Re: [fw-wiz] Traffic Monitoring

From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
Date: 05/07/03

    To: firewall-wizards@nfr.com
    Date: Thu, 8 May 2003 01:31:27 +0530
    

    On 06/05/03 09:54 +0500, Zahid Ahmad Khan wrote:
    > Hi,
    >  
    > A research organization has asked me to look at an interesting
    > situation. They are paranoid about pilferage of research work and want
    > to monitor and log all email traffic (Vectors and contents of POP, SMTP
    > & IMAP). They require the following:
    >  
    > 1) Log all in and out bound emails (All employees have been duly
    > informed of the fact).
    > 2) Generate email vector logs.
    > 3) Flag and stop any email with unauthorized contents.
    > 4) Only interested in traffic on the WAN and Internet interface (E-1,
    > E-3, OC-3, POS)
    > 5) Do not want to log or see any internal traffic which might contain
    > sensitive R&D info.
    >  
    > I was thinking of putting together a system using pcap for capturing
    > traffic and using/developing an analysis reporting engine. Due to the
    Too complex. Work on the protocol level here.
    Most mail servers will let you make an automatic bcc transparently.
    (always_bcc = add@ress with Postfix).

    Your mail may be in any format, text, HTML, base64 encoded, obfuscated
    HTML, uuencoded, pgp|gpg|s/mime encrypted.
    Your parser will have to deal with this. Except for the encrypted part,
    I would suggest using amavis/amavisd-new to handle this. The MIME
    handling in amavisd is good. This only leaves you to modify it to
    identify banned words, and quarantine/redirect those messages.

    The only modification I can think of is a modification of the banned
    filename routine to see the banned words/phrases in the body of the email
    itself. You might wish to modify the SpamAssassin plugin keywords to
    suit the requirements of this client so that a simple word match that
    may occur in normal usage should not be quarantined, but a sufficiently
    high number of matches triggers a quarantine.

    I hope this helps a bit.

    Devdas Bhagat
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
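The decode-first, count-then-threshold approach the reply describes, as an added example that is not code from the thread or from amavisd-new: every text part is decoded (base64 or quoted-printable undone, HTML tags stripped), banned phrases are counted, and a message is held only when the weighted total reaches a threshold. The phrase list, weights, threshold and the sample message are constructed for illustration.

```python
import base64
import html
import re
from email import message_from_bytes
from email.message import Message

# Assumed policy (not from the thread): phrase -> weight, and the score at which
# a message is held. One incidental hit stays below it; several do not.
BANNED = {"project falcon": 3, "internal only": 2, "lab notebook": 1}
THRESHOLD = 4

def part_to_text(part: Message) -> str:
    """Decode one text/* part (base64/quoted-printable undone), strip HTML tags."""
    payload = part.get_payload(decode=True)
    if payload is None:
        return ""
    text = payload.decode(part.get_content_charset() or "utf-8", errors="replace")
    if part.get_content_type() == "text/html":
        text = html.unescape(re.sub(r"<[^>]+>", " ", text))
    return text

def score_message(raw: bytes) -> tuple[int, dict[str, int]]:
    """Return (weighted score, per-phrase hit counts) over all text parts."""
    hits: dict[str, int] = {}
    for part in message_from_bytes(raw).walk():
        if part.get_content_maintype() != "text":
            continue  # non-text attachments need amavisd-style unpacking first
        text = part_to_text(part).lower()
        for phrase in BANNED:
            n = len(re.findall(r"\b" + re.escape(phrase) + r"\b", text))
            if n:
                hits[phrase] = hits.get(phrase, 0) + n
    return sum(BANNED[p] * n for p, n in hits.items()), hits

def verdict(raw: bytes) -> str:
    """'quarantine' when the weighted score reaches THRESHOLD, else 'deliver'."""
    return "quarantine" if score_message(raw)[0] >= THRESHOLD else "deliver"

# Constructed sample: multipart/alternative whose HTML part is base64 encoded.
_HTML = base64.b64encode(b"<p>Draft <b>Project Falcon</b> results, internal only.</p>")
SAMPLE = (
    b"From: a@example.test\r\nTo: b@example.test\r\nSubject: notes\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain; charset=utf-8\r\n\r\nSee the lab notebook scan.\r\n"
    b"--b1\r\nContent-Type: text/html; charset=utf-8\r\n"
    b"Content-Transfer-Encoding: base64\r\n\r\n" + _HTML + b"\r\n--b1--\r\n"
)
```

Fed to a Postfix `always_bcc` mailbox, `verdict()` would run over each copy; a single "lab notebook" mention in ordinary mail scores 1 and is delivered, while the sample's three hits score 6 and are held.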

