On Oct 22, 2006, at 10:50 PM, Tom Metro wrote:
[ ...heated debate aside :-), these questions are interesting... ]
> Is there really much practical value to outbound scanning?

Yes. I've seen employees download viral mail from some other service (AOL, fastmail.fm, gmail, whatever) to their corporate desktop, get infected, and have their machine start spewing malicious email out.

If you have outbound scanning, you have some hope of containing the problem or at least not sending malicious mail onwards to your clients.

It doesn't stop all potential problems with outbound email from your domain, but together with adding SPF records and using a firewall to block outbound port 25 except from your legitimate mail relay, you can do a lot to keep your domain from contributing to the problem.

> Isn't the vast majority of viruses and spam sent via zombies on unfirewalled (outbound) home networks?

Interesting question. I've gotten about 12000 spammy messages over the past week on one mailserver; about 1000 got through greylisting, consisting of about 5 actual viruses, ~60-odd phishing scams, and about 900 non-malware spams.

Of the senders out of the original 12K, somewhere around half (5100) do not have reverse DNS configured; otherwise, here are sorted lists of the data where we'd gotten at least ten spammy messages from that source:

http://www.codefab.com/AV/malware_histogram.txt
http://www.codefab.com/AV/spammers_by_ip.txt
http://www.codefab.com/AV/spammers_by_hostname.txt

> Even if a zombie was inside a corporate network, how likely is it to use the SMTP relay that happens to be configured in some mail client on the compromised machine?

Using the configured SMTP relay seems to be the most common case; but it's also common for the infected host to send mail out directly. As you've suggested, egress filtering is a good idea:

> I'd think you'd get far greater benefit by practicing some form of egress filtering at the firewall, like rejecting all outbound connections with a port 25 destination except from the mail relay (or proxy) inside the firewall.

> For any small shop that keeps a close eye on their machines and network traffic, I'd think the overhead of scanning every outbound message would be a waste.

It's not very expensive in terms of CPU resources to scan normal messages, usually.

--
-Chuck
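As an added illustration of the egress filtering both posters recommend (blocking outbound port 25 from everything but the legitimate relay, and then using the firewall's log to spot the infected desktop that is sending mail directly), here is a small shell example that is not part of the thread. It assumes nftables rule syntax, a constructed relay address of 192.0.2.25, a constructed log prefix "SMTP-EGRESS-DROP:" and constructed kernel log lines in the usual nft log format.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Assumptions: nftables syntax; relay address and log lines below are constructed.

# Emit an nftables ruleset that lets only the relay open outbound port 25.
# Any other host reaching for port 25 is logged (so the source can be found)
# and rejected, which is the "block 25 except from the relay" rule from the thread.
egress_smtp_ruleset() {
  relay="$1"
  cat <<EOF
table inet egress {
  chain forward {
    type filter hook forward priority 0; policy accept;
    ip saddr $relay tcp dport 25 accept
    tcp dport 25 log prefix "SMTP-EGRESS-DROP: " reject with tcp reset
  }
}
EOF
}

# Count logged drops per internal source address. A desktop that keeps trying
# to reach port 25 on its own, rather than via the relay, is the infected
# machine "spewing malicious email out"; this lists such hosts, busiest first.
# Output format: "<source ip> <attempt count>".
egress_violators() {
  grep 'SMTP-EGRESS-DROP:' "$1" \
    | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{print $2, $1}'
}

# Constructed sample of firewall log lines (not real traffic).
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
Oct 23 01:02:03 fw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=198.51.100.9 PROTO=TCP SPT=50001 DPT=25
Oct 23 01:02:04 fw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=10.0.0.17 DST=203.0.113.4 PROTO=TCP SPT=50002 DPT=25
Oct 23 01:02:05 fw kernel: SMTP-EGRESS-DROP: IN=eth1 OUT=eth0 SRC=10.0.0.42 DST=203.0.113.5 PROTO=TCP SPT=50003 DPT=25
Oct 23 01:02:06 fw kernel: other-rule: IN=eth1 OUT=eth0 SRC=10.0.0.99 DST=203.0.113.6 PROTO=TCP SPT=50004 DPT=80
EOF

egress_smtp_ruleset 192.0.2.25
egress_violators "$LOG"
```

Load the generated ruleset with `nft -f` on the gateway; the violator list is what you would feed to whoever has to go clean the desktop.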

_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
