[Techtalk] stopping outgoing virus mail

Jessica Smith crystalsinger at mail.com
Tue Mar 18 10:34:37 EST 2003


Hi Carla,

At 18/03/03 07:14 AM, you wrote:

>I'm trying to figure out a way to block outgoing email generated by a virus.
>The idea is to stop it before it gets out into the world, and log the
>activity for when the admin arrives to work refreshed and alert after an
>unbroken night's sleep.
>
>I don't even know if it's possible, anyone have any brilliant ideas? The usual
>virus-scanners check both incoming and outgoing mail, I'm looking for a way
>to do it with iptables rules or procmail something similar. Don't even let it
>past the firewall. Seems like there ought to be something to base a generic
>ruleset on.

On a Win platform, the ZoneAlarm personal firewall does this by letting you 
choose which applications have permission to establish outbound TCP/IP 
connections, both locally, and to the outside world. Anything that doesn't 
have permissions explicitly set pops up a prompt asking for a user decision 
- until you've made the decision that application is blocked from making 
connections.

Something similar may be available for a *NIX platform but I haven't 
personally seen it.

I guess it depends somewhat on whether you're talking about a *NIX virus on 
your host (is there such a beast?) or virii sent in from an authenticated 
(Win) user through SMTP, or a virus on a Win client that does its own 
sending and its traffic just passes through your host. The last two perhaps 
wouldn't work with the ZoneAlarm model, and the first may not either 
without being able to do more than control with a firewall (perhaps 
restricting access to sockets or similar).


Jess 
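One way to do the iptables half of what Carla asks about, as an added example that is not from this thread: an sh script (interface name, relay address and LAN subnet are assumptions, using documentation addresses) that forces all SMTP leaving the LAN through one known relay and logs and drops everything else, so a Windows client doing its own sending is stopped at the gateway and shows up in syslog for the next morning.

```shell
#!/bin/sh
# Constructed example: allow outbound TCP/25 only from the site's mail relay,
# let LAN clients reach the relay, log and drop any other SMTP leaving the LAN.
LAN_IF="${LAN_IF:-eth1}"             # interface facing the client LAN (assumed)
RELAY_IP="${RELAY_IP:-192.0.2.25}"   # the approved mail relay (assumed)
LAN_NET="${LAN_NET:-192.0.2.0/24}"   # client subnet behind the gateway (assumed)

# ipt: print the rule when DRY_RUN=1 (review before applying), else run it.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# smtp_egress_rules: a dedicated chain for SMTP traffic forwarded off the LAN.
smtp_egress_rules() {
    ipt -N SMTP_EGRESS
    # the relay may open port 25 to the outside world
    ipt -A SMTP_EGRESS -s "$RELAY_IP" -j ACCEPT
    # ordinary clients may only hand mail to the relay
    ipt -A SMTP_EGRESS -s "$LAN_NET" -d "$RELAY_IP" -j ACCEPT
    # anything else is a client talking SMTP on its own: log (rate-limited
    # so a mass-mailer cannot flood syslog), then drop
    ipt -A SMTP_EGRESS -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "SMTP-EGRESS-BLOCK: " --log-level 4
    ipt -A SMTP_EGRESS -j DROP
    # send every new outbound SMTP connection from the LAN through the chain
    ipt -A FORWARD -i "$LAN_IF" -p tcp --dport 25 --syn -j SMTP_EGRESS
}

# usage: ./smtp-egress.sh show   (print the rules)
#        ./smtp-egress.sh apply  (install them, as root)
case "${1:-}" in
    show)  DRY_RUN=1 smtp_egress_rules ;;
    apply) smtp_egress_rules ;;
esac
```

The blocked attempts land in the kernel log with the SMTP-EGRESS-BLOCK prefix, so `grep SMTP-EGRESS-BLOCK /var/log/messages` the next morning lists which client was sending and when.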
