On Feb 16, 2005, at 3:13 PM, vaida bogdan wrote:

> Hi, I use postfix+mailscanner on my mail server to block a lot of
> viruses coming from my internal network. I would like to implement a
> solution to block virus traffic on the internal gateway. The network
> looks like this:
>
> WIN-
> WIN-   ----GW1-----   -----MAIL SERVER-----   -----GW2----
> WIN-
>
> One WIN is infected but I don't know which of the 30 computers on the
> network. I receive virus-laden attachments on the MAIL SERVER from
> GW1's IP. The WIN machines are on the internal network.
>
> My first idea would be to extract the mail traffic passing through the
> gateway in mbox format and scan it with clamav. I'm looking for better
> ideas/implementations. Also, please tell me which tool I should use
> to sniff mail on GW1, or if there is a better solution.

ethereal or ettercap are my favorites for packet sniffing on UNIX systems.


Sometimes you can see things by sniffing traffic and seeing which machine is sending a lot of ARP queries for seemingly random IPs.

I found one infected system on our network once by seeing a huge number of cached routes on our Linux Squid gateway for a client computer.

_______________________________________________
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users
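Two things in this thread lend themselves to a small gateway-side script: the original poster wants to find which internal host is pushing mail through GW1, and the reply suggests watching for a machine that ARPs for many seemingly random IPs. The following is an added example, not code from either poster or from the ClamAV project. It assumes you feed it the text output of `tcpdump -n` (modern tcpdump line format, with `Flags [S]` for a SYN) captured on GW1's internal interface, and it counts, per internal source address, the number of distinct ARP targets asked for and the number of TCP connections opened to port 25. The sample capture lines, the subnet addresses, the mail server address 192.168.2.10 and the thresholds are all constructed for the example.

```python
"""Triage an internal segment from tcpdump -n text output.

Reports hosts that (a) ARP for an unusual number of distinct neighbours
(worm-style address sweep) or (b) open many SMTP connections (mass mailer).
"""
import re
import sys
from collections import Counter, defaultdict

# Assumed tcpdump -n line shapes (modern tcpdump text output):
#   12:00:01.000000 ARP, Request who-has 10.0.0.9 tell 10.0.0.17, length 28
#   12:00:02.000000 IP 10.0.0.17.2001 > 192.168.2.10.25: Flags [S], seq 1, ...
ARP_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+),")
SYN_RE = re.compile(
    r"IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): Flags \[S\],"
)


def parse_lines(lines):
    """Return ({asker: set(targets)}, Counter{src: smtp_syn_count})."""
    arp_targets = defaultdict(set)
    smtp_syns = Counter()
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            target, asker = m.group(1), m.group(2)
            arp_targets[asker].add(target)
            continue
        m = SYN_RE.search(line)
        # Only a pure SYN ([S], not the [S.] SYN-ACK) towards port 25 counts
        # as a new outbound SMTP connection from the internal host.
        if m and m.group(3) == "25":
            smtp_syns[m.group(1)] += 1
    return arp_targets, smtp_syns


def suspects(lines, arp_threshold=20, smtp_threshold=5):
    """Hosts exceeding either threshold, with the reason(s) why."""
    arp_targets, smtp_syns = parse_lines(lines)
    report = {}
    for host, targets in sorted(arp_targets.items()):
        if len(targets) >= arp_threshold:
            report.setdefault(host, []).append(f"arp_scan:{len(targets)}")
    for host, n in sorted(smtp_syns.items()):
        if n >= smtp_threshold:
            report.setdefault(host, []).append(f"smtp_syn:{n}")
    return report


# Constructed sample capture (not real traffic): a quiet workstation
# 10.0.0.5 and a noisy one 10.0.0.17, mail server at 192.168.2.10.
SAMPLE_LINES = [
    "12:00:00.000001 ARP, Request who-has 10.0.0.1 tell 10.0.0.5, length 28",
    "12:00:00.100000 IP 10.0.0.5.1034 > 192.168.2.10.25: Flags [S], seq 1, win 65535, length 0",
    "12:00:00.200000 IP 192.168.2.10.25 > 10.0.0.5.1034: Flags [S.], seq 2, ack 2, win 5840, length 0",
]
# 10.0.0.17 ARPs for 30 different neighbours within a second ...
SAMPLE_LINES += [
    f"12:00:01.{i:06d} ARP, Request who-has 10.0.0.{100 + i} tell 10.0.0.17, length 28"
    for i in range(30)
]
# ... and then opens 12 SMTP connections to the mail server.
SAMPLE_LINES += [
    f"12:00:02.{i:06d} IP 10.0.0.17.{2000 + i} > 192.168.2.10.25: Flags [S], seq {i}, win 65535, length 0"
    for i in range(12)
]


if __name__ == "__main__":
    # Real use: pipe tcpdump output in; with no stdin data, run the sample.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for host, reasons in suspects(lines).items():
        print(host, ", ".join(reasons))
```

To run it against live traffic on the gateway, capture only what the script looks at, for example `tcpdump -n -i eth0 'arp or (tcp dst port 25 and tcp[tcpflags] & tcp-syn != 0)' | python3 gw_triage.py`. The two thresholds are starting points for a 30-host network; tune them against a few minutes of normal traffic before trusting a hit, and treat a host that trips both counters as the first one to pull off the wire.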