mail scanner

Qmail-Scanner is an add-on that enables a Qmail email server to scan gatewayed email for certain characteristics (i.e. a content scanner). It is typically used for its anti-virus and anti-spam protection functions, in which case it is used in conjunction with external scanners.

Qmail-Scanner application also enables a site (at a server/site level) to create "Policy blocks": i.e. react to email that contains specific strings in particular headers, or particular attachment filenames or types (e.g. *.VBS attachments).

Its archival features helps ISPs and corporations around the world with new or pending legislation, and regulatory requirements. It can archive all processed email into an archive maildir. This is ideal for backup purposes for audit policy reasons. Unlike certain Windows-based server solutions, the mail envelope headers (the "rcpt to:" and "mail from:" headers) are kept intact - appended to the bottom of each message - confirming true sender and destination addresses.

Archiving also supports filtering to a subset of addresses (e.g. only archive "support@domain.name" emails instead of all). In addition, the extensive single-line summaries generated for each message by Qmail-Scanner may be enough for companies meet their obligations - instead of the more disk-intensive full archiving. As usual, contact a lawyer for proper definitions.

Qmail-Scanner is integrated into the mail server at a lower level than some other Unix-based virus scanners, resulting in more thorough coverage. It is capable of scanning not only locally sent/received email, but also email that crosses the server in a relay capacity. Qmail-Scanner also leverages the wealth of meta-information provided by Qmail (such as client IP address, and whether or not the client is allowed to relay).

Here are some key features of "Qmail Scanner":

