Defending Your Mail Server?
soren42 asks: "I've been a casualty of war in the latest round of SoBig battles. Apparently, some of my users' e-mail addresses were in the address books of infected Outlook clients, and spam is now being circulated appearing to come from my domain. I'm getting almost 50 'Message Undeliverable' errors per hour, and I think I've been blacklisted from AOL and Earthlink. I know there are plenty of you who are having this problem - how are you dealing with it?" Email viruses, once urban legends, have now become a real threat to certain people. What active measures can users (both vulnerable and non-vulnerable to such things) take to lower the propagation rate of such viruses across the internet?
I don't understand the problem (Score:2, Funny)
You're complaining about this?
In all seriousness, if you're getting blacklisted because of Sobig mails, then you're really better off without dealing with those people.
You might be one of their favorites. (Score:2)
For some fun, and hours of free muzac, call and try to walk them through whitelisting a server that's in a blacklisted ip block. Be sure to use "big words" like "SMTP" and "whitelist." (Preparing a TCP/IP firewall example that involves cartoon characters might help you get results sooner.)
Filters! (Score:1)
Re:Filters! (Score:1)
So our users get bouncebacks from non-valid emails, virus and filtering software that really aren't valid.
Re:Filters! (Score:2)
-Sean
Re:Filters! (Score:1)
Re:Filters! - A Solution (Score:2, Insightful)
- The bounce back messages will always contain an SMTP status code like 5.1.1 (for user unknown).
- If the message that caused the bounce back really originated from the user, then the bounce back message will contain the user's Display Name as set in his or her email program (often Outlook Express). The display name can also b
Re:Filters! (Score:2)
#1 -- this will catch anything with the "MailScanner" header that sobig uses.
#del sobig worms & sobig worm notifications
# ":0" starts the recipe; both conditions must match the message header
:0
* ^X-MailScanner\: Found to be clean$
* ^X-Mailer: Microsoft Outlook
#/dev/null
$BACK/sobig_worms
#2
This one moves ALL bounces to a specific address (help@domain.com) to a folder.
Note that this is not a very good idea, but is helpful if you have 1 or 2 addresses that are r
How about a pointer to these filters? (Score:2)
How about a pointer to the filtering/spam blocking service you have in place. I would like to get this for my server.
Yours,
Jordan
I tell them to ignore the bouncebacks (Score:1)
Do not use Outlook, etc. (Score:3, Interesting)
Seriously. Pushing non-Microsoft email clients on your users (politely, anyways) is the way to go.
Re:Do not use Outlook, etc. (Score:4, Informative)
Re:Do not use Outlook, etc. (Score:2)
Re:Do not use Outlook, etc. (Score:1)
I love the ability to block remote images in Mozilla Mail... of course that is something that I don't have to worry about when using Mutt
Re:Do not use Outlook, etc. (Score:5, Insightful)
Sobig didn't use any exploits. It was just a plain old
This behaviour is the same in Thunderbird and other windows mail clients. It's even the same [perl.org] in Apple's Mail.app.
Don't be a bigot and assume you're immune because you don't run Outlook.
Re:Do not use Outlook, etc. (Score:2)
Using an application that stores its address book in a different manner at least prevents it from spreading, to some degree, no?
Re:Do not use Outlook, etc. (Score:2)
You are wrong, he said smugly. (Score:1)
I am in fact immune to sobig, because I don't run Outlook, and therefore have no Outlook address book.
So, you are fundamentally incorrect and should not be modded INSIGHTFUL. Moderators take note.
Your link makes the same mistake. It doesn't call people bigots, though.
Do the experiment for real next time instead of constructing a faulty simulation.
Re:You are wrong, he said smugly. (Score:2)
Congratulations; you're horribly, horribly wrong, and were rude about it.
Sobig downloads code from a website and executes it. It copies itself into your startup folder and adds itself to the registry so it will execute every time you log in. It looks on the network for open C: shares to infect. It identifies you as being infected to an ICQ address.
After all that (well, after most of it, before some), it
More smugness. (Score:1)
Why are you assuming I'm running windows? Why are you assuming I let random code claw its way out of my firewalls? Why do you think I allow open smb shares to exist in my vicinity?
But you are right, I was rude, because I felt the FUD factor of the original post warranted it.
And incidentally, you should specify which sobig you are talking about. The next one's due out rather soon, and we don't know what it will do yet.
Perhaps it will eve
Re:More smugness. (Score:2)
No, I shouldn't, because you didn't. You were talking about the entire corpus of Sobig. What I should have done is added a "sometimes". I apologize for the omission.
Re:Do not use Outlook, etc. (Score:1)
Sobig - 50% of our mail traffic. (Score:3, Interesting)
We're a small (100 person) company that averages about 4,000 internet emails a week (excluding spam, which adds another 1,500 - 2,500 / wk). Since SoBig we've seen our traffic levels increase 50%. I've had 5,700 + SoBig mails since the start of the outbreak.
This isn't a problem for us (aside from annoying antivirus messages) as our bandwidth and mailservers can easily handle it, but I know some big companies had to shut down their internet-facing mail gateways due to the increase in volume. I suspect the more well-known your domain is, the worse it is.
However, for AOL and Earthlink to blacklist you based on false 'From:' entries is just stupid. Are you sure they've blacklisted you?
Re:Sobig - 50% of our mail traffic. (Score:5, Interesting)
Re:Sobig - 50% of our mail traffic. (Score:2)
http://www.while.homeunix.net/mailstats/ [homeunix.net]
Re:Sobig - 50% of our mail traffic. (Score:1)
Re:Sobig - 50% of our mail traffic. (Score:2)
That's almost exactly the same size as us, but our mailstats show Sobig is 2.03% of our traffic.
I wonder why we have such a huge disparity?
Easy! (Score:1)
Secondly, and more seriously, email providers should have virus scanning on their servers, so even if someone out there is infected, their virus messages are cleaned before the users see it, which will help keep the infection from spreading.
Finally, all end users should be following safe computing practices. This includes making sure that you have up to date virus protection as well as being smart about your email, such as not opening myster
Best fix so far.... (Score:5, Informative)
Re:Best fix so far.... (Score:5, Interesting)
According to Symantec [symantec.com], SoBig uses its own SMTP engine to propagate. And according to my analyses of the headers, it appears that it attempts direct-to-MX sending.
This gives you two advantages.
First off, it means that the first Received: header in the mail will contain the IP address of the infected machine. This will give you enough information to inform the ISP (who can then inform his customer) if you're so inclined. Or at minimum, you have an address you can temporarily block until the storm dies down.
The second advantage is that you can keep it from spreading beyond your own network if you block your customers from port 25 (and force them to send all mail through your mail server.) While this may annoy a few customers, most probably won't even notice, and it will keep any infected customers from spreading the virus to the rest of the world.
Unfortunately, there's nothing you can do about all the bounces caused by other people that are spewing the virus with forged headers. I found that (for myself, anyway), the easiest way is to mark the bounces as spam with Mozilla, and let the Bayesian filtering move them out of my way. But this doesn't do much good if you're looking to protect a mail server.
Re:Best fix so far.... (Score:2)
Fucking Spammers (Score:4, Insightful)
Maybe we should just start suing the companies that use Spammers. (Some will deny knowledge of any spamming but ignorance of who is doing your advertising is no excuse IMO.)
Replace SMTP (Score:2)
Re:Replace SMTP (Score:2)
I do, and my news drop email address doesn't get as much spam as you might think. mind you, I get lots of spam in general, but not very much to my news drop
dave
Re:Fucking Spammers (Score:2)
It kills me. My mother is on the lagging end of the computer adoption trend. I'd love to get her to start using email. But how can I explain to her that she's going to have to make work for herself every day, viewing subject titles for legitimate mail that got caught by the filters, and selecting/teaching the Bayesian filter which email it should have caught, and what email it shouldn't have trashed? And for what, one legitimate email per week?
50 per hour? (Score:1)
One of our users here had his email address in the documentation of a widely distributed utility - ghostscript. Personally, he was getting more than 10,000 messages per day.
Block non-FQDN HELO (Score:3, Informative)
Sure, the next virus might be more RFC compliant but it stops this one. We already require FQDN EHLO to reduce spam so sobig didn't make it past our mail server.
As a bonus, sobig seems to connect directly to the recipient's MX so simply rejecting the message (as opposed to accepting a message and generating a bounce) reduces the overall impact on the network.
If you don't HELO with a FQDN then you aren't "speaking" SMTP so don't expect my SMTP server to communicate with you.
If you are running a corporate network where users shouldn't be making direct SMTP connections, filter outbound port 25 and use an IDS/log checking to see if someone inside has gotten infected.
Re:Block non-FQDN HELO (Score:2, Informative)
It could indeed be a very bad thing to block mail when the user doesn't HELO with an FQDN, as many mail clients including, I believe, Outlook, HELO as ot
Re:Block non-FQDN HELO (Score:3, Informative)
3.6 Domains
The domain name given in the EHLO command MUST BE either a primary host name (a domain name that resolves to an A RR) or, if the host has no name, an address literal as described in section 4.1.1.1
Unless your computer's netbios name is something like [12.34.56.78] then it probably fails to meet every possible
Re:Block non-FQDN HELO (Score:4, Informative)
As for Outlook or any other mail CLIENT, you should be using SMTP AUTH. If they are NOT authenticated, and don't come from the local network, then you shouldn't have any problem blocking bad HELOs that are not FQDN. I use exim rules to do this, but I also maintain a whitelist just in case I run into a moronic company / ISP that refuses to fix their system. Most will.
I also block all HELOs that use an IP address as the hostname. So far this year I have not had any false positives. Most is spam that actually uses MY IP address in the HELO (Of all the nerve!) The RFCs allow IP addresses; in reality, nobody but spammers use them as the HELO hostname.
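The HELO policy described in this thread (SMTP AUTH and local-network exemptions first, a whitelist for broken senders, reject address literals and anything that is not an FQDN), written out as an added Python example rather than the poster's exim rules; the netblock, whitelist entry and host names are constructed:

```python
import ipaddress
import re

# Hostname label syntax (RFC 1035); an FQDN needs at least two labels.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
FQDN_RE = re.compile(rf"^(?:{LABEL}\.)+{LABEL}\.?$")
LITERAL_RE = re.compile(r"^\[(?:IPv6:)?([^\]]+)\]$")   # RFC 2821 4.1.1.1 address literal

# Assumed policy inputs (constructed): our own netblocks, and senders whose
# broken HELO we tolerate because they refuse to fix it.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
WHITELIST = {"mail.badly-configured.example"}

def is_address_literal(helo):
    """True for a bracketed IPv4/IPv6 literal such as [203.0.113.5]."""
    m = LITERAL_RE.match(helo)
    if not m:
        return False
    try:
        ipaddress.ip_address(m.group(1))
        return True
    except ValueError:
        return False

def helo_decision(helo, peer_ip, authenticated=False, allow_literals=False):
    """Return ('accept'|'reject', reason) for an EHLO/HELO argument.
    Authenticated clients and hosts on our own networks may HELO with whatever
    their mail client sends. Everyone else must present an FQDN (RFC 2821 3.6).
    Address literals are RFC-legal, so they are accepted only when
    allow_literals is set; the policy above rejects them outright."""
    if authenticated:
        return "accept", "authenticated client"
    peer = ipaddress.ip_address(peer_ip)
    if any(peer in net for net in LOCAL_NETS):
        return "accept", "local network"
    helo = helo.strip()
    if helo.lower().rstrip(".") in WHITELIST:
        return "accept", "whitelisted host"
    if is_address_literal(helo):
        return ("accept", "address literal") if allow_literals else ("reject", "bare IP literal in HELO")
    # A dotted quad without brackets ("203.0.113.5") looks like labels; a TLD
    # is never all digits, so that check keeps bare IPs out of the FQDN path.
    if FQDN_RE.match(helo) and not helo.rstrip(".").split(".")[-1].isdigit():
        return "accept", "fqdn"
    return "reject", "HELO is not a fully qualified domain name"
```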
AOL Blacklisting (Score:2)
I've got the same problem - can't fix from my end (Score:2, Informative)
Re:I've got the same problem - can't fix from my e (Score:1, Insightful)
Re:I've got the same problem - can't fix from my e (Score:1)
Use Message-ID? (Score:3, Interesting)
Re:Use Message-ID? (Score:2)
That's why I said to check the Message-ID in the bounce to make sure it was a message which was sent.
You need to know when you misaddress a message, don't you?
No. I don't. I block bounces.
Re:Use Message-ID? (Score:3, Informative)
Ah, the communications equivalent of Plug-and-Pray.
Re:Use Message-ID? (Score:2)
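The check proposed in this thread (and in the "Filters! - A Solution" post above): accept a bounce only if it quotes a Message-ID our server actually sent, otherwise it is backscatter from a forged From:. Added Python example, not code from any poster; the sent-ID set and the sample DSNs are constructed:

```python
import email
import re

# Constructed sample: Message-IDs our own MTA really handed off (in practice,
# taken from the MTA log). A "bounce" quoting any other ID is backscatter.
SENT_IDS = {"<20030822.1234.sales@example.org>"}

MSGID_RE = re.compile(r"^Message-ID:\s*(<[^>]+>)", re.I | re.M)

def make_dsn(returned_headers):
    """Build a constructed multipart/report DSN quoting the given original headers."""
    return (
        "From: MAILER-DAEMON@mail.example.net\nTo: sales@example.org\n"
        "Subject: Delivery Status Notification (Failure)\n"
        "Message-ID: <dsn-1@mail.example.net>\nMIME-Version: 1.0\n"
        'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n\n'
        "--b1\nContent-Type: text/plain\n\n5.1.1 user unknown\n"
        "--b1\nContent-Type: text/rfc822-headers\n\n" + returned_headers + "\n--b1--\n"
    )

def original_message_ids(bounce_text):
    """Collect Message-IDs quoted inside the DSN (text/rfc822-headers, an
    embedded message/rfc822, or plain text), ignoring the DSN's own top-level
    Message-ID."""
    msg = email.message_from_string(bounce_text)
    ids = set()
    for part in msg.walk():
        if part is msg:
            continue
        if part.get("Message-ID"):            # embedded message/rfc822 part
            ids.add(part["Message-ID"].strip())
        if part.get_content_maintype() == "text":
            body = part.get_payload(decode=True) or b""
            ids.update(MSGID_RE.findall(body.decode("latin-1")))
    return ids

def classify_bounce(bounce_text, sent_ids=SENT_IDS):
    """'genuine' if the DSN quotes a Message-ID we actually sent, else
    'backscatter' (a DSN quoting no original headers at all counts as backscatter)."""
    return "genuine" if original_message_ids(bounce_text) & sent_ids else "backscatter"

GENUINE_DSN = make_dsn("From: Sales <sales@example.org>\nTo: nobody@example.net\n"
                       "Message-ID: <20030822.1234.sales@example.org>")
FORGED_DSN = make_dsn("From: Sales <sales@example.org>\nTo: victim@example.net\n"
                      "Message-ID: <000a01c3@oemcomputer>")
```

Misaddressed mail you really sent still bounces normally, since its Message-ID is in the sent set; only bounces for mail you never sent are dropped.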
Easy. (Score:2)
Microsoft free since February, 1997.
Re:Easy. (Score:2)
As big a supporter as I am of non-MS systems, I have to say that I'm getting "bounces" for email addresses to my domain that no longer exist and have never used windows. The problem being that the virus uses peoples' address books to find new targets. Because of this, even if you aren't infected, you get affected.
I have emails from around the world telling me that "my email" failed to arrive because it was a virus and the bounce contains the freaking virus itself!
Admins should be setting their systems to
Outlook Virus: Get it right (Score:1)
Email Virus: Get it right (Score:5, Informative)
It uses an efficient multi-threaded internal mail engine that uses any available mail addresses it can find on your system (browser cache, address book -- which Domino will register itself as too, etc).
It spreads because people are generally stupid and will open up attachments.
Outlook is not needed. It can even spread if you are using webmail.
Wouldn't they filter on IP rather than the from? (Score:1)
If they're filtering you, double check you're not infected with it perhaps? (And you're not an open relay and all those other normal things.) (You do virus scan incoming and outgoing emai
MailScanner, Clam, and SpamAssassin (Score:1)
Price? Zero. Zip. Nada. Clam Antivirus is free, as are the other two programs. Can't beat it. I can't understand why people spend hundreds of dollars on spam and virus programs when this is so effective. Spread the word
Clam's not a bad choice (Score:1)
Clam is also not the most resource efficient or scalable AV solut
Re:Clam's not a bad choice (Score:2)
I think you'll find that 90% of those are so old (e.g. not being able to run under Win95+, or work by infecting things that are now absent in Windows, etc.) that you needn't worry about them.
The number of signatures in an AV database isn't really the issue. It's whether it's up to date with the current ones that counts.
True, clam doesn't do polymorphic checks and stuff, but how many times have you seen a virus blocked by a polymorphic check? Once? Twice in a millio
Re:Clam's not a bad choice (Score:1)
You're quite right that overall count doesn't matter quite as much, however I'd not say that not having old patterns is unimportant. Just because it won't run on NT/2k/XP doesn't mean it's not important to protect against. I have customers hitting my mail servers who still run truly ancient Windows versions, and they deserve protection too.
I haven't
Re:Clam's not a bad choice (Score:2)
Well, considering that Clam's virus database is a text file, and it comes with a tool to generate signatures for whatever files you'd like to see blocked...
What I do ... (Score:3, Interesting)
Now, once the SoBig hit, I made a separate rule to catch just those files. No notifications were sent. It parked them for 4 days then deleted them. In that time, I've written a small script** that parses the header of all parked files every morning at 7:45am. It grabs the IP# of the originating computer and tosses it into a spreadsheet. Once it has done all parked messages, it tallies them up and sorts them by the most common appearing numbers. Then, when I get in at 8am, I do a WhoIs [arin.net] lookup on the IP as well as an nslookup. I try and contact the owner of the netblock and notify them that they have a computer infected with SoBig on their network and it is attacking us. I have yet to have anyone that hasn't co-operated fully (though, Comcast took a bit of prodding). My worst case was a 3 day period where a single cable modem user in Philadelphia on Comcast.net sent us ~13,000 Sobigs a day. Just this morning I had to contact an ISP/Network Security company in NYC to have a machine there cleaned.
I know it's not my responsibility to see that other people clean their machines, but it is affecting our productivity at work. At the height of the infestation, we were receiving over 28,000 SoBig viruses a day. At ~100Kb each, it was causing massive delays in the mail queue. Keep in mind that most people don't even realize they are infected with it, so they need to be notified so that they can clean it.
-Ab
ps. The script is fairly simple because the built-in mail transfer agent in SoBig is basic (though I was impressed at the spoofed header field, X-MailScanner: Found to be clean, that says it's been checked by SpamAssassin(?) and is not Spam). If anyone is interested in the script (it is a VB executable, but I can send the source code or pseudo-code so it can be recreated in perl/python) let me know.
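A Python sketch of the tallying described in this post and in the "Best fix so far" reply above (pull the connecting host's IP out of the Received: line our own MX wrote, then count by frequency). This is an added example, not Ab's VB script; the MX hostname and the parked messages are constructed. One refinement over "the first Received: header": only the line written by our own server is trusted, since the worm can supply fake Received: lines of its own, which always sit below the real one.

```python
import email
import re
from collections import Counter

OUR_MX = "mx.example.org"       # assumed hostname of our own mail exchanger
BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(raw_message):
    """Return the peer IP our MX recorded for this message, or None.
    Received: lines are prepended hop by hop, so the topmost line naming our
    MX is the one our server wrote when the sender connected; anything below
    it arrived inside the message and may be forged, so it is never used."""
    msg = email.message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        line = " ".join(received.split())             # unfold continuation lines
        if f" by {OUR_MX}" in line.lower():
            m = BRACKET_IP_RE.search(line)
            return m.group(1) if m else None
    return None

def tally_sources(raw_messages):
    """Count originating IPs over a batch of parked messages, most frequent first."""
    counts = Counter(ip for ip in map(originating_ip, raw_messages) if ip)
    return counts.most_common()

def _parked(ip, extra=""):
    """Constructed parked worm message (headers only) with a Postfix-style Received line."""
    return (f"Received: from oemcomputer (unknown [{ip}]) by {OUR_MX} (Postfix) "
            f"with SMTP id 7A1B2; Fri, 22 Aug 2003 07:45:00 -0400\n{extra}"
            "From: someone@example.com\nTo: user@example.org\nSubject: Re: Details\n\n")

SAMPLE_MESSAGES = [
    _parked("203.0.113.77"),
    _parked("198.51.100.9"),
    # worm-supplied fake hop below our real line, claiming a different source
    _parked("203.0.113.77", f"Received: from relay.example.net (relay.example.net [192.0.2.1]) by {OUR_MX} with ESMTP\n"),
    # message that never passed through our MX: no trusted hop, so no source
    "Received: from laptop (laptop [10.0.0.5]) by internal.example.org\nFrom: a@example.org\n\n",
]
```

The sorted list is what you would feed to the WhoIs/nslookup step; in the sample the 203.0.113.77 host comes out on top with two messages.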
Make your mail server robust (Score:2, Interesting)
SMTP port redirection (Score:2)