Firewall Wizards mailing list archives
Re: Securing email by inhibiting urls
From: Marcus Ranum <mjr () ranum com>
Date: Fri, 12 Aug 2011 16:52:14 -0400
Jean-Denis Gorin writes:
> 1- convert ALL incoming email to text/plain format (all those HTML formatted emails from outside are bullshit: SPAM, commercials from vendors, invitations to shiny conferences, etc.)
> 2- substitute ALL URLs with 'that link was removed for security reasons [*]', with [*] stating: 'if access to that link is needed, please contact the sender of the message'
I saw a company that did that, years ago. They had all incoming mail go through mimedefang and all URLs got converted to https:-URLs pointing to their proxy server, which required a login. They also had a whitelist ruleset in the rewrite, so that some URLs didn't get rewritten on a case-by-case basis. Anything with metacharacters or on a blacklist got rewritten to a warning. That was the first layer.

The other thing they did was all attachments got stripped, decoded and stored in a queue area on their IMAP server, where it was accessible over https:, and the URLs to the attachment were injected back into the message. So if you got a jpeg, you got (jpg annakournikova.jpg is accessible here: https://popserver.company.com/attachments/mjr/xfaa837-annakournikova.jpg ) instead of the inlined data. As you can imagine that was unpopular with some people because there were then very good logs of who was accessing what and when and why.

The other thing they did that was extremely cute was the queue folders were remote-mounted from a windows box using smbmount, and the windows box had a variety of antivirus products installed on it, so when something got spooled to a user's queue, if it set off the A/V, it would just delete the file and if the user clicked on it they got a 404. Otherwise they got their data. They had some admin foo where any administrator could flag an attachment as bad, and it'd automatically delete any other copies of it (this was back when all versions of a piece of malware were the same - 1999!) in the queue area. They also did other nice stuff like block any HTML email that had operators that weren't on a small white-list.

I thought it was pretty cool, and it took their admin a couple days to set up using basic open source tools. It scaled really well, too. Of course the users moaned and whined - but it was a security consultancy that was under a fairly high level of attack and they were able to actually overrule the users for a change. Those days are probably over now that facebook is a "mission critical app" for so many companies.*

mjr.
--
Marcus J. Ranum
CSO, Tenable Network Security, Inc.
http://www.tenable.com

(* that was sarcasm)