August 27, 2007

Two open source email virus scanners for Linux

Author: Joseph Quigley

If Linux is hardly affected by viruses, why do system administrators use anti-virus software on their Linux email servers? Because an anti-virus scanner on a mail server can serve as another level of defense for Microsoft Windows desktop users. Linux provides several server-based anti-virus applications, most of which can be configured to interact with a variety of messaging servers. Many use the actively developed ClamAV open source virus toolkit on the back end; others work with proprietary or commercial scanners. In this article we'll compare MailScanner and Anomy Sanitizer on a Sendmail messaging server.

Before you install an anti-virus scanner on your server, you should install ClamAV. You can get it up and running from scratch in about 10 minutes. Most Linux distributions' clamd.conf files are already configured to scan mail. Also, quite conveniently, most distros' ClamAV configurations are set to check for virus signature updates several times a day. ClamAV even has several SMTP scanners for sysadmins who want to make sure their users aren't sending anything infected.

Once you have the anti-virus toolkit in place, you can configure your message filtering program. MailScanner is one of the most popular email filters. It protects users against both viruses and spam. It hooks into other programs to perform its duties. Recent versions also have anti-phishing measures included to prevent users from clicking on obfuscated URLs.

Installing MailScanner on most Linux systems is simple. Most Linux distros have it in their package repositories, and there are no special tricks required to get the Perl program to install from source.

After installing MailScanner, you must customize it for your needs. Edit the verbose and well-documented /etc/MailScanner/MailScanner.conf file. MailScanner's "hostname" appears in messages to users if a virus is detected; change it to the name of the host on which the program is running in the %org-name% variable. Change the "Incoming Work Group" variable to "clamav" so that you don't have to change ClamAV's permissions (they're already configured to use the clamav group). Next, make sure that "File Command" points to /usr/bin/file and isn't commented out. MailScanner uses the file command to determine what types of files to block or allow through. For instance, you may choose to block .exe files but allow .dmg files, depending on your needs. If you want to notify the sender that they have sent a virus, change "Notify Senders Of Viruses" from "no" to "yes." (I suggest you leave it at "no"; the culprit behind most spam is not the person whose name is in the sender field.) While you're at it, you can also change the notification message's subject.

MailScanner can be set to either allow or reject files, based on their extensions and/or file types in /etc/MailScanner/filetype.rules.conf. It can also allow files to pass through or reject them based on their names (useful for blocking certain viruses or worms that always have the same attachment name). It has some fairly strict rules as to syntax. It requires fields to be separated by tabs, but it does allow regular expressions.
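As an added example (not MailScanner's own code), here is a small Python checker for the tab-separated rules format described above: it flags lines that use spaces instead of tabs and shows which rule a given attachment name would hit. It assumes four fields per line (allow/deny, regex, log text, user text), case-insensitive matching and first-match-wins, and runs against a constructed rules sample rather than a real filename.rules.conf.

```python
import re

# Constructed sample in the layout MailScanner uses for filename.rules.conf
# (assumption: four TAB-separated fields: allow|deny, regex, log text, user text).
# The last line is deliberately written with spaces instead of tabs.
SAMPLE_RULES = (
    "# comments and blank lines are ignored\n"
    "deny\t\\.exe$\tNo executables allowed\tExecutable attachments are blocked\n"
    "deny\t\\.(pif|scr)$\tPossible worm\tPIF and screensaver files are blocked\n"
    "allow\t\\.dmg$\tMac disk image\t-\n"
    "allow   .*   Default allow   -\n"
)

def parse_rules(text):
    """Return (rules, errors). A rule is (action, compiled_regex, log_text, user_text);
    an error is (line_number, message) for a line the tab-separated syntax rejects."""
    rules, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 4:
            errors.append((lineno, "expected 4 tab-separated fields, found %d"
                           % len(fields)))
            continue
        action, pattern, log_text, user_text = (f.strip() for f in fields)
        if action not in ("allow", "deny"):
            errors.append((lineno, "action must be allow or deny, not %r" % action))
            continue
        try:
            # Assumption: patterns are Perl-style regexes matched case-insensitively.
            regex = re.compile(pattern, re.IGNORECASE)
        except re.error as exc:
            errors.append((lineno, "bad regex %r: %s" % (pattern, exc)))
            continue
        rules.append((action, regex, log_text, user_text))
    return rules, errors

def check_attachment(filename, rules):
    """Apply rules top to bottom; the first match decides (assumption: this is
    MailScanner's order of evaluation). With no match the attachment is allowed."""
    for action, regex, log_text, _user_text in rules:
        if regex.search(filename):
            return action, log_text
    return "allow", "no rule matched"
```

Run parse_rules over your real rules file before reloading MailScanner; a line reported with one field is almost always a tab that an editor silently turned into spaces.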

Although I was unable to find a graphical configuration tool, the well-documented config file and the documentation on MailScanner's Web site provide more than enough resources to tweak the scanner to your needs.

MailScanner's wiki reports that a 3GHz Dual Xeon server with 2GB of RAM can process up to 1.4 million messages per day -- plenty for most organizations. The wiki has many more examples of how the software performs, especially on slower hardware. Other than a GUI configuration tool, there is little that could be improved in MailScanner.

Anomy Sanitizer

Then there's Anomy Sanitizer, a small mail scanner that does not waste system resources (such as the CPU and RAM) because it treats its input as a stream, without using the hard drive at all (if it's configured well). Although MailScanner also treats its input as a stream, it requires a fast hard drive to perform well under a heavy load.

Anomy Sanitizer installation from source is straightforward. Sanitizer on Ubuntu did not seem to come with an INIT script, and I could not find one for either Gentoo or openSUSE. Because of the lack of an INIT script on various Linux distros, many sysadmins running those distros will need to create their own. The documentation on the Sanitizer Web site suggests the use of the procmail mail processing suite as an "intermediate layer between sendmail and the sanitizer." After configuring procmail, using Sanitizer is far easier and safer than "hard-wiring" sendmail to use Sanitizer directly.

Finding documentation on Sanitizer's config file was not easy; I spent considerable time figuring out how to set up a useful filter with only a few examples.

The first step to getting Sanitizer to scan mail is to configure Sanitizer itself. A minimal configuration can be found on Sanitizer's Web site. After configuring Sanitizer, be sure to include the config file's path as a command-line argument when running it. I placed mine in /etc/sanitizer.conf and ran sanitizer /etc/sanitizer.conf.

Unlike MailScanner, which is slightly bound by hard drive speed, Sanitizer's performance increases with CPU speed. There is one downside to the way Sanitizer works, though. Due to the overhead of starting Perl and compiling the parser, very small messages -- around 2KB or less -- will slow down the server. Large messages cause a large amount of memory consumption when Sanitizer is invoked by procmail. Sanitizer's Web site implies that turning Sanitizer into a daemon will avoid the startup and compilation times of Perl completely. At approximately 0.10 seconds per message, a 500MHz Pentium III server can process about 864,000 messages per day.

Conclusions

MailScanner is far easier to get running on a mail server than Sanitizer. Most of the configuration files are already preconfigured to work upon installation, and they are well-documented either with man pages or by comments in the config files. On the other hand, Sanitizer is great for older and slower systems that lack fast hard drives.

There are numerous mail filters and scanners, such as Qmail-scanner and Inflex, but MailScanner is one of the simplest, and Sanitizer one of the smallest. By combining MailScanner and ClamAV on a fast modern server, a sysadmin can protect Windows users from viruses arriving by email.
