Firewall Wizards mailing list archives

Re: Securing email by inhibiting urls


From: Marcus Ranum <mjr () ranum com>
Date: Fri, 12 Aug 2011 16:52:14 -0400


Jean-Denis Gorin writes:

1- convert ALL incoming email to text/plain format (all those HTML-formatted emails from outside are bullshit: SPAM,
commercials from vendors, invitations to shiny conferences, etc.)
2- substitute ALL URLs with 'that link was removed for security reasons [*]', with [*] stating: 'if access to that link is
needed, please contact the sender of the message'

I saw a company that did that, years ago. They had all incoming mail go through
mimedefang and all URLs got converted to an https: URL pointing to their proxy
server, which required a login. They also had a whitelist ruleset in the rewrite,
so that some URLs didn't get rewritten on a case-by-case basis. Anything with
metacharacters or on a blacklist got rewritten to a warning. That was the first
layer.

The other thing they did was all attachments got stripped, and decoded and
stored in a queue area on their IMAP server, where it was accessible over
https:, and the URLs to the attachment were injected back into the message.
So if you got a jpeg, you got
(jpg annakournikova.jpg is accessible here:
https://popserver.company.com/attachments/mjr/xfaa837-annakournikova.jpg )
instead of the inlined data. As you can imagine that was unpopular with some
people because there were then very good logs of who was accessing what
and when and why. The other thing they did that was extremely cute was the
queue folders were remote-mounted from a Windows box using smbmount,
and the Windows box had a variety of antivirus products installed on it, so
when something got spooled to a user's queue, if it set off the A/V, it would
just delete the file and if the user clicked on it they got a 404. Otherwise
they got their data. They had some admin foo where any administrator
could flag an attachment as bad, and it'd automatically delete any other copies
of it (this was back when all versions of a piece of malware were the
same - 1999!) in the queue area. They also did other nice stuff like block
any HTML email that had operators that weren't on a small white-list.

I thought it was pretty cool, and it took their admin a couple of days to set up
using basic open source tools. It scaled really well, too. Of course the users
moaned and whined - but it was a security consultancy that was under a
fairly high level of attack and they were able to actually overrule the users
for a change. Those days are probably over now that Facebook is a
"mission critical app" for so many companies.*

mjr.

--
Marcus J. Ranum         CSO, Tenable Network Security, Inc.
                        http://www.tenable.com
(* that was sarcasm)
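The pipeline described in the post above (flatten incoming mail to text/plain, route URLs through a login-protected proxy with a whitelist and a metacharacter/blacklist check, spool attachments and inject queue URLs back into the body), as an added Python example that is not from the post and not mimedefang's own code. The proxy and queue hostnames, the allow/deny entries, the metacharacter set and the sample message are all constructed assumptions.

```python
import html
import re
from email import message_from_string
from urllib.parse import quote
PROXY = "https://proxy.example.invalid/go?u="               # assumed login-protected fetch proxy
QUEUE = "https://popserver.example.invalid/attachments/"    # assumed spooled-attachment area
ALLOW, DENY = ("https://listserv.icsalabs.com/",), ("badhost.invalid",)  # assumed whitelist / blacklist
WARNING = "[link removed for security reasons; contact the sender if you need it]"
URL_RE = re.compile(r"https?://[^\s<>\"')]+")
META_RE = re.compile(r"[;|`$\\{}]")  # metacharacters: never proxied, always replaced

def rewrite_url(url):
    # whitelist passes through; metacharacters or blacklist -> warning; everything else -> proxy
    if url.startswith(ALLOW):
        return url
    if META_RE.search(url) or any(d in url for d in DENY):
        return WARNING
    return PROXY + quote(url, safe="")

def defang(raw, user, spool):
    """Flatten to plain text with URLs rewritten; non-text parts go to `spool` ('user/name' -> bytes)."""
    lines = []
    for part in (p for p in message_from_string(raw).walk() if not p.is_multipart()):
        ctype, name = part.get_content_type(), part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        if part.get_filename() or ctype not in ("text/plain", "text/html"):
            spool[f"{user}/{name}"] = payload          # decoded bytes land in the user's queue
            lines.append(f"({ctype} {name} is accessible here: {QUEUE}{user}/{name})")
            continue
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":  # keep link targets visible, then drop all tags
            text = re.sub(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', r"\2 (\1)", text, flags=re.S | re.I)
            text = html.unescape(re.sub(r"<[^>]+>", "", text))
        lines.append(URL_RE.sub(lambda m: rewrite_url(m.group(0)), text))
    return "\n".join(lines)

# Constructed sample (not from the post): an HTML body plus one JPEG attachment.
SAMPLE = """Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Deck: <a href="https://www.example.invalid/deck?x=1">here</a>; list: https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards</p>
--b1
Content-Type: image/jpeg
Content-Disposition: attachment; filename="annakournikova.jpg"

not-really-jpeg-bytes
--b1--
"""
```

Calling `defang(SAMPLE, "mjr", {})` returns the flattened body with the deck link proxied, the list link untouched, and the JPEG replaced by its queue URL; the A/V scan of the spool directory is a separate step the post describes and is not shown here.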

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