· Supports almost all commercial (Unix) virus scanners as well as the ever-popular Open Source ClamAV scanner.
· Can call more than one virus scanner for each mail message
· Has its own internal scanner that can be used for Policy enforcement, or to quarantine viruses that your AV currently cannot detect
· The internal scanner can also be used to quarantine email based on attachment types, or email with certain email headers... Need to stop *.mp3 files or "Subject: ILOVEYOU" email getting onto and off your LAN - can do! :-)
· The internal scanner can trigger a "greylist" action instead of a quarantine. This is designed for emergency situations where your current AV and static Policy blocks are not appropriate. e.g. a new ZIP-based virus comes out with random filenames. Your AV cannot detect it, and you cant globally block ZIP files without hurting valid users. A "greylist" action will cause Qmail-Scanner to exit with a SMTP temporary failure instead of delivering the message. Valid emails will simply be requeued and can flow through later once your AV can detect the virus, and you decide to remove the greylist policy.
· Internal engine scans for poorly formatted messages that are known to be used by trojans/virii to infect clients. As such, this is independent of any virus scanner, and can successfully operate against future virii/trojans. Such messages are quarantined immediately. Known to block such major virii as Klez and Aliz, and as a side effect, stops a fair amount of spam too! Format checks include:
· broken MIME continuation headers
· use of comments within standard headers (e.g. "Content-T(xxxxxx)ype:" is *identical* to "Content-Type:" according to the RFCs - but some virii use this as it circumvents some anti-virus scanners). Valid use of this is never seen in the wild - so its blocked
· repeated occurrences of MIME headers makes Q-S rename the latter ones to nullify them
· MIME boundaries over 250 chars are blocked
· differing definitions of a particular attachment filename causes it to be blocked
· double-defining the same MIME boundary is blocked
· certain MIME types containing windows executable extensions are specifically blocked (e.g. an "audio/wav" of filename "wav.exe" could only be a virus)
· broken headers within a MIME attachment are blocked
· windows executable attachments that arent marked as being of MIME type "application/....." are blocked (e.g. renaming notepade.exe to notepade.gif and sending it as a GIF attachment would be quarantined, as Qmail-Scanner would realise its an executable pretending to be something else).
· attachment filenames over 256 chars are blocked
· some double-barreled filenames are blocked (e.g. file.gif.exe). It tries not to block common mistake variants
· CLSID file extensions are blocked
· Password-protected zip files can be blocked if you wish. This would stop any future viruses stuffed inside password-protected zip files from getting through, but of course would also stop any legitimate usage. Turned off by default, but perhaps useful to turn on during a new outbreak, and turned off again once an AV update occurs that can catch it.
· defaults to always running any AV you may have over messages first, then runs the internal scanner (Policy/perlscan) checks. This means if you block ".PIF" files due to them normally containing viruses, then any .PIF files that do contain a virus known to your AV system will be flagged as "viruses", and any that were missed (perhaps they were a Day-Zero virus) are then tagged as being blocked by "policy". This differentiation is then used by the alerting system. It defaults to not notifying the sender that a virus has been found, but can still notify them when it was a "policy" block.
· Quarantines emails it finds to contravene the above sub-systems. Viruses are quarantined into a maildir named "viruses/", policy-blocks into "policy/" and (potentially) high-rated SPAM into "spam/"
· Can integrate with SpamAssassin to provide comprehensive anti-spam tagging for an entire site. Typically uses also includes using Qmail-Scanner as a "front end" for Enterprise mail servers such as Notes and Exchange. Qmail-Scanner does all the dirty work - (hopefully) leaving nothing but clean mail for the backend :-)
· Auto-detects email from "postmaster"-style and mailing-list addresses - and doesnt send virus alert reports to them (i.e. attempts to act more like a responsible net citizen)
· Due to the fact that over 99.9% of all email-borne viruses are now sent using forged sender information, Q-S defaults to NOT alerting the sender that a message has been quarantined, unless it was due to a Policy/Perlscan block. This can be turned back to the "old" style by using "--notify sender" instead of the newer default of "--notify psender" (i.e. only notify sender for policy blocks)
· Knows of the virii which forge the From headers - so that the virus appears to come from some poor innocent. Qmail-Scanner will not send alerts to the sender for those types of virii. As the default is to not notify anyway, this only really takes effect if you are using the "--notify sender" option.
· Each message is tagged via a new Received: header with a virus report showing whether it is clean or not and virus scanner version numbers/etc
· [disabled by default] Messages classified as "serious SPAM" by the "--sa-quarantine" option (basically having a really high SA score) will be quarantined off into a "maildir" mail folder (./spam/). This separation into its own maildir allows sites to come up with their own methods of handling false positives. However...
· the "-z" cleanup option will delete messages in the quarantine subfolders older than 14 days - to ensure it doesnt grow too large. If you want to keep them longer, simply script something to move them out daily to another directory/maildir. There is a logrotate script in the contrib directory to automate this (for those systems that can use it - like Redhat/CentOS)
· Can optionally add a descriptive header: X-Qmail-Scanner to every email that passes through the system to allow users to see that a scanner has run over their messages.
· Messages caught by Qmail-Scanner generate an email message (currently supports English, Italian, Afrikaans, Polish, Swedish, Czech, German, Spanish, Turkish, Lithuanian, French, Portuguese, Dutch and Chinese messages) to a configurable combination of the sender, recipients and a "quarantine-admin" address explaining why their message was blocked.
· Can archive some or all processed email (that wasnt quarantined) into an archive maildir. Useful when debugging email-based apps, for backup purposes, and for audit policy reasons. Currently the mail envelope headers (the "rcpt to:" and "mail from:" headers) are appended to the bottom of each message. This option supports being called with a regular expression in which case only envelope headers that match the expression are archived (e.g. can archive "(support|sales)@domain.name" instead of all email)
· Reports via syslog or to a file, a one-line description of each processed message, giving extensive information such as subject line, attachment filenames, sizes, etc.
· Redundant scanning. Not only does it unpack each message before running the scanners over it, it can also scan the original "raw" email message as well as the unpacked components (i.e. if you think a particular scanner has better internal MIME parsing than Qmail-scanner)
· Reporting: in the contrib directory theres qs2mrtg.pl. A perl script for monitoring your syslog files for qmail-scanner records. It then graphs how Qmail-Scanner is processing your emails. It creates different graphs for incoming vs outgoing email, as well as the flow of spam and viruses.

Do you receive more and more spam every day? Use Antispam Scanner! Antispam Scanner will solve this problem, allowing you to quickly remove different trash from your mailbox before you receive your mail. The program will be helpful especially for those who receive dozens or even hundreds spam letters during a day.

The program s interface looks like traffic lights. It consists of three different colored zones.
The first zone (the red one) is for spam-messages.
The second zone (yellow) for letters, which you cannot exactly attribute to one of other two zones.
The third (green) zone is for friendly messages.

