On Monday October 23, 2006 at 01:20:54 (PM) Chuck Swiger wrote:

> On Oct 22, 2006, at 10:50 PM, Tom Metro wrote:
> [ ...heated debate aside :-), these questions are interesting... ]
> > Is there really much practical value to outbound scanning?
> 
> Yes.  I've seen employees download viral mail from some other service  
> (AOL, fastmail.fm, gmail, whatever) to their corporate desktop, get  
> infected, and have their machine start spewing malicious email out.
> 
> If you have outbound scanning, you have some hope of containing the  
> problem or at least not sending malicious mail onwards to your clients.
> 
> It doesn't stop all potential problems with outbound email from your  
> domain, but together with adding SPF records and using a firewall to  
> block outbound port 25 except from your legitimate mail relay, you  
> can do a lot to keep your domain from contributing to the problem.

If you have on-access scanning working properly, that will also greatly
lessen any such problem. You stated that you were aware of users
downloading infected material to their workstations. Where the hell is
the AV that is supposed to be protecting those workstations? Seems to me
it might be time to have a long discussion with your SA (I hope it isn't
you) about installing and using reliable AV products on your
workstations. On-access scanning would be the minimum requirement here.

> > Isn't the vast majority of viruses and spam sent via zombies on
> > unfirewalled (outbound) home networks?
> 
> Interesting question.  I've gotten about 12000 spammy messages over  
> the past week on one mailserver; about 1000 got through greylisting,  
> consisting of about 5 actual viruses, ~60-odd phishing scams, and  
> about 900 non-malware spams.
> 
> Of the senders out of the original 12K, somewhere around half (5100)  
> do not have reverse DNS configured; otherwise, here are sorted lists  
> of the data where we'd gotten at least ten spammy messages from that  
> source:

> http://www.codefab.com/AV/malware_histogram.txt
> http://www.codefab.com/AV/spammers_by_ip.txt
> http://www.codefab.com/AV/spammers_by_hostname.txt

Postfix offers ways to check and prevent that from happening.

> > Even if a zombie was inside a corporate
> > network, how likely is it to use the SMTP relay that happens to be
> > configured in some mail client on the compromised machine?
> 
> Using the configured SMTP relay seems to be the most common case; but  
> it's also common for the infected host to send mail out directly.  As  
> you've suggested, egress filtering is a good idea:

The workstation should be firewalled off from all but the company mail
server. If it is not, then do it.

> > I'd think you'd get far greater benefit by practicing some form of
> > egress filtering at the firewall, like rejecting all outbound
> > connections with a port 25 destination except from the mail relay (or
> > proxy) inside the firewall.
> 
> > For any small shop that keeps a close eye on their machines and
> > network traffic, I'd think the overhead of scanning every outbound
> > message would be a waste.

I concur.

> It's not very expensive in terms of CPU resources to scan normal  
> messages, usually.

The key words are "normal" and "usually".


-- 
Gerard
_______________________________________________
http://lurker.clamav.net/list/clamav-users.html
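The Postfix checks Gerard alludes to above are the client-hostname restrictions that act on the "no reverse DNS" population Chuck measured. The block below is an added illustration, not code from either poster, from ClamAV or from Postfix itself: it reimplements the forward-confirmed reverse DNS (FCrDNS) test behind `reject_unknown_reverse_client_hostname` and `reject_unknown_client_hostname` against a constructed, in-memory zone table (documentation-range addresses and made-up hostnames), so it runs offline. The resolver callables and the sample client list are assumptions for the example; temporary DNS failures, which Postfix handles separately, are not modelled.

```python
"""Forward-confirmed reverse DNS (FCrDNS) classification of SMTP clients.

Added example; not code from the thread or from Postfix.  It reproduces the
decision logic behind two Postfix smtpd client restrictions:

  reject_unknown_reverse_client_hostname  reject when the client IP has no
                                          PTR record at all
  reject_unknown_client_hostname          reject when the PTR name does not
                                          resolve back to the client IP

DNS lookups are injected so the example runs offline against a constructed
zone table; in production swap in real lookups (e.g. socket.gethostbyaddr
and socket.getaddrinfo).  Temporary DNS errors are not modelled here.
"""
from __future__ import annotations

from collections import Counter
from typing import Callable, Dict, Iterable, List

PtrLookup = Callable[[str], List[str]]   # ip   -> hostnames from PTR records
AddrLookup = Callable[[str], List[str]]  # name -> IPs from A/AAAA records

# Constructed DNS data for the example (documentation ranges, not real hosts).
_PTR: Dict[str, List[str]] = {
    "192.0.2.10": ["mail.example.net"],      # proper FCrDNS
    "192.0.2.20": ["pool-20.isp.example"],   # PTR exists, no forward record
    "192.0.2.30": ["mx.other.example"],      # forward record points elsewhere
    # 192.0.2.40 deliberately has no PTR at all
}
_ADDR: Dict[str, List[str]] = {
    "mail.example.net": ["192.0.2.10"],
    "mx.other.example": ["198.51.100.7"],
}


def ptr_lookup(ip: str) -> List[str]:
    """Assumed offline stand-in for a reverse (PTR) lookup."""
    return _PTR.get(ip, [])


def addr_lookup(name: str) -> List[str]:
    """Assumed offline stand-in for a forward (A/AAAA) lookup."""
    return _ADDR.get(name, [])


def classify_client(ip: str, ptr: PtrLookup = ptr_lookup,
                    addr: AddrLookup = addr_lookup) -> str:
    """Return 'confirmed', 'no-ptr', 'no-forward' or 'mismatch' for a client IP."""
    names = ptr(ip)
    if not names:
        return "no-ptr"
    forward_seen = False
    for name in names:
        ips = addr(name)
        if ips:
            forward_seen = True
            if ip in ips:          # name resolves back to the connecting IP
                return "confirmed"
    return "mismatch" if forward_seen else "no-forward"


# Which classifications each Postfix restriction rejects (per postconf(5)).
_REJECTS = {
    "reject_unknown_reverse_client_hostname": {"no-ptr"},
    "reject_unknown_client_hostname": {"no-ptr", "no-forward", "mismatch"},
}


def postfix_action(ip: str, restriction: str) -> str:
    """'REJECT' or 'OK' as the named Postfix restriction would decide."""
    return "REJECT" if classify_client(ip) in _REJECTS[restriction] else "OK"


# Constructed sample of spammy connections, as an admin might tally them.
SAMPLE_CLIENTS = ["192.0.2.40", "192.0.2.40", "192.0.2.20",
                  "192.0.2.10", "192.0.2.30", "192.0.2.40"]


def tally_by_status(ips: Iterable[str]) -> Dict[str, int]:
    """Histogram of client classifications, like a spammers-by-ip summary."""
    return dict(Counter(classify_client(ip) for ip in ips))


if __name__ == "__main__":
    for client in sorted(set(SAMPLE_CLIENTS)):
        print(client, classify_client(client),
              postfix_action(client, "reject_unknown_reverse_client_hostname"),
              postfix_action(client, "reject_unknown_client_hostname"))
    print(tally_by_status(SAMPLE_CLIENTS))
```

The practical difference between the two restrictions is visible in the "no-forward" and "mismatch" cases: the milder reverse-only check lets them through, the stricter FCrDNS check rejects them, which is also where the false-positive risk from badly maintained but legitimate mail hosts lives. The egress-filtering half of the thread (blocking outbound port 25 from everything but the relay) is a firewall rule, not a Postfix setting, and is outside this example.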