Slashdot Mirror
Defending Your Mail Server?
soren42 asks: "I've been a casualty of war in the latest round of SoBig battles. Apparently, some of my user's e-mail addresses were in the address books of infected Outlook clients, and spam is now being circulated appearing to come from my domain. I'm getting almost 50 'Message Undeliverable' errors per hour, and I think I've been blacklisted from AOL and Earthlink. I know there are plenty of you are having this problem - how are you dealing with it?" Email viruses, once urban legends, have now become a real threat to certain people. What active measures can users (both vulnerable and non-vulnerable to such things) take to lower the propagation rate of such viruses across the internet?
I think I've been blacklisted from AOL and Earthlink.
You're complaining about this?
In all seriousness, if you're getting blacklisted because of Sobig mails, then you're really better off without dealing with those people.
If tits were wings it'd be flying around.
The real solution to this problem is built-in virus filtering (with hourly updates). Every pieve of mail going through our server is spam and virus checked. The result? about 50000 blocked virus-emails since August 16th this year, and not a single problem with our users. And the cost is only a few hundred bucks per year.
Reinard
But I'm not sure about blacklisting -- perhaps we have been blacklisted by Yahoo come to think of it. I work for a television station and a lot of our on-air talent get 50+ a day.
YES, there is a McDonald's in Hanoi Square.
My friend was complaining about getting spam and viruses yesterday, so I told him where to get Thunderbird. He wasn't very tech-savvy, but with a few words of help from me he was up and running in a matter of minutes.
Seriously. Pushing non Microsoft email clients on your users (politely, anyways) is the way to go.
no thanks
We're a small (100 person) company that averages about 4,000 internet emails a week (excluding spam, which adds another 1,500 - 2,500 / wk). Since SoBig we've seen our traffic levels increase 50%. I've had 5,700 + SoBig mails since the start of the outbreak.
This isn't a problem for us (aside from annoying antivirus messages) as our bandwidth and mailservers can easily handle it, but I know some big companies had to shut down their internet-facing mail gateways due to the increase in volume. I suspect the more well-known your domain is, the worse it is.
However, for AOL and Earthlink to blacklist you based on false 'From:' entries is just stupid. Are you sure they've blacklisted you?
First of all, use software that is more secure that microsoft's.
Secondly, and more seriously, email providers should have virus scanning on their servers, so even if someone out there is infected, their virus messages are cleaned before the users see it, which will help keep the infection from spreading.
Finally, all end users should be following safe computing practices. This includes making sure that you have up to date virus protection as well as being smart about your email, such as not opening mysterious messages/attachments.
The best fix I have found so far is to analyze all those "fake" messages, appearing to come from you to other people, and even the messages flooding into some of your user's inboxes. I found that that I was getting about 200+ messages an hour, to several mailboxes. The good thing I discovered about these is that they call came from the same cable modem-based ip address. So, the easy and obvious solution - add the ip to /etc/hosts.deny. Also, add the ip to your firewall to get denied, and to /etc/mail/access. Even if you don't use Linux (sendmail more specifically) for your mail server, you can also block incoming traffic in Exchange 2K. We did that as well. Soon after I did that, the generic bounce back messages stopped, and all was well again.
The usefulness of E-Mail is slowly being destroyed by Spammers. There has been a few times now that I couldn't either send or receive an e-mail because of blackholes and I get more spam everyday. Is there anything new on the horizon to prevent spam? Laws, Filters, Blackholes, and Whitelists seem unable to do anything about this problem.
Maybe we should just start suing the companies that use Spammers. (Some will deny knowledge of any spamming but ignorance of who is doing your advertising is no excuse IMO.)
One of our users here had his email address in the documentation of a wildly distributed utility - ghostscript. Personaly, he was getting more then 10,000 messages per day.
In Democratic America, Outlook uses YOU!
SCO (noun.)- A Slimy Corporate Ogre. Often seeks free money.
RFC2821 requires the HELO/EHLO to be fully qualified. Most (all??) sobig EHLO with the Windows netbios name.
Sure, the next virus might be more RFC compliant but it stops this one. We already require FQDN EHLO to reduce spam so sobig didn't make it past our mail server.
As a bonus, sobig seems to connect directly to the recepients MX so simply rejecting the message (as opposed to accepting a message and generating a bounce) reduces the overall impact on the network.
If you don't HELO with a FQDN then you aren't "speaking" SMTP so don't expect my SMTP server to communicate with you.
If you are running a corporate network where users shouldn't be making direct SMTP connections, filter outbound port 25 and use an IDS/log checking to see if someone inside has gotten infected.
~~~~~~~
"You are not remembered for doing what is expected of you." - Atul Chitnis
AOL blocks e-mail from servers that come from the mail servers of customers that use comcast, AT&T BroadBand, RoadRunner, and other broadband companies. I guess spammers were just setting up broadband accounts and spamming from them. Which is probably better than just exploiting insecure mail servers of unsuspecting victoms. But never the less, it has nothing to do with any sort of "email attack" or the like.
http://www.archive.org/details/ThePowerOfNightmares
nobody in my network (me and my wife) use outlook, and we're tucked safely behind a firewall. I've added about 10 DSL ips to my blacklist, but there is nothing I can do to prevent the spoofed outgoing messages from some other network. I'm still getting bounced email 'returned' to me that I never sent.
