Slashdot Mirror
Defending Your Mail Server?
soren42 asks: "I've been a casualty of war in the latest round of SoBig battles. Apparently, some of my user's e-mail addresses were in the address books of infected Outlook clients, and spam is now being circulated appearing to come from my domain. I'm getting almost 50 'Message Undeliverable' errors per hour, and I think I've been blacklisted from AOL and Earthlink. I know there are plenty of you are having this problem - how are you dealing with it?" Email viruses, once urban legends, have now become a real threat to certain people. What active measures can users (both vulnerable and non-vulnerable to such things) take to lower the propagation rate of such viruses across the internet?
My friend was complaining about getting spam and viruses yesterday, so I told him where to get Thunderbird. He wasn't very tech-savvy, but with a few words of help from me he was up and running in a matter of minutes.
Seriously. Pushing non Microsoft email clients on your users (politely, anyways) is the way to go.
no thanks
We're a small (100 person) company that averages about 4,000 internet emails a week (excluding spam, which adds another 1,500 - 2,500 / wk). Since SoBig we've seen our traffic levels increase 50%. I've had 5,700 + SoBig mails since the start of the outbreak.
This isn't a problem for us (aside from annoying antivirus messages) as our bandwidth and mailservers can easily handle it, but I know some big companies had to shut down their internet-facing mail gateways due to the increase in volume. I suspect the more well-known your domain is, the worse it is.
However, for AOL and Earthlink to blacklist you based on false 'From:' entries is just stupid. Are you sure they've blacklisted you?
Can't sendmail be set up to check the Message-ID and make sure that it is an ID which was actually sent? Alternatively, just block "Message Undeliverable" messages.
According to Symantec, SoBig uses its own SMTP engine to propagate. And according to my analyses of the headers, it appears that it attempts direct-to-MX sending.
This gives you two advantages.
First off, it means that the first Received: header in the mail will contain the IP address of the infected machine. This will give you enough information to inform the ISP (who can then inform his customer) if you're so inclined. Or at minimum, you have an address you can temporarily block until the storm dies down.
The second advantage is that you can keep it from spreading beyond your own network if you block your customers from port 25 (and force them to send all mail through your mail server.) While this may annoy a few customers, most probably won't even notice, and it will keep any infected customers from spreading the virus to the rest of the world.
Unfortunately, there's nothing you can do about all the bounces caused by other people that are spewing the virus with forged headers. I found that (for myself, anyway), the easiest way is to mark the bounces as spam with Mozilla, and let the Baysian filtering move them out of my way. But this doesn't do much good if you're looking to protect a mail server.
I work for a medium sized Engineering & Telecommunications firm (>500 employees all over the east coast). I have a mail filter set up on an intermediate MTA to catch all executable files. This includes .PIF, .BAT, .SCR, .EXE, .COM, etc. When a file of this type comes in, it is parked in a holding folder for 7 days. A notification message is sent to the recipient and back to the sender (I, know this sucks, but bear with me a second) with instructions on how to send another email back with a release code in the subject. When the message with the release code is received by the MTA, it continues delivering the original email to our actual mail server. If no message is received in 7 days, the original mail is deleted.
Now, once the SoBig hit, I made a seperate rule to catch just those files. No notifications were sent. It parked them for 4 days then deleted them. In that time, I've written a small script** that parses the header of all parked files every morning at 7:45am. It grabs the IP# of the originating computer and tosses it into a spreadsheet. Once it has done all parked messages, it tally's them up and sorts them by the most common appearing numbers. Then, when I get in at 8am, I do a WhoIs lookup on the IP as well as an nslookup. I try and contact the owner of the netblock and notify them that they have a computer infected with SoBig on their network and it is attacking us. I have yet to have anyone that hasn't co-operated fully (though, Comcast took a bit of prodding). My worst case was a 3 day period where a single cable modem user in Philadelphia on Comcast.net sent us ~13,000 Sobigs a day. Just this morning I had to contact an ISP/Network Security company in NYC to have a machine there cleaned.
I know it's not my responsibility to see that other people clean their machines, but it is affecting our productivity at work. At the height of the infestation, we were receiving over 28,000 SoBig viruses a day. At ~100Kb each, it was causing massive delays in the mail queue. Keep in mind that most people don't even realize they are infected with it, so they need to be notified so that they can clean it.
-Ab
ps. The script is fairly simple because the built in mail transfer agent in the SoBig is basic (Though I was impressed at the spoofed header-field, X-MailScanner: Found to be clean, that says it's been checked by SpamAssasin(?) and is not Spam. If anyone is interested in the script (it is a VB executable, but I can send the source code or psuedo-code so it can be recreated in perl/python) let me know.
Nothing fails quite like prayer.
I like Postfix and SpamAssassin: http://cs.stadia.fi/~pkoistin/setting_up_spamassas sin_with_postfix.shtml