Next: Rules-Based Filtering Up: The Langley Cyber Attack Previous: Initial Countermeasures

Filtering Queued E-mail

The technical strategy of our countermeasure against mail bombing was simply to queue incoming mail messages, filter them against rule-sets we developed, and forward the clean mail. The rule-sets triggered only on information in the header control files of the queued messages; message content was not used in the filtering process. Every message that matched a rule took one of two paths: it was either sent to "jail" (the qjail queue) and not delivered, or copied into qcopy for further analysis (Figure 7). Denying the attackers any direct feedback was the cornerstone of the strategy.

During the initial filter prototyping phase, we copied and still delivered all mail with the keyword 'whitehouse' in the header fields, because it was at least theoretically possible that valid mail could come from whitehouse.gov. This copy-and-deliver path was the prototype of a filter refinement queue that became qcopy; it was used to fine-tune additional rule-sets. All captured mail was held in the jail queue, qjail.

Figure 7: Process Flow Diagram for SMTP Filter


Figure 7 illustrates the flow of events in the filtering process. The SMTP server is started with the -odq switch [4], which sets sendmail's delivery mode to queue-only: incoming mail is received and written to the queue directory, mqueue, but no delivery is attempted. The filter program is run periodically by crond(8). It processes the sendmail mqueue by first copying every message in the queue to a separate staging directory, qprocess, where the files are actually examined; incoming mail keeps arriving in mqueue in the meantime. Timers and a state machine prevent the filter from moving a message that the MTA has not yet completely received and queued.

The filter rule-sets first examine the control files (the qf files) for spoofed sender addresses that contain no @ character; those messages are moved out of qprocess into qjail and are not delivered. In addition, a subset of the messages whose sender addresses do contain an @ character are copied to qcopy while remaining in the staging queue, qprocess. Everything left in qprocess is then moved to a further queue, qclean, and sendmail delivers it when invoked with the -q switch, which tells sendmail to run the queue once, and the queue-directory option (-Q, i.e. -oQ<dir> in sendmail 8.x), which specifies the queue to process.
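The whole cycle in a form that can be run, added here as an example; it is not the filter program the paper describes, whose code is not on this page. It is a POSIX shell script that stages a sendmail-style queue into qprocess, applies the two rules above (sender without @ goes to qjail; a keyword match is copied to qcopy and still delivered), moves the rest to qclean and hands qclean to sendmail. The queue-file layout it assumes (qf control file, df body, tf for a control file still being written, envelope sender on the S line, header fields on H lines), the directory names and the sample messages are assumptions and constructed data, not taken from the original system. It goes slightly beyond the text in one respect: it treats the existence of a qf file as the "completely received" signal, which is how sendmail 8 writes its queue (df first, then tf renamed to qf), instead of the paper's unspecified timers and state machine.

```shell
#!/bin/sh
# Queue-based mail-bomb filter following the mqueue -> qprocess -> qjail /
# qcopy / qclean flow of Figure 7. Added example, not the original program.
# ASSUMPTIONS (not from the page): sendmail 8.x queue naming (qf* control
# file, df* body, tf* control file still being written); envelope sender is
# the 'S' line and header fields are 'H' lines of the qf file.
set -eu

# Envelope sender from a qf control file. Accepts both the bare
# "Sjoe@example.org" and the bracketed "S<joe@example.org>" spellings.
qf_sender() {
    sed -n 's/^S<\{0,1\}\([^>]*\)>\{0,1\}$/\1/p' "$1" | head -n 1
}

# True when KEYWORD appears in a header field (H line) or in the envelope
# sender (S line). The message body (df file) is never read.
qf_has_keyword() {  # qf_has_keyword QFFILE KEYWORD
    grep -qi "^[HS].*$2" "$1"
}

# Move fully received messages from the MTA's mqueue into the staging
# queue. A message is complete only once its qf control file exists; while
# sendmail is still writing, the control file is still named tf*, so those
# (and any df* with no qf*) are left for a later cron run.
stage_queue() {  # stage_queue MQUEUE QPROCESS
    mkdir -p "$2"
    for qf in "$1"/qf*; do
        [ -f "$qf" ] || continue            # glob matched nothing
        id=${qf##*/qf}
        [ -f "$1/df$id" ] || continue       # body not on disk yet
        cp -p "$qf" "$1/df$id" "$2"/ && rm -f "$qf" "$1/df$id"
    done
}

# Apply the rule-sets to every staged message:
#   sender without '@'            -> qjail, never delivered
#   header/sender mentions KEYWORD -> copied to qcopy, then delivered
#   everything else               -> qclean, delivered by sendmail -q
filter_queue() {  # filter_queue QPROCESS QJAIL QCOPY QCLEAN KEYWORD
    mkdir -p "$2" "$3" "$4"
    for qf in "$1"/qf*; do
        [ -f "$qf" ] || continue
        id=${qf##*/qf}
        sender=$(qf_sender "$qf")
        case $sender in
            *@*) ;;                                   # fall through to the other rules
            *)   mv "$qf" "$1/df$id" "$2"/; continue ;;   # spoofed: jail it
        esac
        if qf_has_keyword "$qf" "$5"; then
            cp -p "$qf" "$1/df$id" "$3"/             # keep a copy for rule tuning
        fi
        mv "$qf" "$1/df$id" "$4"/
    done
}

# Hand the clean queue to sendmail: -q runs the queue once, -oQ names the
# queue directory (the paper's "-Q"). Not invoked by the demo below.
deliver_clean() {  # deliver_clean QCLEAN
    /usr/sbin/sendmail -q -oQ"$1"
}

# Message ids whose qf file sits in a queue directory, space separated.
queue_ids() {  # queue_ids QUEUEDIR
    ids=""
    for f in "$1"/qf*; do
        [ -f "$f" ] || continue
        ids="$ids ${f##*/qf}"
    done
    echo "${ids# }"
}

# Constructed sample traffic in simplified qf/df form (not real messages).
make_sample_queue() {  # make_sample_queue MQUEUE
    mkdir -p "$1"
    # 1: spoofed sender with no '@' -> jail
    printf 'V4\nSbomber\nRPFD:victim@langley.example\nH??From: bomber\nH??Subject: x\n' > "$1/qfMSG001"
    printf 'flood\n' > "$1/dfMSG001"
    # 2: routable sender mentioning the keyword -> copied, then delivered
    printf 'V4\nS<joe@whitehouse.gov>\nRPFD:victim@langley.example\nH??From: joe@whitehouse.gov\n' > "$1/qfMSG002"
    printf 'hello\n' > "$1/dfMSG002"
    # 3: ordinary mail -> delivered
    printf 'V4\nSalice@example.net\nRPFD:victim@langley.example\nH??From: alice@example.net\n' > "$1/qfMSG003"
    printf 'hi\n' > "$1/dfMSG003"
    # 4: still being written by the MTA (tf, no qf yet) -> must stay in mqueue
    printf 'V4\nSpartial\n' > "$1/tfMSG004"
    printf 'x\n' > "$1/dfMSG004"
}

# One cron cycle over the sample, in a throw-away directory tree.
demo_cycle() {
    root=$(mktemp -d)
    make_sample_queue "$root/mqueue"
    stage_queue "$root/mqueue" "$root/qprocess"
    filter_queue "$root/qprocess" "$root/qjail" "$root/qcopy" "$root/qclean" whitehouse
    echo "qjail:  $(queue_ids "$root/qjail")"
    echo "qcopy:  $(queue_ids "$root/qcopy")"
    echo "qclean: $(queue_ids "$root/qclean")"
    rm -rf "$root"
}
demo_cycle
```

Two things a deployment must check that the paper's rule does not mention: the null envelope sender <> used by bounce messages also contains no @ and would be jailed by the rule exactly as written, so a production rule-set needs an exception for it; and sendmail will refuse a queue directory it considers unsafe, so qclean must be owned by root and not group- or world-writable.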