Can't sendmail be set up to check the Message-ID and make sure that it is an ID which was actually sent? Alternatively, just block "Message Undeliverable" messages.
Just set up filters based on the sobig subjects to delete them. No more messages.
I really don't think the problem will ever go away until SMTP is replaced with something that requires validation, etc. The problem is that SMTP (and many other standard protocols that have been around for many years) were pretty much designed with the assumption that all users would "play nice". Remember NNTP (news) "Netiquette" that said to put your email in each post you make? Who does that anymore?
assert(birth_date<time-86400)
Just so. Now what about all of the people who think they got junk spam from me?
I've been getting the messages myself, and not once has anyone written me about it thinking I really sent it. I'd imagine most people are getting these emails from a variety of fake addresses and have figured it out by now.
"how are you dealing with it?"
Microsoft free since February, 1997.
Everything in the Universe sucks: It's the law!
- The bounce back messages will always contain an SMTP status code like 5.1.1 (for user unknown).
- If the message that caused the bounce back really originated from the user, then the bounce back message will contain the user's Display Name as set in his or her email program (often Outlook Express). The display name can also be found in the "From" line next to the real email address, if you only have a legit message from the user and don't have access to information from his or her settings.
- If the message that caused the bounceback did not originate from the user, then that Display Name will not be present in the bounce back message.
Therefore, if a user's Display Name is "Foo Bar", and their email address is not the same as the Display Name (for example farboo@some.place), the following procmail script will stop most bounce back messages triggered by messages that did not originate from the user's computer, and should allow those that did:
* ^FROM_MAILER
* Status: 5.1.1
* ! Foo Bar
This would be placed in a .procmailrc file in the user's home directory and would only work if your mail server uses procmail for delivery. Also, I must mention that no content based filtering (such as this) can be 100% accurate.
Am I good? Am I good? I'm good. (Does a little dance).
- J. B.
This virus is a MS Outlook virus, not an email virus. If you made your users use an actually secure email program, you wouldn't have these problems. Something like Novell Groupwise or Lotus Domino would work.
Actually, it's an email virus, not an Outlook virus.
It uses a efficent multi-threaded internal mail engine that uses any available mail addresses it can find on your system (browser cache, address book -- which Domino will register itself as too, etc).
It spreads because people are generally stupid and will open up attachments.
Outlook is not needed. It can even spread if you are using webmail.
Gentoo Sucks
I would imagine (well, hope) that ComCast and AOL are filtering by IP Address rather than by domain from. (Either the From: header or the SMTP sender.) I'm hope the mail admins there know full well that from addresses in email are trivially faked. (And usually are in the case of spam and today's mass-mailing viruses.)
If they're filtering you, double check you're not infected with it perhaps? (And you're not an open relay and all those other normal things.) (You do virus scan incoming and outgoing email, right? You should. Scanning outgoing alerts you to any infections you have. And scanning incoming goes without saying.)
I know I've had to place a few IP based blocks on to reduce the incoming flood of Sobig. (100% of which was being delt to by (or at least defanged by) McAfee Webshield, but the notifications were getting annoying.)
And Sobig gets addresses from many many many places - not just Outlook lists.
Of course, there's no reason to think these undeliverable messages are actually in reply to your outgoing mail. In all probability, they're from various third parties infected and sending out apparently from your address and dumbass virus scanners send a "you've got a virus" message to the apparent from address.
Hint for mail admins running virus scanners: Do not notifiy the sender on reciept of a virus. You're sending it to the wrong person and only making things worse. Check the IP of the computer that sent it instead, and contact that administrator.
I run the three systems above (they all interact) on my server, and just on my personal account I've been filtering out 150 spam messages a day. Hundreds of viruses are being wiped on a daily basis.
:-)
Price? Zero. Zip. Nada. Clam Antivirus is free, as are the other two programs. Can't beat it. I can't understand why people spend hundreds of dollars on spam and virus programs when this is so effective. Spread the word
I work for a medium sized Engineering & Telecommunications firm (>500 employees all over the east coast). I have a mail filter set up on an intermediate MTA to catch all executable files. This includes .PIF, .BAT, .SCR, .EXE, .COM, etc. When a file of this type comes in, it is parked in a holding folder for 7 days. A notification message is sent to the recipient and back to the sender (I, know this sucks, but bear with me a second) with instructions on how to send another email back with a release code in the subject. When the message with the release code is received by the MTA, it continues delivering the original email to our actual mail server. If no message is received in 7 days, the original mail is deleted.
