Re: [fw-wiz] Traffic Monitoring
From: Devdas Bhagat (devdas_at_dvb.homelinux.org)
To: email@example.com Date: Thu, 8 May 2003 01:31:27 +0530
On 06/05/03 09:54 +0500, Zahid Ahmad Khan wrote:
> A research organization has asked me to look at an interesting
> situation. They are paranoid about pilferage of research work and want
> to monitor and log all email traffic (Vectors and contents of POP, SMTP
> & IMAP). They require the following:
> 1) Log all in and out bound emails (All employees have been duly
> informed of the fact).
> 2) Generate email vector logs.
> 3) Flag and stop any email with unauthorized contents.
> 4) Only interested in traffic on the WAN and Internet interface (E-1,
> E-3, OC-3, POS)
> 5) Do not want to log or see any internal traffic which might be contain
> sensitive R&D info.
> I was thinking of putting together a system using pcap for capturing
> traffic and using/developing an analysis reporting engine. Due to the
Too complex. Work on the protocol level here.
Most mail servers will let you make an automatic bcc transparently.
(always_bcc = add@ress with Postfix).
Your mail may be in any format, text, HTML, base64 encoded, obfuscated
HTML, uuencoded, pgp|gpg|s/mime encrypted.
Your parser will have to deal with this. Except for the encrypted part,
I would suggest using amavis/amavisd-new to handle this. The MIME
handling in amavisd is good. This only leaves you to modify it to
identify banned words, and quarantine/redirect those messages.
The only modification I can think of is a modification of the banned
filename routine to see the banned words/phrases in body of the email
itself. You might wish to modify the SpamAssassin plugin keywords to
suit the requirements of this client so that a simple word match that
may occur in normal usage should not be quarantined, but a sufficiently
high number of matches triggers a quarantine.
I hope this helps a bit.
firewall-wizards mailing list