Security Basics mailing list archives

Re: File Catching Firewall?


From: Brian Guy <brian () sambizsys com>
Date: Mon, 09 Feb 2004 11:01:44 -0800

We're currently letting zip through, but we may block it in the future.

Josh Mills wrote:

Are you also stripping *.zip attachments? The only MyDoom e-mails I received were the ones packaged as zip files. The rest were either stripped or blocked by a DNSBL or my spam killer.

-----Original Message-----
From: Brian Guy [mailto:brian () sambizsys com]
Sent: Sat 2/7/2004 12:03 AM
To: 'securityfocus'; jhaith () genesissys com
Cc:
Subject: Re: File Catching Firewall?


We managed to not get a single MyDoom e-mail with the config below. This approach blocks about 95% of our spam overall.
        
        1.  Postfix 2.0 does initial blocks for obvious spam (e.g., DNS
        blacklists for open relays, spoofing our IP in HELO, etc.).  See
        O'Reilly book on Postfix 2.0 for more info.
        
        2.  Advosys Mail Filter filters out dangerous attachments, as defined by
        you.  You decide what file extensions can come through, what gets
        blocked.  We block all executable and script extensions, but we allow
        PDF and a few others.
        
        3.  SpamAssassin does content based filtering and some additional DNS
        blacklist lookups that we didn't want to block at the MTA level (due to
        risk of false positives).  We significantly raised the scores assigned
        to some of the DNS blacklists so that the messages will get tagged as
        spam, but they don't immediately bounce as do the DNS blacklist checks
        we do at the MTA level.
        
        I never saw any MyDoom messages with the attachment stripped by Advosys,
        so all of our MyDoom mail apparently got stopped by Postfix.  I'm still
        in shock that none got through.
        
        Regardless of whether you do the Postfix filtering, Advosys should do
        what you're wanting.  Just search for it on Google and you should find
        the source code (it's just a Perl script if I remember correctly).
        
        Good luck!
        
        >-----Original Message-----
        >From: Jason Haith [mailto:jhaith () genesissys com]
        >Sent: 3. februar 2004 22:08
        >To: securityfocus
        >Subject: File Catching Firewall?
        >
        >Was asked to look into maybe putting in a Linux box in front of our mail
        >server to stop the massive amounts of email attachments we have been
        >receiving as of late due to 'MyDoom'. We currently have a WG FireBoxII and
        >software on our Mail Server that is supposed to be catching everything, but
        >with so much coming in it's missing alot. I was wondering if anyone had any
        >ideas on some type of solution for this, all input is greatly appreciated.
        >Thank you.
        >
        >Jason Haith
        >Genesis Systems
        >
        >
        >---------------------------------------------------------------------------
        >Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
        >course! All of our class sizes are guaranteed to be 10 students or less.
        >We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
        >and many other technical hands on courses.
        >Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
        >any course!
        >----------------------------------------------------------------------------
        
        
        


---------------------------------------------------------------------------
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
----------------------------------------------------------------------------
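The attachment-extension step Brian describes (block executables and scripts by file name, let PDF and a few others through) and Josh's follow-up about MyDoom arriving inside zip files can both be demonstrated with a small policy filter. The code below is an added example written for this archive page; it is not the Advosys Mail Filter (which is a Perl script) and not any code from the thread. The block list, the allow list, the `quarantine` verdict for unlisted extensions and the `MAX_ZIP_MEMBERS` cap are assumptions chosen for the example; the sample messages are constructed inline. It goes one step past what the thread describes by also listing the members of a .zip attachment (without extracting them) so that a blocked extension wrapped in a zip is caught the same way as a bare one.

```python
"""Attachment-extension policy filter for inbound mail (added example).

Hypothetical Python stand-in for the 'dangerous attachment' step in the
thread; it is not the Advosys filter. It walks every MIME part, decides
from the attachment file name whether the part is allowed, and for .zip
attachments also reads the member names so that a blocked extension
packed into a zip is refused as well.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions refused outright (executables and scripts). This list is an
# assumption for the example; the thread does not give the real one.
BLOCKED_EXTENSIONS = frozenset({
    "exe", "com", "scr", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse",
    "wsf", "wsh", "hta", "cpl", "reg",
})
# Extensions explicitly allowed through (the thread mentions PDF).
ALLOWED_EXTENSIONS = frozenset({"pdf", "txt", "jpg", "png", "doc", "xls"})
# Cap on archive members inspected, so a huge central directory cannot
# be used to stall the filter. Assumed value.
MAX_ZIP_MEMBERS = 1000


def extension_of(filename):
    """Return the lower-cased final extension of a file name ('' if none).

    'readme.txt.exe' yields 'exe': only the last suffix decides, so a
    double extension cannot smuggle an executable past the check.
    """
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[1].lower()


def zip_member_names(data):
    """List member names of a zip blob without extracting anything.

    Names come from the central directory, which is readable even for
    password-protected archives. A corrupt or non-zip payload yields
    ['<unreadable zip>'] so it is treated as suspicious, not passed.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist()[:MAX_ZIP_MEMBERS]]
    except zipfile.BadZipFile:
        return ["<unreadable zip>"]


def check_message(raw_bytes):
    """Return (verdict, reasons) for a raw RFC 5322 message.

    'block' if any attachment (or zip member) has a blocked extension,
    'quarantine' if an attachment extension is neither allowed nor
    blocked, otherwise 'accept'.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    reasons = []
    unknown = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if not filename:
            continue  # inline text/html bodies carry no file name
        ext = extension_of(filename)
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked extension: {filename}")
            continue
        if ext == "zip":
            for member in zip_member_names(part.get_payload(decode=True)):
                if member == "<unreadable zip>" or extension_of(member) in BLOCKED_EXTENSIONS:
                    reasons.append(f"blocked inside {filename}: {member}")
            continue
        if ext not in ALLOWED_EXTENSIONS:
            unknown.append(filename)
    if reasons:
        return "block", reasons
    if unknown:
        return "quarantine", [f"unlisted extension: {n}" for n in unknown]
    return "accept", []


def build_sample(attachments):
    """Constructed test message; attachments is a list of (name, bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "test"
    msg.set_content("Please see the attached document.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def zip_with(names):
    """Build an in-memory zip archive with empty members of the given names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for label, atts in [
        ("pdf only", [("report.pdf", b"%PDF-1.4")]),
        ("double extension", [("readme.txt.exe", b"MZ")]),
        ("exe in zip", [("document.zip", zip_with(["document.exe"]))]),
        ("docs in zip", [("docs.zip", zip_with(["a.pdf", "b.txt"]))]),
    ]:
        print(label, check_message(build_sample(atts)))
```

In production this sits behind the MTA (Postfix content_filter or a milter) rather than in front of it, and the verdict maps to a reject, a quarantine folder, or stripping the part, depending on local policy. Listing zip members only sees names, so a renamed executable inside the archive still passes; a scanner that inspects content is the next layer, not a replacement for this one.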
