[Techtalk] stopping outgoing virus mail
Conor Daly
conor.daly at oceanfree.net
Tue Mar 18 16:36:32 EST 2003
On Tue, Mar 18, 2003 at 08:39:43AM -0500 or so it is rumoured hereabouts,
Brenda Bell thought:
> Quoting Carla Schroder <carla at bratgrrl.com>:
>
> > OK, I wasn't clear- this is in addition to using antivirus software,
> > I can't imagine any admin being foolish enough to think they can
> > skate by without it!
> > What I'm trying to figure out is if there is a way to identify
> > virus-sent emails. Let's say it's a brand-new virus and the AV
> > software misses it, having a nice egress filter to catch the little
> > buggers would be a lovely thing.
>
> I'm not a virus expert but you may be able to do firewall rules to
> block outbound email generated by viruses that have their own SMTP
> engine (Ganda). If you have a mail server running inside your
> firewall, then all outbound traffic with a destination of port 25
> should originate at the mail server -- never from a client IP address.
> However, this breaks down if clients have other legitimate software
> with built-in SMTP capabilities (IIS or PWS, heaven forbid :)
You _should_ be able to manage this using the "transparent proxy" method:
o Configure the firewall to do port forwarding.
o At the firewall, forward _any_ outgoing to port 25 to SMTP server port 25.
o Configure the SMTP server to send outgoing mails on port 50025.
o At the firewall, forward outgoing from SMTP server to port 50025 to
internet on port 25.
That allows you to do your outgoing virus filtering/detection stuff on the
SMTP server _even_ for those viruses that have their own SMTP clients. It
should handle the case of IIS also.
Conor
--
Conor Daly <conor.daly at oceanfree.net>
Domestic Sysadmin :-)
---------------------
Faenor.cod.ie
3:29pm up 10 days, 16:44, 0 users, load average: 0.00, 0.00, 0.00
Hobbiton.cod.ie
3:29pm up 11 days, 14:59, 2 users, load average: 0.01, 0.02, 0.00
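
The forwarding scheme from the reply above, written out as an added example (not part of the original message and not its author's code). It assumes a Linux firewall using iptables, with clients and the SMTP server on the same LAN interface; the helper name `smtp_egress_rules`, the interface `eth1` and the addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: prints (does not apply) iptables rules for the scheme
# described in the message. All names and addresses are constructed.

# smtp_egress_rules LAN_IF MAIL_IP LAN_NET RELAY_PORT  (hypothetical helper)
smtp_egress_rules() {
    lan_if=$1 mail_ip=$2 lan_net=$3 relay_port=$4

    # Accept only a plain port number in 1..65535, and refuse 25 itself:
    # the server's own outgoing mail must be distinguishable from clients'.
    case $relay_port in
        ''|*[!0-9]*) echo "bad port: $relay_port" >&2; return 1 ;;
    esac
    if [ "$relay_port" -lt 1 ] || [ "$relay_port" -gt 65535 ] ||
       [ "$relay_port" -eq 25 ]; then
        echo "bad port: $relay_port" >&2; return 1
    fi
    # Crude character checks so a typo cannot turn into a rule argument.
    case $mail_ip in ''|*[!0-9.]*) echo "bad address" >&2; return 1 ;; esac
    case $lan_net in ''|*[!0-9./]*) echo "bad network" >&2; return 1 ;; esac

    nat="iptables -t nat -A"
    direct="-i $lan_if -p tcp ! -s $mail_ip --dport 25"
    cat <<EOF
# 1. Log each new direct-to-port-25 attempt from a client: a workstation
#    that shows up here may be running something with its own SMTP engine.
$nat PREROUTING $direct -j LOG --log-prefix "smtp-direct: "
# 2. Send that connection to the internal SMTP server instead.
$nat PREROUTING $direct -j DNAT --to-destination $mail_ip:25
# 3. Server and clients share the LAN, so replies must come back through
#    the firewall; the server then sees the firewall as the SMTP client,
#    which is why rule 1 records the real source address first.
$nat POSTROUTING -o $lan_if -p tcp -s $lan_net -d $mail_ip --dport 25 -j MASQUERADE
# 4. The server's own outgoing mail on the relay port leaves as port 25.
$nat PREROUTING -i $lan_if -p tcp -s $mail_ip --dport $relay_port -j DNAT --to-destination :25
EOF
}

# Constructed sample values; review the output before piping it to a root shell.
smtp_egress_rules eth1 192.168.1.10 192.168.1.0/24 50025
```
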