Now, once the SoBig hit, I made a seperate rule to catch just those files. No notifications were sent. It parked them for 4 days then deleted them. In that time, I've written a small script** that parses the header of all parked files every morning at 7:45am. It grabs the IP# of the originating computer and tosses it into a spreadsheet. Once it has done all parked messages, it tally's them up and sorts them by the most common appearing numbers. Then, when I get in at 8am, I do a WhoIs lookup on the IP as well as an nslookup. I try and contact the owner of the netblock and notify them that they have a computer infected with SoBig on their network and it is attacking us. I have yet to have anyone that hasn't co-operated fully (though, Comcast took a bit of prodding). My worst case was a 3 day period where a single cable modem user in Philadelphia on Comcast.net sent us ~13,000 Sobigs a day. Just this morning I had to contact an ISP/Network Security company in NYC to have a machine there cleaned.
I know it's not my responsibility to see that other people clean their machines, but it is affecting our productivity at work. At the height of the infestation, we were receiving over 28,000 SoBig viruses a day. At ~100Kb each, it was causing massive delays in the mail queue. Keep in mind that most people don't even realize they are infected with it, so they need to be notified so that they can clean it.
-Ab
ps. The script is fairly simple because the built in mail transfer agent in the SoBig is basic (Though I was impressed at the spoofed header-field, X-MailScanner: Found to be clean, that says it's been checked by SpamAssasin(?) and is not Spam. If anyone is interested in the script (it is a VB executable, but I can send the source code or psuedo-code so it can be recreated in perl/python) let me know.
Nothing fails quite like prayer.
Clam is also not the most resource efficient or scalable AV solution, which when you're running a half million messages a day to almost a hundred thousand users starts to matter.
I installed MailScanner with f-prot.. Now, I enjoy the silence.
I like Postfix and SpamAssassin: http://cs.stadia.fi/~pkoistin/setting_up_spamassas sin_with_postfix.shtml
Sobig exploits the known location of the Outlook address book, and uses that as a source of addresses for both target and false-source.
I am in fact immune to sobig, because I don't run Outlook, and therefore have no Outlook address book.
So, you are fundamentally incorrect and should not be modded INSIGHTFUL. Moderators take note.
Your link makes the same mistake. It doesn't call people bigots, though.
Do the experiment for real next time instead of constructing a faulty simulation.
The *BSD firewall package Pf allows for passive OS-detection. You could use this to block incoming and outgoing mail traffic from Windows machines on your network.
I've tried contacting the offending ISP's that are forwarding their user's W32.Sobig spew.
Both Bellsouth and Adelphia have been useless. Forward all the emails to our "abuse" address. The worm is supposedly deactivating its SMTP engine as of the 10th, so nobody is too concerned anyhow.
Meanwhile, because I don't serve my own email, and my host doesn't have (or allow) me rules-based filtering, I get stuck processing hundreds of worm emails from two big end-user offender morons.
Yeah team.
I blame the mass-ISPs as much as the idiot end-users. Sure, it takes somebody to open the attachment (but let's not forget M$Blaster...) but the days and days of aftermath are from the larger ISPs that won't take care of their own offenders.
Bad netiquette, bad net behavior, and a don'tgivearatsass attitude. Curse them.
-steve
Many of these viruses rely on the ability to act as a SMTP server on each infected machine, effectively bypassing any AV checks done on their users' MTA. To combat this I personally recommend redirecting tcp/25 (smtp and esmtp) and tcp/587 (mail submission) ports from you users/customer subnets at your border router to your MTA. That way you can force all SMTP traffic to be AV checked. Now this does prevent your users/customers from using an outside MTA. Most properly configured MTAs will reject these relay attempts anyways, unless of course the admin has configured SMTP-TLS or some other sort of SMTP authentication system. You must judge for yourself if you can redirect these ports. If your users are basic dialin customers then you can probably do it without any complaints. If you do this to DSL or cable customers then you may very well have some negative user feedback. Decide for yourself if this is something you can do. Nevertheless it is very effective at preventing these viruses from escaping your network. I also HIGHLY recommend redirecting all inbound SMTP traffic entering your network to your MTA. This prevents trojan SMTP relays on customer machines from relaying spam or viruses. Of course you must do this carefully and decide which subnets you can do this to. Give it a try if you think you can implement this without negative side effects.
Hi -
How about a pointer to the filtering/spam blocking service you have in place. I would like to get this for my server.
Yours,
Jordan
AOL is a complete bitch when it comes to blacklisting servers without cause.
For some fun, and hours of free muzac, call and try to walk them through whitelisting a server that's in a blacklisted ip block. Be sure to use "big words" like "SMTP" and "whitelist." (Preparing a TCP/IP firewall example that involves cartoon characters might help you get results sooner.)
You can't judge a book by the way it wears its hair.
But you are right, I was rude, because I felt the FUD factor of the original post warranted it.
And incidentally, you should specify which sobig you are talking about. The next one's due out rather soon, and we don't know what it will do yet.
Perhaps it will even infect smug rude people!
I am a bit late on this since Sobig stopped replicating on Sept. 10th. However, if you are looking into a spam control product as others have suggested, I hightly recommend Norman Spam Control. http://www.norman.com/products_nsc_features.shtml This product examines the headers and can determine whether the mail was mass mailed or generated by a virus. It has many nice features including scanning incoming your email for viruses with the company's av scanner, which is also second to none as they lead the AV industry in virus bulletin 100% awards (www.virusbtn.com) This product has worked flawlessly for my company.