Originally Published: Tuesday, 5 June 2001 Author: Kristina Pfaff-Harris

Software Review: Inflex 1.0.6: Sanitized for Your Protection

Kristina Pfaff-Harris reviews the latest version of Inflex for Linux.com, a mail sanitizer released under the GPL and a crucial part of any sysadmin's arsenal against spam and other malicious email.

Introduction

Inflex 1.0.6 is an email sanitizer meant to work with the Sendmail MTA (mail transport agent) and licensed under the GPL. As messages come through the server, Inflex opens them, examines them for potentially dangerous or suspicious attachments or text, and blocks the emails from being sent or received. Inflex sends a notification of the blocked message to both the sender and the recipient, and saves the suspect file so that in case of a mistake, the administrator can restore the message. This can help not only to prevent the spread of viruses, but also to allow blocking of "nuisance" emails such as those with large MP3 or AVI file attachments, or spam with known subject headers. The administrator of the server can give Inflex any number of tests to perform on messages in order to check for arbitrary text strings ("BULK MAIL MARKETING WORKS"), filenames ("happy99.exe", "BigMovie.mov") or file types.

What I liked the most about Inflex is that its core functionality comes in a shell script that makes use of common Linux/Unix commands such as "grep," "cut," "file" and so forth. This makes it incredibly easy for the administrator to change the messages generated by Inflex, add file types or names to scan for, or otherwise modify the functionality. No source code hacking and recompiling is necessary: Inflex plugs and plays nicely with Sendmail, and a quick edit to the Inflex shell script can immediately start blocking unwanted messages.

By default, Inflex will block DOS/Windows executables, PC bitmaps, AVI, MPEG, and WAVE file types, files with extensions of ".mp3" or ".vbs", files with a name similar to "LOVE-LETTER-FOR-YOU*", and messages with text containing "> > > >", which often indicates massively forwarded chain letters and email hoaxes such as the AOL Email Tracking scheme.

In the Inflex script itself, the administrator can add or remove tests for new file types, filenames, or email text by adding a line in the appropriate section, or commenting out a line. For example, to add a new file type, the administrator would simply add a line similar to this:

${cut} -d: -f2 $fileresults | ${grep} "NewFileType" >> ${typebadfileslog}

to the other lines of this type in the "scanforfiletype" section of the script. "NewFileType" should be the file type in a format output by the "file" command, or from the local system's "magic" file (usually /usr/share/magic or /etc/magic).

To block new files by name, the administrator can add a line similar to this:

${find} ${unpackdir} $find_flags '*.mp3' >> ${namebadfileslog}

in the "scanforfilename" section. In this way, you can block by the actual filename or extension of an attachment. (Note to administrators: most recent "email viruses" are carried in .vbs attachments. Unless your users have reason to be sending .vbs files, blocking these will likely block a large percentage of email virus traffic from your server. In addition, .shs (Windows Scrap Files) and .reg (Windows registry files) should probably also be blocked, again, unless your users have good reason to send or receive them.)

Finally, to add text strings to scan for throughout the email, the administrator can add a line similar to this:

grep $grep_flags "Kill the boss" ${tmpdir}/* >> ${textbadfileslog}

to the "scanfortext" section of the script.
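The three scan sections described above, reduced to one shell function as an added example (this is not Inflex's own code): it runs the file-type, filename and text tests over a directory of already-unpacked attachments, logging each hit the way the quoted lines do. The blocked-type regex, the log file locations and the sample attachments are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not Inflex's own code: a miniature of the three Inflex scan
# sections (scanforfiletype, scanforfilename, scanfortext) run over a
# directory of already-unpacked attachments. Variable names follow the
# article; the blocked-type regex and log locations are assumptions.

bad_types='executable|PC bitmap|AVI|MPEG|WAVE'      # matched against file(1) output
bad_names='*.vbs *.shs *.reg LOVE-LETTER-FOR-YOU*'  # globs, as in the find line
bad_text='> > > >'                                  # chain-letter marker from the article

# inflex_scan UNPACKDIR: returns 0 when clean, 1 when any test fires.
# Each hit is appended to a per-test log so the admin can see which rule matched.
inflex_scan() {
    unpackdir=$1
    typebadfileslog=$unpackdir.type.log
    namebadfileslog=$unpackdir.name.log
    textbadfileslog=$unpackdir.text.log
    : > "$typebadfileslog"; : > "$namebadfileslog"; : > "$textbadfileslog"

    # scanforfiletype: field 2 of file(1) output is the type description.
    # Skipped when file(1) is not installed; the other two tests still run.
    if command -v file >/dev/null 2>&1; then
        file "$unpackdir"/* | cut -d: -f2 | grep -E "$bad_types" >> "$typebadfileslog" || true
    fi

    # scanforfilename: one find per blocked glob; -iname so "X.VBS" is caught too.
    set -f                                          # stop the shell expanding the globs itself
    for pat in $bad_names; do
        find "$unpackdir" -type f -iname "$pat" >> "$namebadfileslog"
    done
    set +f

    # scanfortext: fixed-string search through every part of the message.
    grep -l -F "$bad_text" "$unpackdir"/* >> "$textbadfileslog" 2>/dev/null || true

    # Block the message if any log received a line.
    if [ -s "$typebadfileslog" ] || [ -s "$namebadfileslog" ] || [ -s "$textbadfileslog" ]; then
        return 1
    fi
    return 0
}
```

A real deployment would run this from the Sendmail mailer after unpacking the MIME parts; here the unpacking step is left out so the tests themselves are visible.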

In addition to this, Inflex will also allow you to make use of an actual anti-virus engine to scan messages for viruses if you have an anti-virus scanner on your system. Currently supported anti-virus scanners are InoculateIT, NOD32 AntiVirus, McAfee/NAI UVScan, SOPHOS, and FPROT. Since Inflex is a shell script, you may easily add your own virus scanner in the "scanforvirus" section. Some of these virus engines, however, are notoriously greedy with system resources. If you use an actual virus engine on your system, be prepared for the possibility of a large load increase. Again, since possibly most email viruses are carried in .vbs files, simply blocking extensions like this may be as good as virus scanning, depending on your situation.

I installed Inflex on a RedHat 7 system running Sendmail 8.11.0 by simply unpacking the archive and running "make". For ease of installation, this is quite an improvement over previous versions. Running "make" will walk you through a series of configuration questions, set up and install the software, and restart sendmail so that it uses inflex.cf in place of the sendmail.cf file currently on your system, like this:

/usr/sbin/sendmail -bd -q15m -C /usr/local/inflex/inflex.cf

One advantage to this is that if you run into problems with Inflex, you can quickly go back to your old sendmail configuration by killing sendmail and restarting it like this:

/usr/sbin/sendmail -bd -q15m

There are really only minor differences between your old sendmail.cf file and the inflex.cf file. If you run:

diff /etc/sendmail.cf /usr/local/inflex/inflex.cf

you'll see that only a few lines are changed in order to use Inflex. In particular, a mailer configuration is added:

Minflex, P=/usr/local/inflex/inflex, F=ClsDFM:/|@qShPm,
         S=0, R=0, T=DNS/RFC822/X-Unix,
         A=inflex $h $u $f

along with a tiny ruleset ( R$* $#inflex $:$1 ) and a change to the QueueDirectory and StatusFile settings.

A few caveats: Should you decide to modify the messages that Inflex sends when blocking an email, make certain not to include text that you have configured Inflex to block, as this will lead to mail loops. In addition, if you have local users using mail clients such as Pine, they may be able to send mail that bypasses Inflex's Sendmail modifications. This can be fixed by having the users configure the SMTP server as "localhost" explicitly in the mail program's configuration.

All in all, I believe Inflex to be an extremely configurable yet lightweight and easy-to-use tool for blocking many kinds of dangerous and objectionable email messages from passing through your mail server. One thing that I would like to see in a future release is an option to somehow encapsulate "bad" attachments with a warning message, but send them to the recipient rather than blocking them altogether. Although Inflex is easy to set up and seems to integrate extremely well into an existing Sendmail system, I do recommend that you not install it on your production mail server without testing first, as it is possible that you (or your users) may have mail blocked which should not be.
