Slashdot Mirror


Defending Your Mail Server?

soren42 asks: "I've been a casualty of war in the latest round of SoBig battles. Apparently, some of my users' e-mail addresses were in the address books of infected Outlook clients, and spam is now being circulated appearing to come from my domain. I'm getting almost 50 'Message Undeliverable' errors per hour, and I think I've been blacklisted from AOL and Earthlink. I know plenty of you are having this problem - how are you dealing with it?" Email viruses, once urban legends, have now become a real threat to certain people. What active measures can users (both vulnerable and non-vulnerable to such things) take to lower the propagation rate of such viruses across the internet?

6 of 72 comments

  1. Best fix so far.... by hawkbug · Score: 4, Informative

    The best fix I have found so far is to analyze all those "fake" messages, appearing to come from you to other people, and even the messages flooding into some of your users' inboxes. I found that I was getting about 200+ messages an hour, to several mailboxes. The good thing I discovered about these is that they all came from the same cable modem-based IP address. So, the easy and obvious solution - add the IP to /etc/hosts.deny. Also, add the IP to your firewall to get denied, and to /etc/mail/access. Even if you don't use Linux (sendmail more specifically) for your mail server, you can also block incoming traffic in Exchange 2K. We did that as well. Soon after I did that, the generic bounce back messages stopped, and all was well again.

    1. Re:Best fix so far.... by shamino0 · Score: 5, Interesting
      In the case of SoBig, you've got an advantage that you don't necessarily get from other worms.

      According to Symantec, SoBig uses its own SMTP engine to propagate. And according to my analyses of the headers, it appears that it attempts direct-to-MX sending.

      This gives you two advantages.

      First off, it means that the first Received: header in the mail will contain the IP address of the infected machine. This will give you enough information to inform the ISP (who can then inform his customer) if you're so inclined. Or at minimum, you have an address you can temporarily block until the storm dies down.

      The second advantage is that you can keep it from spreading beyond your own network if you block your customers from port 25 (and force them to send all mail through your mail server.) While this may annoy a few customers, most probably won't even notice, and it will keep any infected customers from spreading the virus to the rest of the world.

      Unfortunately, there's nothing you can do about all the bounces caused by other people that are spewing the virus with forged headers. I found that (for myself, anyway), the easiest way is to mark the bounces as spam with Mozilla, and let the Bayesian filtering move them out of my way. But this doesn't do much good if you're looking to protect a mail server.
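Taken together, hawkbug's and shamino0's posts describe one procedure: pull the connecting IP out of the Received: line your own MX stamped on each worm message, count messages per source, and feed repeat offenders into /etc/hosts.deny and the sendmail access map. Below is an added example of that procedure in Python; it is not code from either poster or from any project. The host mx.example.org, the sample messages, the threshold and the direct-to-MX assumption (our MX's Received: line names the infected machine) are all constructed for illustration, and whether sendmail honours hosts.deny depends on it having been built with TCP wrapper support.

```python
"""Tally the originating IPs of worm-generated mail from Received: headers.

Added example, not code from anyone in the thread. It assumes the
direct-to-MX delivery shamino0 describes: the Received: line stamped by our
own MX names the connecting host, i.e. the infected machine. Messages are
taken as RFC 822 text; the samples below are constructed for illustration.
"""
import re
from collections import Counter
from email import message_from_string

# First bracketed IPv4 literal in a Received: line; in the usual
# "from host (name [ip]) by ..." form that is the connecting client.
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def sample_message(client_ip: str, msg_id: str, relayed: bool = False) -> str:
    """Constructed worm-style message as our (hypothetical) mx.example.org would stamp it."""
    mx_hop = (
        f"Received: from ALICE-PC (cable-{client_ip.replace('.', '-')}.isp.example [{client_ip}])\n"
        f"\tby mx.example.org with SMTP id {msg_id}; Wed, 20 Aug 2003 09:59:58 -0400\n"
    )
    # Optional internal relay hop on top, to show that later hops are ignored.
    relay_hop = (
        "Received: from mx.example.org (mx.example.org [192.0.2.10])\n"
        f"\tby mail.example.org with ESMTP id R{msg_id}; Wed, 20 Aug 2003 10:00:00 -0400\n"
    )
    return (
        (relay_hop if relayed else "")
        + mx_hop
        + "From: soren@example.org\n"
        + "To: bob@example.org\n"
        + "Subject: Re: Details\n\n"
        + "See the attached file for details.\n"
    )


# Constructed corpus: two messages from one cable-modem host, one from another.
SAMPLE_MESSAGES = [
    sample_message("203.0.113.45", "A1"),
    sample_message("203.0.113.45", "A2", relayed=True),
    sample_message("198.51.100.7", "A3"),
]


def originating_ip(raw_message: str):
    """Return the client IP from the earliest hop's Received: line, or None."""
    msg = message_from_string(raw_message)
    received = msg.get_all("Received") or []
    if not received:
        return None
    # Each MTA prepends its Received: line, so the last one in header order is
    # the earliest hop: with direct-to-MX mail, that is our MX's own stamp.
    match = RECEIVED_IP.search(received[-1])
    return match.group(1) if match else None


def tally_sources(messages, threshold: int) -> dict:
    """Count messages per originating IP; keep only IPs at or above threshold."""
    counts = Counter(ip for ip in map(originating_ip, messages) if ip)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def deny_entries(offenders) -> dict:
    """Lines for the two block lists hawkbug mentions: TCP wrappers' hosts.deny
    and sendmail's /etc/mail/access map (Connect: tag, sendmail 8.10 and later)."""
    ips = sorted(offenders)
    return {
        "hosts.deny": [f"ALL: {ip}" for ip in ips],
        "access": [f"Connect:{ip}\tREJECT" for ip in ips],
    }


if __name__ == "__main__":
    offenders = tally_sources(SAMPLE_MESSAGES, threshold=2)
    for name, lines in deny_entries(offenders).items():
        print(f"# {name}")
        print("\n".join(lines))
```

The access map still has to be rebuilt with makemap after the lines are appended, and a firewall rule for the same IP (hawkbug's third step) is left to whatever packet filter the host runs.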

  2. Re:Sobig - 50% of our mail traffic. by aridhol · Score: 4, Interesting
    However, for AOL and Earthlink to blacklist you based on false 'From:' entries is just stupid
    Amen. The way I'd configure it:
    • Get a virus scanner, set to auto-update
    • Scan all incoming emails
    • When a server passes a certain threshold of incoming, virus-laden emails, block it
    • When a netblock passes a certain threshold of blocked hosts, block the netblock. This should block the ISP's mail server if their customers are sending out directly due to the virus.
    • After a specific amount of time, put hosts and netblocks into a greylist. When you're on the greylist, one offence gets you back into the blacklist.
    • After a specific amount of time on the greylist, remove them from the blocks entirely
    --
    I can't say that I don't give a fuck. I've just run out of fuck to give.
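aridhol's list reads as a small state machine: count virus-laden messages per host, block a host at a threshold, roll blocked hosts up into their netblock, then let blacklist entries decay to a greylist and greylist entries expire, with a single greylist offence reinstating the block. The following is an added Python example of that policy, not aridhol's code or any project's. It assumes a virus scanner has already labelled each message (the first two bullets), uses fixed /24 netblocks, and the thresholds and timers are illustrative values.

```python
"""Threshold block-list with netblock escalation and greylist decay.

Added example of the policy outlined in the thread; not code from the poster.
Inputs are (time, source IP, scanner verdict) per message. Netblocks are fixed
/24s and all thresholds and timers are arbitrary illustrative choices.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Policy:
    host_threshold: int = 5       # virus-laden messages before a host is blocked
    netblock_threshold: int = 3   # blocked hosts in a /24 before the /24 is blocked
    block_ttl: int = 3600         # seconds on the blacklist before demotion to greylist
    grey_ttl: int = 3600          # seconds on the greylist before the entry is dropped


@dataclass
class Entry:
    state: str    # "black" (reject) or "grey" (accept, but on probation)
    since: float  # time the current state was entered


class Blocklist:
    def __init__(self, policy: Policy = Policy()):
        self.policy = policy
        self.virus_counts = {}  # host -> virus-laden messages seen while unlisted
        self.entries = {}       # host or "a.b.c.0/24" -> Entry

    @staticmethod
    def _netblock(ip: str) -> str:
        return str(ipaddress.ip_network(f"{ip}/24", strict=False))

    def _expire(self, now: float) -> None:
        """Blacklist -> greylist after block_ttl; greylist -> removed after grey_ttl."""
        for key, entry in list(self.entries.items()):
            if entry.state == "black" and now - entry.since >= self.policy.block_ttl:
                self.entries[key] = Entry("grey", now)
            elif entry.state == "grey" and now - entry.since >= self.policy.grey_ttl:
                del self.entries[key]

    def decision(self, now: float, ip: str) -> str:
        """'reject' if the host or its /24 is currently blacklisted, else 'accept'."""
        self._expire(now)
        for key in (ip, self._netblock(ip)):
            entry = self.entries.get(key)
            if entry is not None and entry.state == "black":
                return "reject"
        return "accept"

    def observe(self, now: float, ip: str, is_virus: bool) -> None:
        """Record one scanned message from ip and update the lists."""
        self._expire(now)
        if not is_virus:
            return
        entry = self.entries.get(ip)
        if entry is not None and entry.state == "black":
            return  # already rejected; nothing more to escalate per host
        if entry is not None and entry.state == "grey":
            # One offence while on the greylist goes straight back to the blacklist.
            self.entries[ip] = Entry("black", now)
            return
        self.virus_counts[ip] = self.virus_counts.get(ip, 0) + 1
        if self.virus_counts[ip] >= self.policy.host_threshold:
            self.entries[ip] = Entry("black", now)
            self.virus_counts[ip] = 0
            self._maybe_block_netblock(now, ip)

    def _maybe_block_netblock(self, now: float, ip: str) -> None:
        """Block the whole /24 once enough of its hosts are individually blacklisted."""
        net = self._netblock(ip)
        network = ipaddress.ip_network(net)
        blocked_hosts = [
            key for key, entry in self.entries.items()
            if entry.state == "black" and "/" not in key
            and ipaddress.ip_address(key) in network
        ]
        if len(blocked_hosts) >= self.policy.netblock_threshold and net not in self.entries:
            self.entries[net] = Entry("black", now)


if __name__ == "__main__":
    # Constructed scenario with small thresholds so every transition is visible.
    bl = Blocklist(Policy(host_threshold=2, netblock_threshold=2, block_ttl=100, grey_ttl=100))
    for t, ip in [(0, "203.0.113.5"), (1, "203.0.113.5"), (3, "203.0.113.9"), (4, "203.0.113.9")]:
        bl.observe(t, ip, is_virus=True)
    print(bl.decision(5, "203.0.113.77"))   # rejected via the /24
    print(bl.decision(105, "203.0.113.5"))  # accepted again: everything has decayed to grey
```

Netblock entries decay on the same timers as hosts; a real deployment would also want the counters and entries persisted across restarts and a way for an operator to whitelist an ISP's legitimate outbound relay, which this sketch omits.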
  3. Re:Do not use Outlook, etc. by questionlp · Score: 4, Informative

    Don't forget that there are mail clients (iirc - Eudora is one) that use the HTML rendering component used by IE. Which means that the mail client is just as vulnerable as Outlook Express or Outlook if the user's IE install is not up to date.

  4. Re:Do not use Outlook, etc. by Matts · Score: 5, Insightful

    This is a common misconception by geeks who are smug because they didn't get infected with Sobig.

    Sobig didn't use any exploits. It was just a plain old .EXE attached to an email. Outlook prompted the user when they tried to run it telling them that exes often contain viruses. But they still ran it.

    This behaviour is the same in Thunderbird and other Windows mail clients. It's even the same in Apple's Mail.app.

    Don't be a bigot and assume you're immune because you don't run Outlook.

    --

    Matt. Want XML + Apache + Stylesheets? Get AxKit.
  5. Email Virus: Get it right by cmowire · Score: 4, Informative

    Actually, it's an email virus, not an Outlook virus.

    It uses an efficient multi-threaded internal mail engine that uses any available mail addresses it can find on your system (browser cache, address book -- which Domino will register itself as too, etc).

    It spreads because people are generally stupid and will open up attachments.

    Outlook is not needed. It can even spread if you are using webmail.