Firewall Wizards mailing list archives
Re: Securing email by inhibiting urls
From: Timothy Shea <tim () tshea net>
Date: Thu, 11 Aug 2011 17:20:27 -0500
You are focusing on the wrong problem. If desktops are being infected then your desktop, anti-spam, and web browsing controls are all weak. Eliminating "links" in e-mail is going to accomplish nothing.

A commercial web content filter for web browsing will go a long way to resolving your issues. Most commercial content filters are continuously updated throughout the day and much can be filtered out via categories. We went from several desktop issues a day to one desktop issue a week after implementing a commercial web proxy. We then updated the browser and implemented a new anti-virus solution. The desktop environment has now gone completely stable. We haven't had a serious issue in months, freeing up our time to do other things.

You should also evaluate your desktop hardening and patching processes.

t.s

On Thu, Aug 11, 2011 at 6:37 AM, Chris <chughes () l8c com> wrote:

This won't work. This site is under constant attack from China, and randomly hacked domains that are used as relays are not on any watch lists. We are talking zero day here. There are no signatures for the payload if a user clicks these links. Right now user awareness is our best line of defense, and we all know how reliable that is. Until I can disable a user's ability to click a url in an email that appears to come from a trusted source, I'm fighting constant infection. We regularly spot infections (read WE, not our security systems) that are resident in our network and have been there days/weeks/months. We currently have at least one that we are watching to see what it is trying to do before shutting it down....

-----Original Message-----
From: Mathew Want [mailto:imortl1 () gmail com]
Sent: Thursday, August 11, 2011 1:19 AM
To: chughes () l8c com; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Securing email by inhibiting urls

Perhaps it may be worth looking at it from the other angle. If you have URLs being accessed from your environment (from emails or other sources), these can be channeled via a proxy on the client end. You could then control the URL categorization and/or blocking via that method. Many proxy services get updates of known bad domains and block these automatically (similar to AV updates). This is not directly tied to the mail system, but should give you an option to still control the outbound requests to attack URLs.

Just a thought.

--
Regards,
Mathew Want

On 2 August 2011 04:46, Chris <chughes () l8c com> wrote:

A company I work for has been having great difficulty in securing against email attacks. So far we have disabled access to webmail, implemented rules and processes to block freemail services like hotmail etc. until the sender registers the address, and of course a spam filter (BrightMail). Attachment filtering is pretty strict as well.

The threat that presents the biggest challenge is url links in emails. The common method of attack is an email from somedomain.com where they change one character or otherwise make the address look valid (i.e. joe () s0medomain com or j0e () somedomain com etc.). I was looking for a way to spot and block hyperlinks, but it looks like the only option I have is to filter on these and send them to a spam bin. I'd rather yank the offending hyperlink and replace it with a message of some sort. Unfortunately BrightMail doesn't offer that capability. Any products that do this or ideas on a solution?

Thanks

--
"Some things are eternal by nature, others by consequence"
--
Tim Shea, CISSP
612-384-6810
tim () tshea net
http://www.linkedin.com/in/timothyshea
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
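One way to implement the control Chris asks for in the quoted original post (rewrite the offending hyperlink rather than send the whole message to a spam bin), as an added example that is not part of this thread and not code from BrightMail or any other product mentioned in it: a small Python mail filter that flags link hosts imitating a trusted domain (digit-for-letter swaps such as s0medomain, a one-character edit, or a trusted name used as the leading labels of an unrelated host) and replaces those links with a notice in both the text/plain and text/html parts of a MIME message. The trusted-domain list, the confusables table and the sample message are assumptions constructed for the example; the lookalike heuristics are a deliberately small illustration, not a complete confusables catalogue.

```python
"""Rewrite lookalike hyperlinks in an email instead of binning the message.

Added example, not code from the thread or from any product named in it.
TRUSTED_DOMAINS, CONFUSABLES and SAMPLE are constructed for the demonstration.
"""
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Domains whose senders the site trusts (constructed for the example).
TRUSTED_DOMAINS = {"somedomain.com", "example.com"}

# Digit-for-letter swaps used to make a host look valid (constructed subset;
# a real deployment would use a fuller confusables table).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

PLACEHOLDER = "[link removed: host imitates a trusted domain]"

# A bare URL in text; the match stops before trailing sentence punctuation.
URL_RE = re.compile(r"https?://[^\s<>\"']*[^\s<>\"'.,;:!?)]", re.IGNORECASE)
# The opening tag of an HTML anchor, capturing its href target.
A_TAG_RE = re.compile(r'<a\b[^>]*?\bhref\s*=\s*(["\'])(.*?)\1[^>]*>',
                      re.IGNORECASE | re.DOTALL)


def edit_distance(a, b):
    """Levenshtein distance; hostnames are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(host, trusted=TRUSTED_DOMAINS):
    """True when host is not a trusted domain (or a subdomain of one) but
    imitates one: equal after folding confusables, within one edit of it, or a
    trusted name used as the leading labels of another host."""
    host = host.lower()
    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return False
    folded = host.translate(CONFUSABLES)
    for t in trusted:
        if folded == t or edit_distance(folded, t) <= 1:
            return True
        if host.startswith(t + ".") or host.startswith(t + "-"):
            return True
    return False


def defang_text(text):
    """Replace each lookalike URL in plain text; return (new_text, count)."""
    count = 0

    def sub(m):
        nonlocal count
        if is_lookalike(urlsplit(m.group(0)).hostname or ""):
            count += 1
            return PLACEHOLDER
        return m.group(0)

    return URL_RE.sub(sub, text), count


def defang_html(html):
    """Dead-end lookalike anchors (href '#', notice before the link text), then
    treat any bare URLs left in the markup like plain text."""
    count = 0

    def sub(m):
        nonlocal count
        if is_lookalike(urlsplit(m.group(2)).hostname or ""):
            count += 1
            return '<a href="#">' + PLACEHOLDER + " "
        return m.group(0)

    html = A_TAG_RE.sub(sub, html)
    html, n = defang_text(html)
    return html, count + n


def defang_message(raw):
    """Walk a MIME message, rewrite its text/plain and text/html parts and
    return (rewritten message as a string, number of links replaced)."""
    msg = message_from_string(raw, policy=policy.default)
    total = 0
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        rewrite = defang_html if ctype == "text/html" else defang_text
        new, n = rewrite(part.get_content())
        if n:
            part.set_content(new, subtype=ctype.split("/")[1])
            total += n
    return msg.as_string(), total


# Constructed sample: each part carries one legitimate and one lookalike link.
SAMPLE = """\
From: joe@somedomain.com
To: user@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Review at http://www.somedomain.com/invoices or http://s0medomain.com/login.
--b1
Content-Type: text/html

<p><a href="http://somedomain.com.evil.example/">Login here</a>
or <a href='http://example.com/'>home</a></p>
--b1--
"""

if __name__ == "__main__":
    rewritten, replaced = defang_message(SAMPLE)
    print(replaced, "link(s) replaced")
    print(rewritten)
```

Run as a script it prints the rewritten sample with two links replaced. Subdomains of a trusted name (www.somedomain.com) pass, while s0medomain.com, somedomain.co and somedomain.com.evil.example are rewritten; a filter of this shape sits naturally at the MTA or in a milter, before the message reaches the user's client, which is the point in the path where Chris wanted the link neutralised.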
Current thread:
- Securing email by inhibiting urls Chris (Aug 10)
- Re: Securing email by inhibiting urls Mathew Want (Aug 11)
- Re: Securing email by inhibiting urls Chris (Aug 11)
- Re: Securing email by inhibiting urls Marcus Ranum (Aug 11)
- Re: Securing email by inhibiting urls Jean-Denis Gorin (Aug 12)
- Re: Securing email by inhibiting urls Marcus Ranum (Aug 12)
- Re: Securing email by inhibiting urls Chris (Aug 11)
- Re: Securing email by inhibiting urls Timothy Shea (Aug 11)
- Re: Securing email by inhibiting urls Mathew Want (Aug 11)
- Re: Securing email by inhibiting urls Chris (Aug 11)
- Re: Securing email by inhibiting urls Kurt Buff (Aug 11)
- Re: Securing email by inhibiting urls Victor Williams (Aug 11)
- Re: Securing email by inhibiting urls Chris (Aug 12)
- Re: Securing email by inhibiting urls Paul D. Robertson (Aug 12)
- <Possible follow-ups>
- Re: Securing email by inhibiting urls Chris (Aug 11)
- Re: Securing email by inhibiting urls Ilias - (Aug 11)