james-server-dev mailing list archives

From "Jason Webb" ...@inovem.com>
Subject RE: Email Forensics for JAMES
Date Tue, 25 Oct 2005 08:34:14 GMT
Logging is the key to this (duh).
James is currently quite poor at logging at the mailet & matcher level
because of the patchy implementation. A matcher and mailet should always log
the fact that they have "seen" a message (i.e. matched or processed it). At
the moment lots of them don't.

The commercial MLM I wrote had lots of logging in it so we could trace the
following:
Did the MLM receive the message?
What rules did the message cause to fire?
Who was the message then sent to?
Did they receive it or did it bounce?
How long did this take?

We provide a web based app written in ColdFusion that allows an admin to
trace any message using a simple point and click interface.

I don't know about Sendmail in depth but Qmail has very good logging and
lots of utilities to help you calculate throughput (qmailanalog) so QMail
might be a good place to start.
In the case of Qmail we used Dan Bernstein's tcpd which allowed us to detect
stale connections and DDOS attacks and close down the connections quickly.
We then looked for patterns of IP addresses in these attacks and then I
called the ISP and abused them :) If they were in country where that was
useless then we just blocked the range of the offending ISP. We also looked
at the SMTP logs so we could work out if people were just trying to clog the
system up with bad emails (not a valid group or badly addressed).

I've not done much with POP3/IMAP logging other than to look for connection
problems of individual users. I assume some of the more complex intrusion
detection systems might monitor the port/log files looking for attack
patterns.

Hope this helps,

-- Jason

> -----Original Message-----
> From: Anagha Mudigonda [mailto:anaghamudigonda@gmail.com]
> Sent: 25 October 2005 04:12
> To: James Developers List
> Subject: Email Forensics for JAMES
> 
> Hi Guys,
> 
> After classes started, I was not able to contribute much towards the
> protocol handler (JAMES fastfail). I will start working on some of the
> filters Stefano suggested pretty soon.
> 
> I am doing my MS project on *email forensics* using JAMES. Basically this
> would involve collecting forensic data from the SMTP session, from the
> POP/IMAP client, from the DNS Server (if needed), saving it and inferring
> something useful at a later time.
> To start, I will begin by collecting the SMTP session data, like the MAIL
> and RCPT commands with corresponding parameters and so on.
> 
> The data collected could be used for anomaly detection / intrusion
> detection or just for compliance.
> 
> I was wondering if I could get some inputs from this forum regarding this.
> 
> Since a lot of people have a lot of experience with e-mail I would be glad
> to get some suggestions or thoughts regarding this.
> Best Regards
> Anagha.


---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org
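The thread talks about collecting SMTP session data (MAIL, RCPT and their parameters) and mining it for senders who clog the server with badly addressed mail. The script below is an added illustration, not code from James or from either poster: it parses a constructed, hypothetical session log format (one line per command with client IP and reply code; the IPs and addresses are made up) and flags client IPs whose RCPT commands are mostly rejected.

```python
import re
from collections import defaultdict

# Constructed SMTP session log (hypothetical format, not James's own): one line per
# command with the client IP, the command argument and the server's reply code.
SAMPLE_LOG = """\
2005-10-25T04:12:01 ip=203.0.113.5 cmd=MAIL arg=<alice@example.org> code=250
2005-10-25T04:12:02 ip=203.0.113.5 cmd=RCPT arg=<bob@example.com> code=250
2005-10-25T04:12:03 ip=203.0.113.5 cmd=DATA arg=- code=250
2005-10-25T04:12:10 ip=198.51.100.9 cmd=MAIL arg=<x@spam.invalid> code=250
2005-10-25T04:12:11 ip=198.51.100.9 cmd=RCPT arg=<aaa@example.com> code=550
2005-10-25T04:12:11 ip=198.51.100.9 cmd=RCPT arg=<aab@example.com> code=550
2005-10-25T04:12:12 ip=198.51.100.9 cmd=RCPT arg=<aac@example.com> code=550
2005-10-25T04:12:13 ip=198.51.100.9 cmd=RCPT arg=<bob@example.com> code=250
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) cmd=(?P<cmd>\w+) "
                     r"arg=(?P<arg>\S+) code=(?P<code>\d{3})$")

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["code"] = int(rec["code"])
            records.append(rec)
    return records

def rcpt_stats(records):
    """Per client IP: number of RCPT commands and how many drew a 5xx rejection."""
    stats = defaultdict(lambda: {"attempts": 0, "rejected": 0})
    for r in records:
        if r["cmd"] == "RCPT":
            stats[r["ip"]]["attempts"] += 1
            if 500 <= r["code"] < 600:
                stats[r["ip"]]["rejected"] += 1
    return dict(stats)

def flag_bad_recipient_probing(records, min_attempts=4, reject_ratio=0.5):
    """Flag IPs whose RCPT commands are mostly rejected: the pattern of a sender
    clogging the server with badly addressed mail. Returns {ip: rejection ratio}."""
    flagged = {}
    for ip, s in rcpt_stats(records).items():
        ratio = s["rejected"] / s["attempts"]
        if s["attempts"] >= min_attempts and ratio >= reject_ratio:
            flagged[ip] = ratio
    return flagged
```

The thresholds are placeholders; on a real server they would be tuned against the normal rejection rate of legitimate clients before any IP range is acted on.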

