Firewall Wizards mailing list archives

Re: Securing email by inhibiting urls


From: Victor Williams <vbwilliams () gmail com>
Date: Thu, 11 Aug 2011 13:12:43 -0500

Cisco Ironport or McAfee's two offerings:  Email & Web Security Appliance or
Email Gateway.

The McAfee products used to be Secure Computing's Ironmail appliances, but
were bought with the Secure Computing acquisition.

Additionally, you should implement a true URL and content filtering service.
 Even if an email gets through here or there, clicking on the link in it
will do more or less nothing if you have a "good" content-filtering proxy.

At my last job, we implemented McAfee's Email Gateway which filtered out a
very high percentage of junk incoming--you have to turn it on and take a lot
of time configuring/tweaking it.  We also used Trend Micro's InterScan Web
Security product for web content filtering.  The Trend-Micro product is
based on Squid and some other open and non-open source products.  We didn't
want to take the time rolling our own Squid-based solution, and instead paid
for that one.  Ran both for a year+ without any known infections.

I do know that we had all of the popular safeguards turned on on the McAfee
appliance(s).  SPF checking, blacklist checking with 4 different blacklists,
reverse DNS lookup on the sending IP address, etc.  We also only allowed
delivery to addresses that could be verified valid by looking them up in
Active Directory.  If some server was attempting to send to a bunch of
addresses that didn't even exist in our environment, that server was
automatically banned from sending emails to us for X amount of time.  This
cut down on a LOT of junk.

Disabling all the tools that people need to do their jobs won't help the
situation.  You need to get a good all-around solution and customize it to
your environment--put a LOT of time into configuring and testing it.  It
took me personally about 40 hours to get the McAfee appliances working
exactly how I wanted them to.


On Thu, Aug 11, 2011 at 8:40 AM, Raphael Rivera <rafinous () yahoo com> wrote:

Chris,

Have you all tried Barracuda Spam Firewall?

Sent from my iPhone

On Aug 1, 2011, at 2:46 PM, "Chris" <chughes () l8c com> wrote:

A company I work for has been having great difficulty in securing against
email attacks.  So far we have disabled access to webmail, implemented
rules and processes to block freemail services like hotmail etc until the
sender registers the address and of course a spam filter (BrightMail).
Attachment filtering is pretty strict as well.

The threat that presents the biggest challenge is url links in emails.  The
common method of attack is an email from somedomain.com where they change
one character or otherwise make the address look valid (ie:
joe () s0medomain com or j0e () somedomain com etc).

I was looking for a way to spot and block hyperlinks but it looks like the
only option I have is to filter on these and send them to a spam bin.  I’d
rather yank the offending hyperlink and replace it with a message of some
sort.  Unfortunately BrightMail doesn’t offer that capability.

Any products that do this or ideas on a solution?

Thanks

_______________________________________________

firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
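
The link-replacement idea from the original question, as an added sketch that is not part of the thread or of any product named in it: flag a sender address that is a near-copy of a known correspondent and swap every hyperlink in the body for a notice. The known-sender list, the notice text and the single-part plain-text handling are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: a list of known correspondents and the notice text.
KNOWN_SENDERS = {"joe@somedomain.com"}
NOTICE = "[link removed: sender address resembles a known contact]"
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)
FOLD = str.maketrans("01", "ol")  # digit-for-letter swaps like those in the question


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(address):
    """True if address is not a known sender but is nearly identical to one."""
    address = address.lower()
    if address in KNOWN_SENDERS:
        return False
    return any(
        address.translate(FOLD) == known.translate(FOLD)
        or edit_distance(address, known) <= 1
        for known in KNOWN_SENDERS
    )


def strip_links(raw_message):
    """Return (flagged, body); links are replaced only for lookalike senders."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    body = msg.get_payload()  # single-part text/plain only in this sketch
    if not is_lookalike(sender):
        return False, body
    return True, URL_RE.sub(NOTICE, body)


# Constructed sample message, not taken from the thread.
SAMPLE = (
    "From: Joe <joe@s0medomain.com>\n"
    "Subject: invoice\n\n"
    "Please review http://portal.example.net/login today.\n"
)
```

A threshold of one edit also flags legitimate addresses that differ from a known contact by a single character, so a real deployment would need an allow list alongside it.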

