail server in terms of anti-virus protection. The number of active users, the traffic level, and the number and volume of messages handled by our mail system seemed too high for a traditional anti-virus scanner. Moreover, there were some other types of mail filtering we wanted to do.
So, instead of looking for "messages carrying viruses", we decided to look for "messages carrying unsafe files". "Unsafe" files are file types which may have scripts or executable code associated with them. Hereafter, we use the expression "X-file" as a synonym for "unsafe file".
Most viruses are contained in X-files, and the vast majority of e-mail viruses are X-files. On the other hand, very few legitimate messages contain X-files.
Let us recall how viruses propagate. "To make life easier" for users, some mail clients automatically open attached files when they arrive in the recipient's mailbox. Certain viruses take advantage of this to settle in and infect your computer (even without clicking, you are infected!). Others invite you to click a link "to see the photos from a holiday": you click, you see nothing, but the virus has settled in. Immediately, it uses your address book to send itself, without your knowledge, to all your correspondents. Besides the damage caused by the destruction of your files, certain viruses send fragments of files present on your computer (sometimes confidential ones) to all your correspondents. This can create delicate situations...
The idea of our filter is to block any unsafe attached file that may contain a virus and may be opened automatically by the mail client software. As we said before, unsafe files are files to which scripts or executable code may be attached, or files which may send you to some web site without asking whether you want to go there. When the filter stops this kind of message, sender and recipients receive a replacement message instead of the original, telling them the reason.
But certain users may legitimately need to send "unsafe" files. To do that, it suffices to change the file extension (to replace ".exe" by ".toto", for example) and inform the recipients. This way, the attached file will not be opened automatically when it arrives in the recipient's mailbox. The recipient restores the original file extension and processes the incoming attachment as he wishes.
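The attachment rule described above, written out as an added example (not j-chkmail's own code): parse a message, flag attachments whose final extension is on an "unsafe" list, and replace a blocked message with a notice addressed to both sender and recipients. The extension list, the postmaster address and the two sample messages are constructed for this example; the page itself names only ".exe" and the ".toto" renaming workaround, and a renamed file passes the check exactly as the text describes.

```python
"""Attachment-type ("X-file") filter in the spirit of j-chkmail.

Added example, not j-chkmail's own code. The extension list, the notice sender
and the sample messages are constructed, not taken from the project's configuration.
"""
from __future__ import annotations

import email
import os
from email import policy
from email.message import EmailMessage

# Constructed sample of "unsafe" extensions: file types a mail client might run
# or open automatically. The page only names .exe; the others are assumptions.
UNSAFE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".lnk"}
FILTER_ADDRESS = "postmaster@example.invalid"  # assumed sender of replacement notices


def unsafe_extension(filename: str) -> bool:
    """True when the attachment's final extension is on the unsafe list.

    Only the last extension counts: "holiday.jpg.exe" is unsafe, while a
    deliberately renamed "holiday.jpg.toto" passes, which is the workaround the
    text suggests for users who legitimately need to send such files.
    """
    _, ext = os.path.splitext(filename.strip())
    return ext.lower() in UNSAFE_EXTENSIONS


def find_unsafe_attachments(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and list the filenames of unsafe attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found = []
    for part in msg.walk():  # walk() also descends into nested multiparts
        name = part.get_filename()
        if name and unsafe_extension(name):
            found.append(name)
    return found


def build_replacement(original: EmailMessage, unsafe: list[str]) -> EmailMessage:
    """Build the notice that replaces a blocked message for sender and recipients."""
    notice = EmailMessage()
    notice["From"] = FILTER_ADDRESS
    # Both the original recipients and the sender get the notice.
    notice["To"] = ", ".join(h for h in (original.get("To"), original.get("From")) if h)
    notice["Subject"] = "[filtered] " + (original.get("Subject") or "(no subject)")
    notice.set_content(
        "The message from {sender} to {rcpt} was not delivered because it carried "
        "unsafe attachment(s): {files}.\n"
        "If you really need to send such a file, rename its extension "
        "(for example .exe -> .toto) and tell the recipient how to restore it.\n".format(
            sender=original.get("From", "?"),
            rcpt=original.get("To", "?"),
            files=", ".join(unsafe),
        )
    )
    return notice


def filter_message(raw: bytes) -> tuple[bool, EmailMessage]:
    """Return (blocked, message_to_deliver): the original when clean, the notice when not."""
    unsafe = find_unsafe_attachments(raw)
    original = email.message_from_bytes(raw, policy=policy.default)
    if not unsafe:
        return False, original
    return True, build_replacement(original, unsafe)


def _sample(attachment_name: str) -> bytes:
    """Constructed test message carrying one small binary attachment."""
    m = EmailMessage()
    m["From"] = "alice@example.invalid"
    m["To"] = "bob@example.invalid"
    m["Subject"] = "photos from my holiday"
    m.set_content("Have a look at the attached file.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


SAMPLE_BLOCKED = _sample("holiday.jpg.exe")   # would be opened or run by some clients
SAMPLE_RENAMED = _sample("holiday.jpg.toto")  # the user-side workaround from the text

if __name__ == "__main__":
    for raw in (SAMPLE_BLOCKED, SAMPLE_RENAMED):
        blocked, out = filter_message(raw)
        print("BLOCKED" if blocked else "DELIVERED", "->", out["Subject"])
```

The decision is made on the declared filename only, which is what makes this check cheap compared with a signature scanner; it also means a file whose extension was renamed, or whose type is declared only by Content-Type, is deliberately not inspected further, in line with the author's choice to filter file types rather than detect viruses.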
With respect to filtering based on attached files, j-chkmail isn't an anti-virus! It is rather a filter of unsafe files! What is the point?
First of all, anti-viruses are heavy consumers of computer resources. Beyond some level of traffic, rather powerful mail servers are needed to run such anti-virus software on mail gateways/servers. On our mail server (a Sun Enterprise 250), a real anti-virus usually takes 0.5 to 2 seconds to scan a message; the j-chkmail built-in scanner takes 10 to 50 ms per message.
As unsafe file types are always the same, you are not concerned by issues such as signature update procedures and fees.
This system is very effective. It blocks the majority of the viruses in traffic: on average, on our server, 200 to 250 viruses a day, with an extremely low false alarm rate - fewer than ten in two months of operation. For information, our mail server handles more than 100 000 messages a week. At this level of traffic, the use of standard anti-virus software would reduce the performance of the server too much.
But j-chkmail isn't perfect and you should still use an anti-virus - up to date! - on the users' workstations. In particular, j-chkmail does not filter other kinds of viruses such as Word and Excel macro viruses.
On the other hand, there are a number of interesting features which cannot be realized with the standard version of sendmail. For example, you could define a list of e-mail addresses classified as "intranet", which should be able to receive mail only from local machines, known networks or "friends".
j-chkmail is intended to be as extensible as possible, so that new features can be added. Each filtering capability should be enabled and fully configured in a configuration file.
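The "intranet" recipient policy mentioned above, as an added example that is not j-chkmail's code and does not reproduce its configuration syntax: a recipient on the intranet list is accepted only when the connecting peer is in a known network or the envelope sender is a listed "friend"; other recipients are unaffected. The address list, the CIDR blocks and the friend entries are constructed samples.

```python
"""Recipient-side "intranet" policy (added example, not j-chkmail's own code).

The lists below are constructed samples; j-chkmail's real configuration format
is not reproduced here.
"""
from __future__ import annotations

import ipaddress

# Addresses that should receive mail only from inside, known networks, or friends.
INTRANET_ADDRESSES = {"staff@example.invalid", "helpdesk@example.invalid"}
# Local machines and known networks as CIDR blocks (constructed).
KNOWN_NETWORKS = [ipaddress.ip_network(n)
                  for n in ("127.0.0.0/8", "10.0.0.0/8", "192.0.2.0/24")]
# "Friends": external senders or whole domains still allowed to reach intranet lists.
FRIEND_SENDERS = {"partner@example.invalid"}
FRIEND_DOMAINS = {"friend.invalid"}


def sender_is_friend(mail_from: str) -> bool:
    """Match the envelope sender against the friend address and domain lists."""
    addr = mail_from.strip().lower()
    domain = addr.rpartition("@")[2]
    return addr in FRIEND_SENDERS or domain in FRIEND_DOMAINS


def peer_is_known(peer_ip: str) -> bool:
    """True when the connecting client's IP lies in a local or known network."""
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in KNOWN_NETWORKS)


def recipient_allowed(rcpt_to: str, mail_from: str, peer_ip: str) -> bool:
    """Decide one RCPT TO: intranet addresses need a known peer or a friendly sender."""
    if rcpt_to.strip().lower() not in INTRANET_ADDRESSES:
        return True  # the policy only restricts the intranet addresses
    return peer_is_known(peer_ip) or sender_is_friend(mail_from)


def check_envelope(mail_from: str, rcpt_tos: list[str], peer_ip: str) -> tuple[list[str], list[str]]:
    """Split an SMTP envelope into (accepted, rejected) recipients."""
    accepted, rejected = [], []
    for r in rcpt_tos:
        (accepted if recipient_allowed(r, mail_from, peer_ip) else rejected).append(r)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed envelopes: one from the outside world, one from the LAN.
    print(check_envelope("someone@outside.invalid",
                         ["staff@example.invalid", "bob@example.invalid"], "203.0.113.5"))
    print(check_envelope("someone@outside.invalid",
                         ["staff@example.invalid", "bob@example.invalid"], "10.1.2.3"))
```

Note that the envelope sender is trivially forgeable, so the "friends" list is a convenience for known correspondents rather than an authentication mechanism; the peer address check is the stronger of the two conditions.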
j-chkmail current version is 1.01.
j-chkmail V.1.1RC1 is the next stable release - take a look at ChangeLog to see what's new.
You can find j-chkmail distributions at:
j-chkmail is distributed under the GNU General Public License (GPL).