
Implement Spam Mail Filtration inside Linux kernel

Implement Spam Mail Filtration inside Linux kernel. Jeff Rupp and Frank Watson.

Introduction. Our original goals: to figure out how User Mode Linux works, and to modify the kernel to filter out spam mail and send the appropriate packets to both the receiver and the server.



Presentation Transcript


  1. Implement Spam Mail Filtration inside Linux kernel
     Jeff Rupp and Frank Watson
     Jeff Rupp & Frank Watson

  2. Introduction
     Our original goals:
     • To figure out how User Mode Linux works.
     • To modify the kernel to filter out spam mail and send the appropriate packets to both the receiver and the server.
     • Then to make further modifications that send information packets to the sender, to check whether the user and the sender actually exist (a non-existent sender is common for spammers).
     • Modified proposal: get User Mode Linux (UML) to work and modify the Linux source to change the user name to all x's if the sender is on a spam list.
     [Diagram: sender sends mail to receiver; the receiver checks to see if the sender exists]

  3. What is User Mode Linux?
     • User-Mode Linux is a virtual machine that runs entirely inside a single file on the physical machine. It has Internet and X Window support and allows users to install and test applications on this virtual machine.
     • Two main advantages of using UML are:
       • If the kernel crashes because of test applications or kernel modifications, the host machine does not go down with it.
       • It has a very handy debugger that allows you to debug the actual Linux kernel.
     • A good three-fifths of our time on this project was spent trying to get UML to work. This was not a trivial process.

  4. How to install UML
     • Download 3 main files: the kernel source code, the UML kernel patch, and a root file system.
     • Installation: unpack the kernel, apply the UML patch, and build the "linux" executable from the Linux source.
     • Running UML: execute uml with the following command line:
         linux mem=128M ubd=root_fs_slackware_7.0_big ubd2=swap debug=go eth0=ethertap,tap0,fd:fe:0:0:0:1,<IP address #1>
     • Setting up the Internet connection: use the following commands (inside UML):
         ifconfig eth0 <IP address #2>
         route del -net 128.198.0.0 dev eth0 netmask 255.255.0.0
         route add -host <IP of host machine> dev eth0
         route add default gw <IP of host machine>

  5. How UML works
     • UML is composed of two major pieces: a root_fs (a root file system) and a linux executable.
     • The linux executable is the Linux kernel. The kernel information on the root_fs is not used for booting, so it is possible to boot a root_fs (made with Red Hat 7.1 and a 2.4.3 kernel) with a UML linux executable that boots the kernel into 2.4.7.
     • Internet access is achieved by using a driver called ethertap. Ethertap is an older driver; it intercepts packets at the Ethernet card and sends them up to the UML code.

  6. Source Code Modifications
     • Check whether the packet is for port 25 by checking sk->num.
     • We look for two things in the payload: text stating "MAIL FROM:" (case insensitive) sets the flag wasMailfrom, and "RCPT TO:" sets the flag wasRcpt, using if statements.
     [Diagram: IP header | TCP header (port # = sk->num) | Payload (sk->data)]

  7. Source Code Modifications (cont.)
     • If either flag is set, a pointer searches the payload to find the start of the name.
     • If the wasMailfrom flag is set, the code checks whether the sender is on the spam sender's list. If so, the code waits for the "RCPT TO:" in the packet and replaces the user name in the "RCPT TO:" with x's. For example, root@walden.uccs.edu would become xxxx@walden.uccs.edu, which does not exist.
     [Diagram: IP header | TCP header (port # = sk->num) | Payload (sk->data): the code searches the payload for the email user name]
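     The logic of slides 6 and 7, written out as a user-space C model so it can be run and tested outside the kernel. This is an added example, not the authors' kernel patch: the spam list, the per-connection state struct and the function names are assumptions, and the port and payload are passed in explicitly in place of sk->num and sk->data.

```c
#include <ctype.h>
#include <string.h>
#include <strings.h>

/* Constructed spam-sender list (placeholder addresses); the slides hard-code theirs in the kernel. */
static const char *spam_list[] = { "spammer@example.net", "bulk@example.org" };

/* Per-connection flag (the slides' wasMailfrom). It must outlive one packet, because
 * "RCPT TO:" frequently arrives in a later TCP segment than "MAIL FROM:". */
struct smtp_state { int sender_is_spam; };

/* Case-insensitive search for an ASCII needle inside a payload that is NOT NUL-terminated. */
static int find_ci(const char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle), i, j;
    for (i = 0; i + n <= len; i++) {
        for (j = 0; j < n; j++)
            if (tolower((unsigned char)buf[i + j]) != tolower((unsigned char)needle[j])) break;
        if (j == n) return (int)i;
    }
    return -1;
}

/* Skip the spaces and '<' that precede the address after the SMTP verb. */
static size_t addr_start(const char *buf, size_t len, size_t pos) {
    while (pos < len && (buf[pos] == ' ' || buf[pos] == '<')) pos++;
    return pos;
}

static int on_spam_list(const char *addr, size_t alen) {
    size_t k;
    for (k = 0; k < sizeof spam_list / sizeof *spam_list; k++)
        if (strlen(spam_list[k]) == alen && strncasecmp(spam_list[k], addr, alen) == 0) return 1;
    return 0;
}

/* Inspect one TCP payload on the given destination port (the slides' sk->num check).
 * Returns how many bytes were overwritten with 'x' (0 when the packet is left untouched). */
int filter_smtp_payload(struct smtp_state *st, unsigned short port, char *buf, size_t len) {
    size_t s, e, changed = 0;
    int p;
    if (port != 25) return 0;
    p = find_ci(buf, len, "MAIL FROM:");
    if (p >= 0) {
        s = addr_start(buf, len, (size_t)p + 10);
        for (e = s; e < len && buf[e] != '>' && buf[e] != '\r' && buf[e] != '\n' && buf[e] != ' '; e++) ;
        st->sender_is_spam = on_spam_list(buf + s, e - s);
    }
    p = find_ci(buf, len, "RCPT TO:");
    if (p < 0 || !st->sender_is_spam) return 0;
    s = addr_start(buf, len, (size_t)p + 8);
    /* Overwrite only the local part, in place: the segment keeps its length, as on slide 7. */
    for (e = s; e < len && buf[e] != '@' && buf[e] != '>' && buf[e] != '\r' && buf[e] != '\n'; e++) { buf[e] = 'x'; changed++; }
    return (int)changed;
}
```

     Inside a real kernel the caller must recompute the TCP checksum after the payload is rewritten, which the slides do not mention; keeping the rewritten name the same length avoids having to touch sequence numbers.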

  8. Results
     • We have a working prototype which catches a spammer and changes the "RCPT TO:" field in the SMTP protocol to an unknown address.
     • Below is a sample of an email returned to the sender:
         ----- The following addresses had permanent fatal errors -----
         <root@feline.uccs.edu>
             (reason: 550 <xxxx@feline.uccs.edu>... User unknown)
     • Known bug: the sender's mail server keeps a cache of the email addresses and on occasion does not send a "RCPT TO:" in the payload to see if the user exists. In these situations, the mail does go through and is not modified or blocked.

  9. Conclusion/Future work
     • Because of time constraints, we only touched the surface of what can be done with routing and manipulating packets at the TCP level. This project is just a simple demonstration of the power and changeability of the Linux kernel to suit a specific need and purpose.
     • In the future, a packet can be sent back that fully responds to the SMTP commands of the receiver and sender.
     • The spam list can be inserted through a module, as opposed to being hard coded into the kernel (as it is for this project).
     • This project can be integrated into UCCS' Linux Content Switch and be used as a front end switch, filtering unwanted spam mails before the mails even hit the back end servers.

  10. References
     • http://user-mode-linux.sourceforge.org - The User Mode Linux webpage.
     • http://www.linux-mag.com/2001-04/user_mode_01.html - An extremely helpful article about setting up UML, with a step by step example.
     • http://www.linuxfromscratch.org - A comprehensive webpage about setting up a Linux kernel from scratch. This webpage helped with setting up the networking files.
     • http://kernelnewbies.org/documents/ipnetworking/linuxipnetworking.html - An extremely valuable document about the Linux IP networking layer.
     • http://www.faqs.org/rfcs/rfc821.html - RFC 821, the SMTP protocol.
