Implement Spam Mail
Filtration inside Linux kernel
Jeff Rupp and Frank Watson
Spam Mail Filter
Jeff Rupp & Frank Watson
1
Introduction
Our original goals:
1.
To figure out how User Mode Linux works
2.
To modify the kernel to filter out spam mail and send the
appropriate packets to both the receiver and server.
3.
Then to make further modifications to send information
packets to the sender to see if the user and sender existed
(which is common for spammer)
Sends mail
sender
receiver
Checks to see if sender exists
•
Modified proposal: getting the User Mode Linux (UML) to
work and modify the Linux source to change the user name to
all x’s if the sender is on a spam list.
Spam Mail Filter
Jeff Rupp & Frank Watson
2
What is User Mode Linux?
•
•
User-Mode Linux is a virtual machine that runs
entirely inside a single file on the physical machine. It
has internet,and xwindow support and allows users to
install and test applications on this virtual machine
Two main advantages of using UML are:
1.
2.
•
If the kernel crashes because of test applications or kernel
modifications, the machine does not go with it.
Has a very handy debugger that allows you to debug the
actual linux kernel.
A good three-fifths of our time was spent on this
project trying to get UML to work. This was not a
trivial process.
Spam Mail Filter
Jeff Rupp & Frank Watson
3
How to install UML
1.Download 3 main files
Kernel source code, UML kernel patch, and Root file system
2.Installation
Unpack the kernel, Apply the UML patch, and Build the "linux“
executable from the linux source
3.Running UML
execute uml with the following command line:
“ linux mem=128M udb=root_fs_slackware_7.0_big udb2=swap
debug=go eth0=ethertap,tap0,fd:fe:0:0:0:1,<IP address # 1>
4.Setting up the internet connection
Use the following commands:
•Ifconfig eth0 <IP address 2>
•Route del –net 128.198.0.0 dev eth0 netmask 255.255.0.0
•Route add –host <IP of host machine> dev eth0
•Route add default gw <IP of host machine>
Spam Mail Filter
Jeff Rupp & Frank Watson
4
How UML works
• UML is composed of two major pieces. A root_fs (a
root file system) and a linux executable.
• The linux executable is the linux kernel. The kernel
information on the root_fs is not used for booting, so
it is possible to boot a root_fs (made with Redhat 7.1
and a 2.4.3 kernel) with a UML linux exectuable
which boots the kernel into 2.4.7.
• The internet access is achieved by using a driver
called ethertap. Ethertap is an older driver and
intercepts packets at the ethernet card and sends
them up to the UML code
Spam Mail Filter
Jeff Rupp & Frank Watson
5
Source Code Modifications
• Checks to see if the packet is for port 25 by checking sk->num
IP
TCP (port #)
sk->num
• We look for two things in the pay load, text stating “MAIL
FROM:” (case insensitive) sets the flag wasMailfrom and “RCPT
TO:” sets the flag wasRcpt using if statements.
IP
TCP (port #) Payload
sk->num
sk->data
Spam Mail Filter
Jeff Rupp & Frank Watson
6
Source Code Modifications
(cont.)
• If either flag is set, a pointer searches the payload to find the
start of the name.
IP
TCP (port #) Payload
sk-num
sk->data
Searches for the email user name
• If the MAILfrom flag is set, it searches to see if it is on the spam
sender’s list. If so, the code waits for the RCPT TO: in the
packet and replaces the RCPT TO: with x’s. For example:
root@walden.uccs.edu
would become
Spam Mail Filter
xxxx@walden.uccs.edu
which
does not exist
Jeff Rupp & Frank Watson
7
Results
• Have a working prototype which catches a spammer and changes
the “RCPT TO:” field in the SMTP protocol to an unknown address.
• Below is a sample of an email returned to the user:
----- The following addresses had permanent fatal errors -----<root@feline.uccs.edu>
(reason: 550 <xxxx@feline.uccs.edu>... User unknown)
• Known bug: the sender’s mail server keeps a cache of the email
addresses and on occasion does not send a “RCPT TO:” in the
payload to see if the user exists. In these situations, the mail does
go through and is not modified or blocked.
Spam Mail Filter
Jeff Rupp & Frank Watson
8
Conclusion/Future work
• Because of time constrains, we only touched the surface of what
can be done with routing and manipulating packets at the TCP
level. This project is just a simple demonstration of the power
and changeability of the linux kernel to suite to a specific need
and purpose.
• In the future, a packet can be sent back and fully responds to
the SMTP command of the receiver and sender.
• The spam list can be inserted through a module oppose to hard
coded into the kernel (as for this project).
• This project can be integrated into UCCS’ Linux Content Switch
and be used as a front end switch, filtering unwanted spam
mails before the mails even hit the back end servers.
Spam Mail Filter
Jeff Rupp & Frank Watson
9
References
• http://user-mode-linux.sourceforge.org The user mode linux
webpage
• http://www.linux-mag.com/2001-04/user_mode_01.html An
extremely helpful article about setting up UML with a step by
step example
• http://www.linuxfromscratch.org A comprehensive webpage
about setting up a linux kernel from scratch. This webpage
helped with setting up the networking files.
• http://kernelnewbies.org/documents/ipnetworking/linuxipnetworki
ng.html An extremely valuable document about the linux IP
networking layer
• http://www.faqs.org/rfcs/rfc821.html The RFC 821 for the SMTP
protocol
Spam Mail Filter
Jeff Rupp & Frank Watson
10