Okay, so this probably sounds terribly nefarious, but I need such capabilities for my senior project. Essentially I'm tasked with writing something that will cut down outbound spam on a zombified PC through a system of packet interception and evaluation. We have a number of algorithms we'll use on the captured messages, but it's the actual capture -- full-on interception rather than just sniffing -- that has me a bit stumped.

The app is being designed for Windows, so I can't use iptables. I could use the WinPcap libraries, but I don't want to reinvent the wheel if I don't have to. Ettercap seemed a good option, but a test run on Vista using the unofficial binaries resulted in nothing but crashes.

So, any suggestions?

Update: Great suggestions. Ended up scaling back the project a bit, but still received an A. I'm thinking Adam Mitz's answer is probably best, though we used WinPcap and Wireshark for the application.

A: 

One would think Wireshark would solve your problem -- no-hassle install and pretty easy to use.

Edit: Ah, I see now the interception requirement vs. just sniffing. In this case Wireshark alone won't cut it. Probably whatever's the equivalent of iptables on Windows would.

Ilkka
+2  A: 

Sounds like you need to write a Winsock LSP.

Once in the stack, a Layered Service Provider can intercept and modify inbound and outbound Internet traffic. It allows processing all the TCP/IP traffic taking place between the Internet and the applications that are accessing the Internet.

Adam Mitz
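To make the LSP suggestion concrete, here is the kind of decision logic an LSP's outbound send hook would run on a socket connected to an SMTP server. This is an added example, not code from the answer or from the Winsock SPI: the `on_send` hook name, the keyword and recipient-count heuristics, and the sample sessions are this example's own assumptions. A real LSP would call something like `on_send()` from its WSPSend handler and forward only the bytes it returns; the point it shows is that commands can pass through line by line while the DATA section is held back until the whole message has been scored, so a rejected message never reaches the wire at all.

```python
"""Outbound-SMTP interception logic, as an LSP send hook would apply it.

Added example, not code from the answer above or from Winsock. The hook
name (on_send), the heuristics and the sample sessions are assumptions
made for this example.
"""
import re
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    PASS = "pass"   # forward the returned bytes to the underlying provider
    HOLD = "hold"   # nothing to forward yet: the message body is being buffered
    DROP = "drop"   # discard; nothing more from this session reaches the wire


@dataclass
class SmtpInterceptor:
    """Per-connection state for one outbound SMTP session (TCP 25/587)."""
    max_rcpt: int = 10                                    # assumed bulk threshold
    spam_words: tuple = ("viagra", "lottery", "act now")  # toy keyword list
    pending: bytes = b""          # bytes not yet consumed by the line parser
    in_data: bool = False
    rcpt_count: int = 0
    held: bytearray = field(default_factory=bytearray)   # buffered DATA section
    blocked: bool = False
    reasons: list = field(default_factory=list)

    def on_send(self, chunk: bytes):
        """Filter one send() call; returns (verdict, bytes_to_forward).

        Commands pass through as soon as a full line is seen. The DATA section
        is held until the CRLF.CRLF terminator arrives so the whole message is
        scored before any of it leaves the host; on a spam verdict the body is
        withheld, the server never sees a terminator, and the session is dead.
        """
        if self.blocked:
            return Verdict.DROP, b""
        self.pending += chunk
        out = bytearray()
        while self.pending:
            if self.in_data:
                # An empty body is "DATA\r\n.\r\n": the DATA line's own CRLF
                # counts as the first half of the terminator.
                prefix = b"" if self.held else b"\r\n"
                end = (prefix + self.pending).find(b"\r\n.\r\n")
                if end < 0:
                    keep = max(0, len(self.pending) - 4)   # partial terminator
                    self.held += self.pending[:keep]
                    self.pending = self.pending[keep:]
                    break
                end -= len(prefix)                         # -2 for an empty body
                self.held += self.pending[:max(end, 0)]
                self.pending = self.pending[end + 5:]
                self.in_data = False
                if self._is_spam(bytes(self.held)):
                    self.blocked = True
                    return Verdict.DROP, b""
                out += self.held + (b".\r\n" if end < 0 else b"\r\n.\r\n")
                self.held = bytearray()
                continue
            nl = self.pending.find(b"\r\n")
            if nl < 0:
                break                                      # wait for the rest of the line
            line, self.pending = self.pending[:nl + 2], self.pending[nl + 2:]
            verb = line.upper()
            if verb.startswith(b"RCPT TO:"):
                self.rcpt_count += 1
                if self.rcpt_count > self.max_rcpt:        # bulk mailing: kill session
                    self.blocked = True
                    self.reasons.append("too many recipients")
                    return Verdict.DROP, b""
            elif verb.startswith(b"DATA"):
                self.in_data = True
            out += line
        if out:
            return Verdict.PASS, bytes(out)
        return (Verdict.HOLD, b"") if (self.in_data or self.pending) else (Verdict.PASS, b"")

    def _is_spam(self, msg: bytes) -> bool:
        """Toy scorer standing in for the project's real algorithms."""
        text = msg.decode("latin-1").lower()
        headers, _, body = text.partition("\r\n\r\n")
        m = re.search(r"^subject:(.*)$", headers, re.M)
        subject = m.group(1) if m else ""
        hits = [w for w in self.spam_words if w in subject or w in body]
        if hits:
            self.reasons.append("keyword: " + ", ".join(hits))
        return bool(hits)


def run_session(session: bytes, chunk_size: int = 7, **kw) -> dict:
    """Push a whole client session through the filter in small chunks, the way
    an LSP sees it across many send() calls, and report what reached the wire."""
    flt = SmtpInterceptor(**kw)
    wire = bytearray()
    for i in range(0, len(session), chunk_size):
        _verdict, data = flt.on_send(session[i:i + chunk_size])
        wire += data
    return {"wire": bytes(wire), "blocked": flt.blocked, "reasons": flt.reasons}


# Constructed sample sessions (client side only, which is all the send hook sees).
CLEAN_SESSION = (b"EHLO laptop\r\nMAIL FROM:<alice@example.com>\r\n"
                 b"RCPT TO:<bob@example.org>\r\nDATA\r\n"
                 b"Subject: lunch\r\n\r\nSee you at noon.\r\n.\r\nQUIT\r\n")
SPAM_SESSION = (b"EHLO laptop\r\nMAIL FROM:<alice@example.com>\r\n"
                b"RCPT TO:<bob@example.org>\r\nDATA\r\n"
                b"Subject: You won the LOTTERY\r\n\r\nClaim now.\r\n.\r\nQUIT\r\n")
BULK_SESSION = (b"EHLO laptop\r\nMAIL FROM:<alice@example.com>\r\n"
                + b"".join(b"RCPT TO:<u%d@example.org>\r\n" % i for i in range(12))
                + b"DATA\r\nSubject: hi\r\n\r\nhello\r\n.\r\nQUIT\r\n")
```

The clean session comes out of `run_session` byte-for-byte identical to what went in, regardless of how the application chunks its `send()` calls; the spam session stops at `DATA\r\n` and the bulk session stops at the eleventh `RCPT TO:`. Holding the body rather than forwarding it and then trying to "un-send" is the reason the LSP layer, rather than a sniffer, is the right place for this: by the time a sniffer sees a packet it is already on the wire.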
A: 

The dsniff package has the mailsnarf utility. It can grab POP3 too. There are all sorts of other wonderful sniffing utilities there. Make sure you have the legal right before using these tools (the legal right to intercept other people's traffic). I believe the documentation has more information on the legality. According to the web page there are Windows and Mac OS X ports too.

It would not be too hard to analyze the text output of the program.

cdv
A: 

Ilkka: I was looking at Wireshark, but from what I could tell, that didn't handle the interception aspect -- only the sniffing and logging. The thing the professor's looking for is to prevent the spams from getting out onto the network.

Adam: I'll definitely look into Winsock. I haven't checked that out yet. Only thing is the app's due in about 2 months, so if there are any OS apps that build off the WinSock SPI, I might want to tie into those. Know of any off the top of your head?

Gopherkhan
No, sorry, but this is the architecturally correct place to actually stop traffic from leaving the machine. This is how firewalls are written.
Adam Mitz
A: 

Thanks, CDV. I'll look into that as well. Good call about the legality check. I've actually been trying to use GNU Public License projects so far.

Gopherkhan
Sorry for the confusion. I was referring to the legality of intercepting traffic.
cdv
Ahh. Yah, but since it's just going to be demonstrated on campus for my professor, I'm not too worried about that. :D
Gopherkhan
A: 

I agree that Wireshark might be all you need. If you want to write your own filter application and can use Vista, then check out the Windows Filtering Platform.

Jim In Texas
A: 

tcpdump if you need a command line, or something more visual like Wireshark.

If you want to write something on your own use libpcap.

Iulian Şerbănoiu
A: 

Use Snort, stripped down, if this is a long-term thing. It's built to watch for particular packets flying by, examining payload where needed, recording data and launching alerts.

It's intended for intrusion detection, but it makes a surprisingly good network monitor for particular things over long term use.

JBB