On Oct 23, 2006, at 11:02 AM, Gerard Seibert wrote:
It doesn't stop all potential problems with outbound email from your
domain, but together with adding SPF records and using a firewall to
block outbound port 25 except from your legitimate mail relay, you
can do a lot to keep your domain from contributing to the problem.
If you have on access scanning working properly that will also greatly
lessen any such problem.
Assuming the local AV-software is sufficiently up-to-date that the
malware is detected, sure. For new 0-day infections, machines which
get owned tend to have their anti-virus software disabled, or have
the resolver compromised such that fetching new updates to the AV
software goes to localhost and fails, instead.
You stated that you were aware of users downloading infected material
to their work stations. Where the hell is the AV that is supposed to be
protecting those work stations. Seems to me it might be time to have a
long discussion with your SA (I hope it isn't you) about installing and
using reliable AV products on your work stations.
No, I'm the sysadmin these clients hire from time to time to clean up
their networks because they don't have or have chosen not to hire a
competent full-time sysadmin staff.
At nearly half of the "normal" businesses I am familiar with (by this
I mean, a business which does not do computer-related things like
write software or sell computer hardware), not only do the employees
there not care whether their machines are getting infected, even the
local "sysadmin"-equivalent who is nominally responsible for the
machines doesn't seem to care whether there are infected machines on
the local network.
Isn't the vast majority of viruses and spam sent via zombies on
unfirewalled (outbound) home networks?
Interesting question. I've gotten about 12000 spammy messages over
the past week on one mailserver; about 1000 got through greylisting,
consisting of about 5 actual viruses, ~60-odd phishing scams, and
about 900 non-malware spams.
Of the senders out of the original 12K, somewhere around half (5100)
do not have reverse DNS configured; otherwise, here are sorted lists
of the data where we'd gotten at least ten spammy messages from that
source:
http://www.codefab.com/AV/malware_histogram.txt
http://www.codefab.com/AV/spammers_by_ip.txt
http://www.codefab.com/AV/spammers_by_hostname.txt
Postfix offers ways to check and prevent that from happening.
Care to be more explicit?
(I can't block senders just because they don't have reverse DNS
configured, or because forward and reverse DNS does not match.)
Even if a zombie was inside a corporate
network, how likely is it to use the SMTP relay that happens to be
configured in some mail client on the compromised machine?
Using the configured SMTP relay seems to be the most common case; but
it's also common for the infected host to send mail out directly. As
you've suggested, egress filtering is a good idea:
The work station should be firewalled off from all but the company
mail server. If it is not, then do it.
For the networks I am in charge of, I normally set up egress
filtering on the firewall; but I spend at least some time working on
networks which are not administered to reasonable standards.
--
-Chuck
http://lurker.clamav.net/list/clamav-users.html
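An added example, not part of the thread or of the linked data files, showing how histograms like the ones Chuck describes (sources with ten or more spammy messages, and the share of senders with no reverse DNS) can be derived from Postfix smtpd "connect from" log lines. The log lines and counts below are constructed for illustration; Postfix logs a client without reverse DNS as "unknown".

```python
"""Tally spammy SMTP clients from Postfix smtpd 'connect from' log lines."""
import re
from collections import Counter

# Constructed sample sources (hostname, ip, connections); not real data.
# "unknown" is how Postfix logs a client whose IP has no reverse DNS.
SAMPLE_SOURCES = [
    ("unknown", "203.0.113.7", 14),
    ("unknown", "198.51.100.23", 11),
    ("dsl-22.isp.example", "192.0.2.22", 12),
    ("unknown", "203.0.113.99", 3),
    ("cable-5.isp.example", "192.0.2.5", 9),
    ("mail.partner.example", "192.0.2.200", 2),
]

def make_log(sources):
    """Render constructed Postfix-style log lines, one per connection."""
    lines = []
    for host, ip, n in sources:
        for _ in range(n):
            lines.append(f"Oct 23 10:02:03 mx postfix/smtpd[4242]: connect from {host}[{ip}]")
    return "\n".join(lines)

# Matches the connection line Postfix writes: "connect from host[ip]".
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from (?P<host>[^\[\s]+)\[(?P<ip>[0-9.]+)\]$")

def tally(log_text):
    """Count connections per client IP and per client hostname."""
    by_ip, by_host = Counter(), Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue  # not a connection line; ignore
        by_ip[m["ip"]] += 1
        by_host[m["host"]] += 1
    return by_ip, by_host

def no_rdns_share(by_ip, by_host):
    """Fraction of connections that came from clients without reverse DNS."""
    total = sum(by_ip.values())
    return by_host["unknown"] / total if total else 0.0

def top_sources(counter, minimum=10):
    """Sources seen at least `minimum` times, most frequent first."""
    return sorted(((n, k) for k, n in counter.items() if n >= minimum), reverse=True)

if __name__ == "__main__":
    ips, hosts = tally(make_log(SAMPLE_SOURCES))
    print(f"no reverse DNS: {no_rdns_share(ips, hosts):.0%} of connections")
    for n, ip in top_sources(ips):
        print(f"{n:5d}  {ip}")
```

Feed it real `mail.log` text instead of `make_log(...)` to get the same two sorted lists for your own server.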