Do you receive more and more spam every day? Use Antispam Scanner! Antispam Scanner will solve this problem, allowing you to quickly remove different trash from your mailbox before you receive your mail. The program will be helpful especially for those who receive dozens or even hundreds spam letters during a day.

The programs interface looks like traffic lights. It consists of two different colored zones.
The first zone (green) zone is for friendly messages.
The second zone (red) is for spam-messages.

emailserver scanner is a software designed to directly search email addresses from mail servers. It can verify all user names that you specified on the mail server.The program tries to connect with a specail Smtp-server and simulates sending the message. It does not come to the message sending ,in fact,It disconnect as soon as mail server informs does this address exist or not.The program is multi-threaded that provides the high speed of verifying. Using this software, you can get lots of email addresses from a special email server,For example :Hotmail.com .It can also send message to valid email addresses while searching.It has Embeded in a SMTP server that quickly send mass email directly to recipients.No use your ISPS SMTP server.You can also save the valid email addresses to a one-per line text file.

emailserver scanner is a software designed to directly search email addresses from mail servers. It can verify all user names that you specified on the mail server. The program tries to connect with a specail Smtp-server and simulates sending the message. It does not come to the message sending.
It disconnect as soon as mail server informs does this address exist or not.The program is multi-threaded that provides the high speed of verifying. Using this software, you can get lots of email addresses from a special email server,For example :Hotmail.com .It can also send message to valid email addresses while searching.It has Embeded in a SMTP server that quickly send mass email directly to recipients.No use your ISPS SMTP server.You can also save the valid email addresses to a one-per line text file.

Changes in Current Version:
more quickly

A freeware port scanner, written completely in Java. NoJ/Direct no native calls anywhere.

A free, standalone scanner that detects hosts infected with eihter variant of MyDoom Virus.

MyDoom Scanner alows users to enter a range of IP addresses to scan for infected computers.

Nmap::Scanner is a Perl module to perform and manipulate nmap scans using perl.

SYNOPSIS

Perl extension for performing nmap (www.insecure.org/nmap) scans.

use Nmap::Scanner;

# Batch scan method

my $scanner = new Nmap::Scanner;
$scanner->tcp_syn_scan();
$scanner->add_scan_port(1-1024);
$scanner->add_scan_port(8080);
$scanner->guess_os();
$scanner->max_rtt_timeout(200);
$scanner->add_target(some.host.out.there.com.org);

# $results is an instance of Nmap::Scanner::Backend::Results
my $results = $scanner->scan();

# Print the results out as an well-formatted XML document
print $results->as_xml();

# Event scan method using *new* easier way to set scan options.

my $scanner = new Nmap::Scanner;
$scanner->register_scan_started_event(&scan_started);
$scanner->register_port_found_event(&port_found);
$scanner->scan(-sS -p 1-1024 -O --max-rtt-timeout 200 somehost.org.net.it);

sub scan_started {
my $self = shift;
my $host = shift;

my $hostname = $host->name();
my $addresses = join(,, map {$_->address()} $host->addresses());
my $status = $host->status();

print "$hostname ($addresses) is $statusn";
}

sub port_found {
my $self = shift;
my $host = shift;
my $port = shift;

my $name = $host->name();
my $addresses = join(,, map {$_->addr()} $host->addresses());

print "On host $name ($addresses), found ",
$port->state()," port ",
join(/,$port->protocol(),$port->portid()),"n";

}

This set of modules provides perl class wrappers for the network mapper (nmap) scanning tool (see http://www.insecure.org/nmap/). Using these modules, a developer, network administrator, or other techie can create perl routines or classes which can be used to automate and integrate nmap scans elegantly into new and existing perl scripts.

If you dont have nmap installed, you will need to download it BEFORE you can use these modules. Get it from http://www.insecure.org/nmap/. You will need nmap 3.10+ installed to use all the features of this module.

NetworkActiv Scanner is a network exploration and administration tool. This tool can scan and explore internal LANs and external WANs. This tool is intended to be used by experienced network administrators and by novices.

