Domain: impsec.org
Stories and comments across the archive that link to impsec.org.
Comments · 47
-
Re:I think
No, no, no, not a safe, an anvil! And the only way to do it right, is from orbit!
-
Re:Any good router suggestions?
Get yourself a small, inexpensive desktop computer with two NICs, install a stable Linux version, such as an LTS Ubuntu version or CentOS, and configure it as a router and DNS server. Make sure that its firewall is set to block all traffic to those sites, in or out, and that DNS is set to return 127.0.0.1 as all of their IP addresses. It's a bit of work, but once it's up, it's about as safe as you can get without going to the extreme of using OADS.
-
Re:There's only one solution
And if that's not enough, there's always OADS for when you really want to be sure, but don't want to worry about fallout.
-
Re:The obvious applications
Depending on who's in control of the system, you might get your location sent to the OADS for "service."
-
Re:Nuke the site from orbit
The only problem with that is the fallout. Considering that this was probably done from an urban location, you really need something that can take it out with surgical precision and minimal side effects: OADS should be just the thing he needs.
-
Re:As a 45 year old working in the industry
And while you're at it, you can send the GPS coordinates of his home to OADS. It's the only way to be sure.
-
Re:We need another site
Actually, there's something much, much better than a drone if you really want to be sure: OADS. Let the anvils ring!
-
Re:AK47?
-
John Hardin's Email Sanitizer
Like this one? http://www.impsec.org/email-tools/procmail-security.html
-
John Hardin's Sanitizer
The procmail based email sanitizer has been around since some time before the dinosaurs: http://www.impsec.org/email-tools/procmail-security.html It detects known and unknown viruses.
-
Re:The circle of life...
Here, use this: http://www.impsec.org/email-tools/procmail-security.html
-
Re:Uninstalling right now
There are policy based virus blockers that stop viruses without having to be updated all the time, but that kind of solution is not good for business: http://www.impsec.org/email-tools/procmail-security.html
-
Re:Repeat after me...
I know what you mean - signature based detection is always after the fact. However, it is possible to identify viruses using generic rules and a combination of these and signature detection creates a filter that is very strong and protects against known and future viruses. For example, see this: http://www.impsec.org/email-tools/procmail-security.html
-
E-Mail Security With Procmail
I'm using E-Mail Security With Procmail for just that: proactive detection (plus sanitation). It works quite well, especially considering its price and no need for frequent automatic updates (though they are available, sort of).
-
Re:frustrated with "anti"-virus on Windows
One tactic that I have used successfully for some time is to "sanitize"[0] potentially destructive attachments on incoming emails.
This means that .exe files get renamed to whatever.exe.bin and the content type gets changed to application/binary. This way a user has to really want to run that executable, and know how. I also have it dig into zip and tnef files and do the same there.
Now that I think of it, this is sort of a poor-man's executable bit. It doesn't actually prevent execution, it just adds another step (that isn't just an "are you sure?" dialog) to the process.
-Mark
[0] http://www.impsec.org/email-tools/procmail-security.html
-
Re:frustrated with "anti"-virus on Windows
I'm still getting MyDoom.o emails. It spread like wildfire inside the company I work at....
This is rhetorical and wishful: when are we going to get some anti-virus software that protects us before an outbreak?
(please don't say don't run Windows, it is realistic but not realistic today right here)
When you say, "don't run Windows", do you mean on the mail server? Off the top of my head, I know of this procmail tweak which can do wonders to stop new virus type threats when set up wisely. I've seen it put to good use at a few places that use Windows desktops. I would imagine that if one was a bit clever, there should be a similar solution on Windows servers also.
-
Re:protecting from viruses
Eliminating all ".zip" attachments, and also ".dll", ".exe", ".scr", ".pif", ".com", and ".bat" seems to do the trick.
If your local Powers That Be won't allow you to take this (IMHO sensible) precaution, you can still provide a measure of id10t-proofing by mangling the extensions of these attachments. For example, this procmail script will rename an attachment from PATCH.EXE to PATCH.DEFANGED-EXE, requiring the recipient to save the file (giving the anti-virus software a chance to check it) and rename it before executing it.
My policy (before I got laid off and ended up in a non-policy-setting job elsewhere) was to simply not deliver messages containing SCR/PIF/COM/BAT/DLL, on the grounds that these are never legitimate attachments. (For a while I delivered the message but stripped the file; after several months with no false positives, I just stopped delivering them altogether.) For EXE/DOC/ZIP attachments (which were occasionally legit) I'd mangle the filename.
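The two-tier attachment policy described in this post (never deliver SCR/PIF/COM/BAT/DLL, mangle EXE/DOC/ZIP to a DEFANGED- name) and the renaming-plus-content-type change with a look inside zip archives described in Mark's post above ("frustrated with "anti"-virus on Windows") can be implemented on top of Python's standard `email` library. The block below is an added example written for this page; it is not code from the Procmail Sanitizer or from either poster. The extension lists, the `X-Content-Security` header text and the sample messages are constructed for the example.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed policy lists (adjust to taste).
# Extensions that are never a legitimate attachment: the whole message is not delivered.
REJECT_EXTS = {"scr", "pif", "com", "bat", "dll"}
# Occasionally legitimate: deliver, but rename the file and neutralise its content type so
# the recipient has to save and rename it before anything can execute it.
MANGLE_EXTS = {"exe", "doc", "zip"}


def _ext(name):
    """Lower-cased final extension of a filename, or '' if there is none."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def classify_name(name):
    """'reject', 'mangle' or 'allow' for one filename under the policy above."""
    ext = _ext(name)
    if ext in REJECT_EXTS:
        return "reject"
    if ext in MANGLE_EXTS:
        return "mangle"
    return "allow"


def classify_zip(data):
    """Dig into a zip archive: the worst verdict of any member wins. A zip is itself on the
    mangle list, so even a clean archive is renamed rather than passed through untouched."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        return "mangle"  # unreadable archive: cannot vouch for it, but not provably hostile
    if any(classify_name(m) == "reject" for m in members):
        return "reject"
    return "mangle"


def mangle_part(part):
    """Rename PATCH.EXE to PATCH.DEFANGED-EXE, replace the declared Content-Type with
    application/octet-stream and record the original type in an X-Content-Security header."""
    name = part.get_filename()
    ext = _ext(name)
    defanged = f"{name[: -len(ext) - 1]}.DEFANGED-{ext.upper()}"
    original_type = part.get_content_type()
    payload = part.get_payload(decode=True)
    part.set_content(payload, maintype="application", subtype="octet-stream", filename=defanged)
    part["X-Content-Security"] = f"original Content-Type was {original_type}"


def sanitize_message(raw):
    """Apply the policy to a raw message. Returns (action, message, log) where action is
    'drop' or 'deliver' and log lists (filename, verdict) for every attachment seen."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    log = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # not an attachment
        if _ext(name) == "zip":
            verdict = classify_zip(part.get_payload(decode=True))
        else:
            verdict = classify_name(name)
        log.append((name, verdict))
        if verdict == "reject":
            return "drop", msg, log
        if verdict == "mangle":
            mangle_part(part)
    return "deliver", msg, log


# Helpers that build constructed sample messages for a stand-alone run.
def build_message(filename, data, maintype, subtype):
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def build_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "exe": build_message("PATCH.EXE", b"MZ\x90\x00", "application", "x-msdownload"),
        "scr": build_message("HUMOR.scr", b"MZ\x90\x00", "audio", "x-wav"),
        "zip": build_message("docs.zip", build_zip({"readme.txt": b"hi", "setup.bat": b"@echo off"}),
                             "application", "zip"),
    }
    for label, raw in samples.items():
        action, out, log = sanitize_message(raw)
        print(label, action, log)
```

Rejecting on any executable member inside a zip follows the poster's reasoning that the archive is only ever a wrapper; if your users legitimately exchange archives with scripts in them, move that case to the mangle path instead of dropping the message.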
-
Re:Time to update the antivirus model?
Try the Procmail Sanitizer. It works by redirecting suspicious-looking mail to a "quarantine" mailbox so the admin can scan over it and make sure nothing important was lost. It's fast (it manages a pretty heavy email load on a k6/300) and rarely makes mistakes.
I've been using it since about May 2002 and my users are barely even aware of the whole wave of email viruses. Better yet, there have only been IIRC two cases (in two years!) where attachments were incorrectly quarantined, due to legitimate use of MS word macros.
-
Re:Latest and greatest not for everyone
While the 2.2 kernel was pretty much a bust...
I beg to differ! I've been running a 2.2.x gateway computer for years now and it's done a heck of a job. ipmasqadm with portfw makes it a very flexible tool and there are even many other additions that allow for tunneling of some of the more tricky protocols.
There are plenty of reasons to run newer kernels, I would never discount any of the linux even series as a "bust". -
this is not rocket science
Check the relay domains in the message headers.
If they don't match the 'From:' domain, don't bother with the autoresponder.
That way a from of "foo@foo.com" and a relay header of "mailserver.bar.com" is pretty likely a spoofed address.
Caveat: I've not received the new variant of the SoBig virus yet, so I can't tell about the headers.
The procmail scanner / html sanitiser I have installed from impsec.org does this automatically (and weeds out a lot of that obnoxious html crap as well). -
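The relay-versus-From: check this post describes, as an added example written for this page (it is not the poster's code and not the impsec.org scanner). It examines only the topmost Received header, because that line was written by the receiving MX itself and is the only relay line the sender could not have forged; it also applies the standard RFC 3834 rule of never answering mail that is itself automatic. The regular expression, the `should_autorespond` name and both sample messages are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# A Received header normally begins "from <host> ..."; we only want the host token.
RECEIVED_FROM = re.compile(r"^from\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def domain_of(address):
    """Domain part of an address such as '"Foo" <foo@foo.com>', lower-cased ('' if none)."""
    _, addr = parseaddr(str(address))
    return addr.rpartition("@")[2].lower()


def host_in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def relay_host(msg):
    """Host named in the topmost Received header, i.e. the relay that handed the message to
    our own MX. Headers below it were supplied by the sending side and may be forged."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    m = RECEIVED_FROM.match(str(received[0]).strip())
    return m.group(1).lower() if m else None


def should_autorespond(raw):
    """Return (decision, reason) for a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    # Autoresponder hygiene (RFC 3834): never answer mail that is itself automatic.
    auto = str(msg.get("Auto-Submitted", "no")).strip().lower()
    if auto != "no" or str(msg.get("Return-Path", "")).strip() == "<>":
        return False, "message is itself automatic"
    sender = domain_of(msg.get("From", ""))
    if not sender:
        return False, "no usable From: domain"
    relay = relay_host(msg)
    if relay is None:
        return False, "no Received header to check"
    if host_in_domain(relay, sender):
        return True, f"relay {relay} is in the From: domain {sender}"
    return False, f"relay {relay} is not in the From: domain {sender}; address is probably forged"


# Constructed samples: in the first, the relay does not belong to the From: domain.
SPOOFED = b"""Received: from mailserver.bar.com (mailserver.bar.com [192.0.2.10])
\tby mx.example.net with ESMTP id k7PA0001
\tfor <user@example.net>; Mon, 25 Aug 2003 10:00:00 +0000
From: "Foo" <foo@foo.com>
To: user@example.net
Subject: Re: Thank you!

Please see the attached file.
"""

LEGIT = b"""Received: from mail.foo.com (mail.foo.com [192.0.2.20])
\tby mx.example.net with ESMTP id k7PA0002
\tfor <user@example.net>; Mon, 25 Aug 2003 10:05:00 +0000
From: "Foo" <foo@foo.com>
To: user@example.net
Subject: meeting

See you at ten.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, should_autorespond(raw))
```

The check is a heuristic, as the post itself says: mail legitimately sent through a provider's outbound relay fails it too, so the safe outcome of a mismatch is simply silence, never a bounce or a warning to the claimed sender.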
Re:Guess what it is here already.
I'm assuming that is 3 to 4 hundred? I have set up a Procmail filter called 'Sanitizer' which is currently catching about 100/hr. It's easy to set up on a sendmail system (even at 1am). Thanks John Hardin. Perhaps my users will be a little more clueless next time.
-
Re:Where are the open source virus scanners?
What I keep wondering is how come there are no open source virus scanners?
How about this? -
Re:Replacing RAV for QMail on Linux?
Our solution is Postfix (or your favorite MTA here) + Procmail using the Procmail Sanitizer
along with Spamassassin and Trend Micro's Officescan Corporate Edition as backup virus scanning on the desktop.
So far over a 3 year period the procmail setup has caught 100% of incoming viruses and trojans without delivering them to the recipient. Trend catches anything not coming through the mail server.
-
Re:maybe I'm just a half-full kinda guy...
-
Re:Attachments
Why is this modded as a troll? It's the truth.
I've been running a filter on email for about 5 years. Not ONCE has any of the email transmitted viruses / worms made it through, even to unpatched outlook and OE users.
See John Hardin's procmail filter for a Very good example of how to do this.
If you are running a corporate mail server and are not filtering for known executable extensions, you are a fucking idiot. Period. There is just no excuse to EVER allow unfiltered mail through. Would you put your corporate LAN on the internet with no firewall at all? Of course not, but by not filtering email, you have a hole the size of Yankee Stadium in your protection. It's like wearing a condom with the end cut off.
The problem with anti-virus software is that it relies on the vendor to create and distribute filter definitions. It can take DAYS or WEEKS for vendors to identify a new virus, and create a definition, and for people to download the new rule set. This lag time is deadly. Antivirus software is a LAYER of security on email, but to rely on it alone is not enough.
Security is a process, and a mindset. Everyone who knows anything at all about software knows that every program has bugs. All you can do is minimize exposure, and you do that with many layers of security. These layers don't have to be intrusive, but you need them to reduce your vulnerabilities.
Hey, if you want to bury your head in the sand and refuse to participate in security, that's fine with me. I charge by the hour. -
Re:and that will work how?
Ever tried this? Does exactly that. It could help reduce the amount of viruses received better than any expensive anti virus software.
Hm, if it weren't for Microsoft, McAfee and other anti virus software makers would go out of business. Viruses and insecure OSes keep them in business, the economy goes well and everybody's happy.
-
Re:Procmail rule to catch Klez
Try This Procmail Script. It's pretty handy, fixes those auto-execute MIME problems, renames files so that you have to save them before opening them, and cleans up any active html/scripting. It can be set up to email back people who have sent suspicious stuff, will filter on filename if you want - it's quite comprehensive.
-
Re:I surrender!
I hadn't heard of that program before. Based on what I read on their web page, it looks like it focuses on email attachments. It also looks like it handles the attachments very well and is able to discriminate in some cases between legitimate attachments and messy ones.
The Spam Tamer Proxy renames attachments based only on their file extensions. (It uses a user-configurable list.) It also can clean up HTML in email to block other potential problems. It is much easier to configure, but it still does require a little bit of basic computer skills.
Anyone who is interested should try both of them and see which one they like more.
-
Very good free solution
I've been running E-mail Sanitizer for a few months. It has worked very well. It only tracks the attachment types instead of actually trying to identify viruses. Therefore it even finds most future Outlook viruses.
-
Re:procmailrc hints?
I've been using The E-mail Sanitizer which is a procmail tool for catching these things. I've found it to be incredibly effective and so much easier than writing a procmailrc entry every time a new worm shows up. Since I put it on my system, not a single worm has made it to my desktop!
-
Re:f-prot and perl solved my problems
I tried this solution for a while too, but finally gave up on trusting the anti-virus vendors. After I got burned a few times by Norton coming out with an upgrade 2 hours AFTER I got infected, I stopped relying on it. I'm currently using the Email Sanitizer on my mail gateway. Instead of looking for virii (which will always be a try-to-stay-one-step-ahead-of-the-bad-guys type setup) I just have a list of attachments I don't allow. These happen to include all of the attachments that windows will execute on a double-click. I've gotten probably 400 klez for my domains over the last few weeks, and every one of them has been blocked. Since 99% of the virii that come into my network come through email, this has all but eliminated our problems.
-
$30,000 for e-mail filtering software?
From the article:
The biggest developments are around email prevention, experts say. Elaborate content filtering software, which can run upwards of $30,000 to install, can block all but the tamest incoming emails, and most attachments, said Trend Micro's Genes.
...
But instituting these new security measures can be a costly and labor-intensive investment, experts say, likely discouraging firms with meager IT budgets from upgrading beyond the status quo. "It's a question of resources," said a spokeswoman at UK-based Sophos Anti-Virus. "If you have one or two guys implementing IT at your organization, it's not going to make much sense."
What a crock... I am a network administrator (and basically the ONLY IT employee) for a small company of about 50 people and using some procmail scripts on our FreeBSD mail server, have been able to accomplish this with probably about 3 hours total of set up time. For those interested, here's a URL to a FREE solution to blocking e-mail attachments based on extensions, filenames, and even content (it can scan for Office document macros). Procmail Security
Since I've been there, we've had absolutely ZERO e-mail based viruses/worms that penetrated the desktop through our mail server (One did get through but that was through an executive's AOL account...)
So far, most employees have been very cooperative towards the policy and are grateful that they don't have to be so worried when they read about e-mail viruses going around because the server automatically mangles or quarantines viruses that match the ruleset we implemented. -
Try html tags??
http://www.impsec.org/~jhardin/
Should have been written as
<A HREF="http://www.impsec.org/~jhardin/">http://www.impsec.org/~jhardin/</A>
http://www.impsec.org/~jhardin/ -
Re:Weave's guide to spending Ed Tech monies
In regards to ac's comment on Pipeline...
Does not play well with Mozilla
Annoying, huh? The rev we have browser sniffs and denies mozilla. But if you use IE and then bookmark the logon page, then use THAT in mozilla, it works just fine...
The other annoying thing, from a tech standpoint, is that my department used to run the mail servers and used procmail scripts to filter out all the bad and dangerous "active" mail content. Pipeline's backend mail server can't use procmail so we're now having problems with users and stupid dangerous attachments. Also, no spam filtering, etc, etc...
-
the E-mail Sanitizer may help
From what I saw at Symantec's page the E-mail sanitizer made by John D. Hardin may help you to deal with this worm. Sanitizer can be found at here and is designed for usage on mail servers with perl and either sendmail or qmail installed.
I'm using this sanitizer for about a year and I'm very content - it saved me a lot of headaches. -
Re:Let's see..
It's part of a fairly extensive email security package.
-
Procmail Scanner
I have to plug something here.
Check out the procmail-based scanner at impsec.org
If you can set it up, do so - it's saved my ass quite a few times, by mangling active html content and renaming file extensions etc. It can also scan M$ docs for sus looking macros.
The following is something I received today that would slip through otherwise (notice the original content-type)
> SECURITY WARNING!
>
> The mail system has detected that the following
> attachment may contain hazardous program code, is
> a suspicious file type, or has a suspicious file name.
> Do not trust it. Contact your system administrator immediately.
>
> X-Content-Security: [www.ccimackay.com] original Content-Type was audio/x-wav;
> Content-Type: application/octet-stream; name="HUMOR.MP3.27525DEFANGED-scr"
> Content-Transfer-Encoding: base64
> Content-ID:
>
End of blatant plug :-) -
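The warning quoted in this post shows the two tricks the sanitizer caught: a screensaver executable declared as `audio/x-wav`, with a double extension (`HUMOR.MP3.scr`) chosen so that a client hiding known extensions shows only "HUMOR.MP3". The detection logic below is an added example written for this page, not the sanitizer's own code: it flags an executable extension, a double extension that disguises it, and a declared Content-Type that contradicts it, and runs over a constructed message modelled on the quoted one. The extension list, the `HARMLESS_FAMILIES` set and the sample message are assumptions made for the example.

```python
import email
from email import policy

# Extensions Windows will execute on a double-click (constructed list, extend as needed).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "dll"}
# A declared type in one of these families should never arrive with an executable extension.
HARMLESS_FAMILIES = {"audio", "image", "video", "text"}


def inspect_attachment(filename, content_type):
    """Return the list of reasons an attachment looks deceptive (empty list = nothing found)."""
    reasons = []
    exts = filename.lower().split(".")[1:]
    if not exts:
        return reasons
    outer = exts[-1]
    if outer in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{outer}")
        # HUMOR.MP3.scr: the inner extension is the one a user is meant to notice.
        if len(exts) > 1 and exts[-2] not in EXECUTABLE_EXTS:
            reasons.append(f"double extension .{exts[-2]}.{outer} disguises the real type")
        family = content_type.split("/", 1)[0].lower()
        if family in HARMLESS_FAMILIES:
            reasons.append(f"declared Content-Type {content_type} contradicts .{outer}")
    return reasons


def scan_message(raw):
    """Walk a raw message and report every attachment with findings as
    [(filename, content_type, reasons), ...]; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        ctype = part.get_content_type()
        reasons = inspect_attachment(name, ctype)
        if reasons:
            findings.append((name, ctype, reasons))
    return findings


# Constructed sample modelled on the quoted warning: an executable declared as a WAV file
# and named to look like an MP3. The base64 body is a few harmless placeholder bytes.
SAMPLE = b"""From: someone@example.org
To: user@example.net
Subject: funny
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

check this out
--b1
Content-Type: audio/x-wav; name="HUMOR.MP3.scr"
Content-Disposition: attachment; filename="HUMOR.MP3.scr"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

if __name__ == "__main__":
    for name, ctype, reasons in scan_message(SAMPLE):
        print(f"{name} ({ctype}):")
        for reason in reasons:
            print("  -", reason)
```

A non-empty result is the point at which a gateway would quarantine or defang the part; the declared Content-Type is never trusted on its own, since, as the quoted header shows, it is chosen by the sender.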
Re:stripping *.scr attachments with Sendmail
Better yet, run a procmail sanitizer and zap all executables before moron users can get to them:
http://www.impsec.org/email-tools/procmail-security.html
As I support someone intelligent users, we allow the files through, but modify the extension to add DEFANGED-, so that they can scan and rename them if they like.
It's nice for blocking HTML with embedded IMG links to porn, etc., as well. -
Re:In defense of Microsoft......
In outlook xp, you have to edit the registry if you want to be able to open
That'd be great except that not everyone can afford Office XP.
We're stuck with office 97 because to upgrade to Office(n+1) is equivalent to a *whole years wages* for one of our employees.
I'd prefer to keep that employee, as they are the ones making the money :-)
It's a non-issue if you can install an upstream filter to weed out all the executable attachments.
I like this procmail scanner myself -
Re:Killing small ISPs
Code Red, Sircam... they are just the tip of the iceberg. Can you imagine what would happen if a virus similar to Code Red were infecting Windows 95/98/Me boxes instead of those running NT/2000 with IIS. ISPs and other corporations need to seriously look at installing filters such as the procmail sanitizer. I have installed this on several systems and it catches over 150 viruses a day, and notifies those infected on how to remove the virus from their system. It's only a matter of time until the next Code Red hits... one that isn't so easily tracked and acts with a lot more malice (i.e. random smurfing/flooding, reg eating, changing numbers in Excel docs, reformatting outgoing e-mail, posting personal information to usenet, etc.)
-
Linux as an antivirus tool.
It's been said by many many times: Linux makes an excellent antivirus tool. Why? Well, because...it's Linux. But really, because of its immunity to viruses in the first place. (Let's ignore the spread of things like ramen as they work differently than Outlook Transmitted Diseases (OTDs))
Linux as your mail server? Check out Enhancing E-Mail Security With Procmail to send this nasty crap to /dev/null automatically. If the user can't run it in the first place...
How about taking it a step further and having your Linux box scan all incoming e-mail for viruses? See Amavis and others
If you're using Linux as your file server, invest in some Linux-based antivirus software. Let Linux scan away at your users' Windows files and keep them virus free using an OS they can't infect in the first place.
If you're a network admin, and you don't take countermeasures to prevent your users from infecting themselves and others, you're as much a part of the problem as the virus writer. Educate your users, use countermeasures that prevent your users from getting the virus in the first place, etc. etc. etc. -
E-mail viruses
You really really need to look into a good email-based virus scanner. Honestly that's where 95% of the threat can be stopped. When was the last time you received an infected CD or floppy? Ok, now when was the last time you received a variant of Hybris via email? You should look into John Hardin's E-mail Sanitizer. The information there about threats is an excellent read. The next step is stopping mail clients (or configurations) that allow ease of spreading. People may like the way Outlook works but in all honesty it has been the best thing for viri since the invention of Windows. It can be secured but someone has to actually do that. Promoting Webmail can be an alternative. Make it incredibly user friendly and feature rich and the average user will choose it over something that they can only use from home. Hopefully this will help you.
--
-
Procmail security
I just installed this and it rocks: html-trap.procmail I haven't found any complaint with it yet.
Boss of nothin. Big deal.
Son, go get daddy's hard plastic eyes. -
there is a way to stop this..
Or at the very least a way to ensure mail you send or receive doesn't have Javascript. Use procmail to "DEFANG" the dangerous content of the email. This is a very good way of sanitizing email.
-
Re:A Question -- Can it allow Win2k VPN?
I believe the patches at the Linux VPN Masq page are supposed to work with PPTP, I know I've used it to establish an IPSec VPN with the client behind a NAT box.
Don't know if it works with iptables or not.
-- -
qmail, qmail, qmail...
I've set up at least a dozen qmail servers: small ones, big ones, red ones, blue ones...
Sendmail's a whore, and that's really the only other Linux MTA I've used. I've heard good things about Postfix but seriously I haven't found a single thing wrong with qmail:
- It's small and fast
- infinitely configurable
- handles aliases and virtual domains easily
- antispam features
- RBL and ORBS patches
- tarpitting patches
- Works with AOL DNS hacks
- bigserver patches
- simple to add "defang" and virus scans
- POP3 and IMAP capable
- With optional APOP and selective relaying
- Maildir mailbox format better than anything else
- web-adminnable
- Plugin for mailing lists
- automatic archiving and web indexing
- Third party support available
Jesus, I have a lot more respect for the link-crazy posts out there.
:-)
At any rate -- I've run it for years now and never had a problem. The servers just work. We've used an alias system and serialmail to allow branch offices to pick up mail for their local users without requiring a permanent net connection. The ability to run any program on receipt of a message or delivery to a specific address is very handy, as is the ability for individual users to tailor their own mail deliveries and create their own mailing lists and aliases. Very powerful and very cool.
And, despite what some others have said about the brain damage involved in adding features to the source code: it's not that bad. I do wish, however, that there were at least some comments... The total lack of comments and useful variable names are a hindrance.
Go get it. Install it. Love it.
-
Procmail trap
I really don't know what the filter's name is but I do know that it stops known files, mangles attachment extensions, mangles IMG tags and a whole other truck load of stuff, best of all it doesn't interfere with anything but depends on procmail of course.
Here's a link to the homepage.
It is score based, runs really fast, sanitizes headers, HTML and MIME attachments - since it's based on the procmail ruleset, it can easily be adapted to your needs. It features external "poisoned" files (and extensions) that you can block off.
I've been using it since 1.088 (I think) and I've had no bad things to say about it!