[Techtalk] stopping outgoing virus mail
Jessica Smith
crystalsinger at mail.com
Tue Mar 18 10:34:37 EST 2003
Hi Carla,
At 18/03/03 07:14 AM, you wrote:
>I'm trying to figure out a way to block outgoing email generated by a virus.
>The idea is to stop it before it gets out into the world, and log the
>activity for when the admin arrives to work refreshed and alert after an
>unbroken night's sleep.
>
>I don't even know if it's possible, anyone have any brilliant ideas? The usual
>virus-scanners check both incoming and outgoing mail, I'm looking for a way
>to do it with iptables rules or procmail or something similar. Don't even let it
>past the firewall. Seems like there ought to be something to base a generic
>ruleset on.

On a Win platform, the ZoneAlarm personal firewall does this by letting you
choose which applications have permission to establish outbound TCP/IP
connections, both locally, and to the outside world. Anything that doesn't
have permissions explicitly set pops up a prompt asking for a user decision
- until you've made the decision, that application is blocked from making
connections.

Something similar may be available for a *NIX platform but I haven't
personally seen it.

I guess it depends somewhat on whether you're talking about a *NIX virus on
your host (is there such a beast?) or viruses sent in from an authenticated
(Win) user through SMTP, or a virus on a Win client that does its own
sending and its traffic just passes through your host. The last two perhaps
wouldn't work with the ZoneAlarm model, and the first may not either
without being able to do more than control with a firewall (perhaps
restricting access to sockets or similar).

Jess
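
Added example, not part of Jess's message: one way to approximate the per-application outbound control described above on a Linux host with iptables, covering a program on the host itself and a client whose traffic just passes through. The account name postfix, the relay address 192.0.2.25 and the log prefixes are assumptions.

```shell
#!/bin/sh
# Added example: print iptables rules that confine outbound SMTP (tcp/25).
# The MTA user, relay address and log prefixes are assumptions for this sketch.
#
# usage: smtp_egress_rules MTA_USER [RELAY_IP]
# Rules are printed, not applied, so they can be reviewed first.
smtp_egress_rules() {
    mta_user=${1:-}
    relay_ip=${2:-}
    # Refuse anything that is not a plain account name or dotted address,
    # because the output is meant to be fed to a root shell.
    case $mta_user in
        ''|*[!A-Za-z0-9_-]*) echo "bad MTA user" >&2; return 2 ;;
    esac
    case $relay_ip in
        *[!0-9.]*) echo "bad relay address" >&2; return 2 ;;
    esac

    # Program running on this host: only the MTA's uid may open tcp/25.
    # Everything else is logged (rate-limited, with the sending uid) and reset.
    echo "iptables -A OUTPUT -p tcp --dport 25 -m owner --uid-owner $mta_user -j ACCEPT"
    echo "iptables -A OUTPUT -p tcp --dport 25 -m limit --limit 6/min -j LOG --log-prefix 'SMTP-OUT-DENY: ' --log-uid"
    echo "iptables -A OUTPUT -p tcp --dport 25 -j REJECT --reject-with tcp-reset"

    # Client behind this host doing its own sending: forwarded tcp/25 is
    # allowed only towards the designated relay, if one is given.
    if [ -n "$relay_ip" ]; then
        echo "iptables -A FORWARD -p tcp --dport 25 -d $relay_ip -j ACCEPT"
    fi
    echo "iptables -A FORWARD -p tcp --dport 25 -m limit --limit 6/min -j LOG --log-prefix 'SMTP-FWD-DENY: '"
    echo "iptables -A FORWARD -p tcp --dport 25 -j REJECT --reject-with tcp-reset"

    # Mail an authenticated user relays through the MTA leaves as the MTA's
    # uid, so these rules cannot tell it apart; that case needs scanning in the MTA.
}

# Stand-alone use: ./script postfix 192.0.2.25
if [ "$#" -gt 0 ]; then
    smtp_egress_rules "$@"
fi
```

The denied attempts appear in the kernel log under the two prefixes, which gives the admin the overnight record the original question asks for.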