Here are some key features of "NetworkActiv Scanner":

· TCP connect() port scanner (standard TCP port scanner).,
· TCP SYN port scanner (auxiliary TCP port scanner).,
· UDP port scanner with automatic speed control.,
· UDP subnet port scanner.,
· Ping scanning of subnets (UDP or ICMP).,
· TCP subnet port scanner.,
· Trace-route.,
· Remote OS detection: Ability to make an educated guess about the OS (Operating System) of a remote host, this is done by TCP/IP stack fingerprinting.,
· Wizard Mode: Walks you through step-by-step to perform network scanning, trace-route, and more.,
· Whois Client: Ability to perform whois queries, user may either specify a whois server, or have the program attempt to determine a whois server automatically (works with most domains).,
· DNS Dig system: Performs DNS dig queries, user may choose between TCP and UDP, specify a DNS server or have the program attempt to determine the authoritative server automatically (works with most domains).,
· Simple Port Scanner Mode.,
· Graphical user interface, with skin support.,
· Ability to notify user if remote computer being scanned is stealth.,
· User configurable maximum speed (ranging from 2 PPS to non-limited).,
· Attempts to determine host responses for TCP connect() port scanner and subnet port scanner.,
· Common port use list, may help user determine the use of an open port.,
· Random order, reverse order, and "Only Scan Known Ports" port scanner capable.,
· Ability to save the results of the port scanner, subnet port scanner, and other lists to text files.,
· Integration between subnet port scanner, port scanner, Windows(c) clipboard, and other programs - customizable.


Whats New in This Release:

· New Wizard Mode.
· New Remote OS detection: Ability to make an educated guess about the OS (Operating System) of a remote host, this is done by TCP/IP stack fingerprinting.
· New Whois Client.
· New DNS Dig system.
· Various changes of a variable significance.


Limitations:

· 15 days trial

Ordinary online scanners will only scan for fraction of the ports. Our proprietary pcSuper Scanner is the only scanner in the world that will scan ALL 65,535 ports, TCP server and client as well as UDP. Whats more - it will doing this at an unbelievable rate in mere seconds! No other scanner gets even close. If it finds that you have opened ports on your computer - it is not a reason to panic. Ports may be opened by a legitimate program and that is OK. The opened port is only a problem if it was opened by a malicious program. In that case you will need pcInternet Patrol to sort it out.

Ordinary online scanners will only scan for fraction of the ports.

Our proprietary pcSuper Scanner is the only scanner in the world that will scan ALL 65,535 ports, TCP server and client as well as UDP.

What s more - it will doing this at an unbelievable rate in mere seconds!

No other scanner gets even close.

If it finds that you have opened ports on your computer - it is not a reason to panic.

Ports may be opened by a legitimate program and that is OK. The opened port is only a problem if it was opened by a malicious program. In that case you will need pcInternet Patrol to sort it out.

The Qmail virus scanner (QScan) is a mail filter for Qmail that scans incoming messages using the Sophos Antivirus engine, immediately rejecting infected content.

It is designed to be minimalistic, yet extremely fast and secure, and uses multiple pipes instead of the traditional temporary files and privilege separation. It works with non-native versions of the virus scanner like under OpenBSD with Linux or FreeBSD emulation.


You must create a temporary directory to extract MIME attachments, and replace Qmails original qmail-queue program with Qscan. Quick way to achieve this for the impatients :

mkdir /var/qmail/qscan
chmod 700 /var/qmail/qscan
chown qmaild:qmail /var/qmail/qscan
ln /var/qmail/bin/qmail-queue /var/qmail/bin/qmail-queue-old

Now, lets compile and install Qscan :

./configure --help

./configure [your beloved flags]

make install-strip

The last step is to replace the original qmail-queue program with our filter :

rm /var/qmail/bin/qmail-queue
ln -s /usr/local/sbin/qscan /var/qmail/bin/qmail-queue

Depending on your local configuration, it may be needed or not, but start with doing it :

chown qmaild:qmail /usr/local/sbin/qscan
chmod 6711 /usr/local/sbin/qscan

After testing, if everythings ok for you, remove the setuid bit :

chown 0:0 /usr/local/sbin/qscan
chmod 711 /usr/local/sbin/qscan