Firewall Wizards mailing list archives
Re: Securing email by inhibiting urls
From: "Chris" <chughes () l8c com>
Date: Thu, 11 Aug 2011 23:37:26 -0400
Thanks for the response.

1. We block China but that doesn't stop mail being sourced from a hacked American company.

2. We don't allow any webmail access from our site. For business reasons we are not allowed to block mail from anything but "freemail" sites like Gmail, Hotmail etc.

3. We have Brightmail, Juniper IDS, ISS IDS and Symantec Antivirus protecting all mail servers. We don't have issues with executables etc. in mail as attachments. We mostly see encrypted .zip or MS Excel/Word attachments in emails made to look like they are coming from someone friendly. The well-trained employee with a short memory or bad recall clicks the attachment or URL linked to a file and the game is over. These are zero-day payloads that are not detected by anyone. We have spent lots of money getting them reverse engineered and the security firms are impressed.

We can block all attachments but that doesn't stop a user clicking a link to a hacked ford.com page that delivers the payload (making this up but it's not far from true). With business constraints etc., our best option now is to strip/modify URLs/links in emails, but our current systems don't have that feature.

From: Mark E. Donaldson [mailto:markee () bandwidthco com]
Sent: Thursday, August 11, 2011 8:51 PM
To: chughes () l8c com; Firewall Wizards Security Mailing List
Subject: RE: [fw-wiz] Securing email by inhibiting urls

You need to re-think how you handle mail. Two things:

1. Take out all Chinese IP addresses at the firewall. Nothing of value comes out of China. 99% of it is toxic. Why let them even have a chance?

2. Direct webmail over the internet is dangerous at best. You need to set up an SMTP mail proxy on your system that receives, processes, and either accepts or rejects all incoming email. Use Sendmail + MailScanner + SpamAssassin + ClamAV. Won't cost you a cent and will take all bad stuff out as you instruct it to do.

3. Mail that makes it through the proxy should then be directed to the webmail server. It will be safe and clean.

From: firewall-wizards-bounces () listserv cybertrust com [mailto:firewall-wizards-bounces () listserv cybertrust com] On Behalf Of Chris
Sent: Monday, August 01, 2011 11:47 AM
To: firewall-wizards () listserv cybertrust com
Subject: [fw-wiz] Securing email by inhibiting urls

A company I work for has been having great difficulty in securing against email attacks. So far we have disabled access to webmail, implemented rules and processes to block freemail services like Hotmail etc. until the sender registers the address, and of course a spam filter (Brightmail). Attachment filtering is pretty strict as well.

The threat that presents the biggest challenge is URL links in emails. The common method of attack is an email from somedomain.com where they change one character or otherwise make the address look valid (i.e. joe () s0medomain com or j0e () somedomain com etc.). I was looking for a way to spot and block hyperlinks but it looks like the only option I have is to filter on these and send them to a spam bin. I'd rather yank the offending hyperlink and replace it with a message of some sort. Unfortunately Brightmail doesn't offer that capability. Any products that do this or ideas on a solution?

Thanks

--
This message has been scanned for viruses and dangerous content by <http://www.mailscanner.info/> MailScanner, and is believed to be clean. MailScanner at <http://www.bandwidthco.com/> Bandwidthco Computer Security is for your absolute protection.
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: Securing email by inhibiting urls, (continued)
- Re: Securing email by inhibiting urls Marcus Ranum (Aug 11)
- Re: Securing email by inhibiting urls Jean-Denis Gorin (Aug 12)
- Re: Securing email by inhibiting urls Marcus Ranum (Aug 12)
- Re: Securing email by inhibiting urls Timothy Shea (Aug 11)
- Re: Securing email by inhibiting urls Chris (Aug 11)
- Re: Securing email by inhibiting urls Kurt Buff (Aug 11)
- Re: Securing email by inhibiting urls Victor Williams (Aug 11)
- Re: Securing email by inhibiting urls Chris (Aug 12)
- Re: Securing email by inhibiting urls Paul D. Robertson (Aug 12)