Defending Your Mail Server?

← Back to Stories (view on slashdot.org)

Posted by Cliff on Friday September 5, 2003 @07:45AM from the battening-down-the-hatches dept.

soren42 asks: "I've been a casualty of war in the latest round of SoBig battles. Apparently, some of my user's e-mail addresses were in the address books of infected Outlook clients, and spam is now being circulated appearing to come from my domain. I'm getting almost 50 'Message Undeliverable' errors per hour, and I think I've been blacklisted from AOL and Earthlink. I know there are plenty of you are having this problem - how are you dealing with it?" Email viruses, once urban legends, have now become a real threat to certain people. What active measures can users (both vulnerable and non-vulnerable to such things) take to lower the propagation rate of such viruses across the internet?

2 of 72 comments (clear)

Min score:

Reason:

Sort:

Re:Best fix so far.... by shamino0 · 2003-09-05 09:13 · Score: 5, Interesting

In the case of SoBig, you've got an advantage that you don't necessarily get from other worms.
According to Symantec, SoBig uses its own SMTP engine to propagate. And according to my analyses of the headers, it appears that it attempts direct-to-MX sending.
This gives you two advantages.
First off, it means that the first Received: header in the mail will contain the IP address of the infected machine. This will give you enough information to inform the ISP (who can then inform his customer) if you're so inclined. Or at minimum, you have an address you can temporarily block until the storm dies down.
The second advantage is that you can keep it from spreading beyond your own network if you block your customers from port 25 (and force them to send all mail through your mail server.) While this may annoy a few customers, most probably won't even notice, and it will keep any infected customers from spreading the virus to the rest of the world.
Unfortunately, there's nothing you can do about all the bounces caused by other people that are spewing the virus with forged headers. I found that (for myself, anyway), the easiest way is to mark the bounces as spam with Mozilla, and let the Baysian filtering move them out of my way. But this doesn't do much good if you're looking to protect a mail server.
Re:Do not use Outlook, etc. by Matts · 2003-09-05 10:43 · Score: 5, Insightful

This is a common misconception by geeks who are smug because they didn't get infected with Sobig.

Sobig didn't use any exploits. It was just a plain old .EXE attached to an email. Outlook prompted the user when they tried to run it telling them that exes often contain viruses. But they still ran it.

This behaviour is the same in Thunderbird and other windows mail clients. It's even the same in Apple's Mail.app.

Don't be a bigot and assume you're immune because you don't run Outlook.

--

Matt. Want XML + Apache + Stylesheets? Get AxKit.