[Techtalk] stopping outgoing virus mail

jennyw jennyw at dangerousideas.com
Mon Mar 17 17:12:40 EST 2003


On Mon, Mar 17, 2003 at 12:14:42PM -0800, Carla Schroder wrote:
> I'm trying to figure out a way to block outgoing email generated by a virus. 
> The idea is to stop it before it gets out into the world, and log the 
> activity for when the admin arrives to work refreshed and alert after an 
> unbroken night's sleep. 
> 
> I don't even know if it's possible, anyone have any brilliant ideas? The usual
> virus-scanners check both incoming and outgoing mail, I'm looking for a way
> to do it with iptables rules or procmail or something similar. Don't even let it
> past the firewall. Seems like there ought to be something to base a generic
> ruleset on.

What's the mail setup?  Why are virus scanners ineffective?

For now I'll assume that you have a mail server like postfix that everyone points
their clients to and that your clients are mostly Windows-based.

Unfortunately, in this situation, iptables isn't going to work, because by source
address a regular mail client and a virus's mail client aren't distinguishable. You
could try to filter based on the text of the message, but you'd have to keep that
up to date.

I'd suggest setting up SMTP-Auth on the mail server.  That would stop viruses that
have a built-in mail client as they wouldn't be able to use the mail server.  As
for viruses that attack Outlook or Outlook Express ... without AV software, that
would be kind of tough.

Jen
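Jen's suggestion, as an added example that is not part of the original post: a Postfix main.cf fragment with the weak setting (every host on the LAN may relay by address) beside the corrected one (only the server itself is trusted by address, and everyone else must pass SMTP AUTH before relaying). The 192.168.1.0/24 network is an assumed value; the Cyrus SASL backend that actually checks the passwords is configured separately (smtpd.conf) and is not shown here.

```ini
# --- Weak: any process on any LAN host can relay unchallenged ---
# A virus with its own SMTP engine running on a workstation in
# 192.168.1.0/24 is accepted exactly like a real mail client.
# (192.168.1.0/24 is an assumed LAN address range.)
mynetworks = 127.0.0.0/8, 192.168.1.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination

# --- Corrected: trust only the server itself by address, require SMTP AUTH ---
# Turn on SMTP AUTH in the smtpd server and refuse anonymous mechanisms.
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
# Outlook / Outlook Express of that era announce AUTH the old way.
broken_sasl_auth_clients = yes
# Only loopback is trusted by address now; the workstations are not.
mynetworks = 127.0.0.0/8
# Relaying is allowed for the server itself and for authenticated clients;
# everything else addressed to a foreign domain is rejected and logged.
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
```

With the corrected restrictions, a mail client on a workstation has to log in (the mail clients are given the account password), while a virus speaking SMTP to the server gets its relay attempts rejected by reject_unauth_destination, and each rejection appears in the mail log with the sender's address, which gives the morning admin the record Carla asked for. Note the caveat Jen alludes to: this only stops what goes through the mail server, so a virus that delivers straight to the recipient's mail exchanger, or one that drives Outlook itself, is not caught by it.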

