Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
Security Spam

Defending Your Mail Server? 72

Posted by Cliff from the battening-down-the-hatches dept.
soren42 asks: "I've been a casualty of war in the latest round of SoBig battles. Apparently, some of my user's e-mail addresses were in the address books of infected Outlook clients, and spam is now being circulated appearing to come from my domain. I'm getting almost 50 'Message Undeliverable' errors per hour, and I think I've been blacklisted from AOL and Earthlink. I know there are plenty of you are having this problem - how are you dealing with it?" Email viruses, once urban legends, have now become a real threat to certain people. What active measures can users (both vulnerable and non-vulnerable to such things) take to lower the propagation rate of such viruses across the internet?
This discussion has been archived. No new comments can be posted.

Defending Your Mail Server? More

Defending Your Mail Server?

Comments Filter:
  • I think I've been blacklisted from AOL and Earthlink.

    You're complaining about this?

    In all seriousness, if you're getting blacklisted because of Sobig mails, then you're really better off without dealing with those people.
    • AOL is a complete bitch when it comes to blacklisting servers without cause.

      For some fun, and hours of free muzac, call and try to walk them through whitelisting a server that's in a blacklisted ip block. Be sure to use "big words" like "SMTP" and "whitelist." (Preparing a TCP/IP firewall example that involves cartoon characters might help you get results sooner.)
  • The real solution to this problem is built-in virus filtering (with hourly updates). Every pieve of mail going through our server is spam and virus checked. The result? about 50000 blocked virus-emails since August 16th this year, and not a single problem with our users. And the cost is only a few hundred bucks per year.
    • No, you don't understand. People at our (well my) site didn't get sobig as we were filtering. However, others who get it have our users in their address books, and the sobig gets sent out with one of those emails address in the "from" field.

      So our users get bouncebacks from non-valid emails, virus and filtering software that really aren't valid.
      • This is a problem for me as well (as a user). I happen to have a couple of job duties that make me on a lot of email books. I get message undeliverable bounces all the time. I filter it at the client level(with Mozilla), and I am quite happy with that.

        -Sean
      • Oh I see. Well really that means whatever anti-virus software is sending bounces is broken, because Sobig forges From: addresses. However I've never heard of someone getting blacklisted because of this?
      • There is actually a way to block this kind of thing using procmail and a copy of a valid message sent by the user or some information from their mail program settings. Here is why:

        - The bounce back messages will always contain an SMTP status code like 5.1.1 (for user unknown).

        - If the message that caused the bounce back really originated from the user, then the bounce back message will contain the user's Display Name as set in his or her email program (often Outlook Express). The display name can also b

      • Here's some procmail filters that will at least help. They won't catch everything, but do make a big difference.

        #1 -- this will catch anything with the "MailScanner" header that sobig uses.
        #del sobig worms & sobig worm notifications :0h:
        * ^X-MailScanner\: Found to be clean$
        * ^X-Mailer: Microsoft Outlook
        #/dev/null
        $BACK/sobig_worms

        #2
        This one moves ALL bounces to a specific address (help@domain.com) to a folder.
        Note that this is not a very good idea, but is helpful if you have 1 or 2 addresses that are r
    • Hi -

      How about a pointer to the filtering/spam blocking service you have in place. I would like to get this for my server.

      Yours,

      Jordan
  • But I'm not sure about blacklisting -- perhaps we have been blacklisted by Yahoo come to think of it. I work for a television station and a lot of our on-air talent get 50+ a day.

  • Do not use Outlook, etc. (Score:3, Interesting)

    by PeteyG ( 203921 ) on Friday September 05, 2003 @03:50PM (#6882311) Homepage Journal
    My friend was complaining about getting spam and viruses yesterday, so I told him where to get Thunderbird. He wasn't very tech-savvy, but with a few words of help from me he was up and running in a matter of minutes.

    Seriously. Pushing non Microsoft email clients on your users (politely, anyways) is the way to go.

    • Re:Do not use Outlook, etc. (Score:4, Informative)

      by questionlp ( 58365 ) on Friday September 05, 2003 @04:24PM (#6882588) Homepage
      Don't forget that there are mail clients (iirc - Eudora is one) that use the HTML rendering component used by IE. Which means that the mail client is just as vulnerable as Outlook Express or Outlook if the user's IE install is not up to date.
      • Yes, that is why you should use Netscape 7+ / Mozilla 1+ / Thunderbird 0.2 for your emails. Both Mozailla nad Thunderbird allows you to disable remote loading of images and or sending/receiving cookies from your email, on top they use the more-standard-complaint Gecko engine to display your HTML emails (and also have HTML to text transcoder extensions for both of them). I am not so sure about Netscape (I don't use that), but AOL might have made them disavle above features. At anyrate no ActiveX crap can mak
        • For my home e-mail, I rarely use a mail client directly under Windows anyway. I normally SSH into my home server and use Mutt. If need be, I'll use Mozilla Mail or Sylpheed for Windows. I already have my mother using Mozilla for both her e-mail and web browsing and hid both IE and Outlook Express on her machine.

          I live the ability to block remote images in Mozilla Mail... of course that is something that I don't have to worry about when using Mutt ;)

    • Re:Do not use Outlook, etc. (Score:5, Insightful)

      by Matts ( 1628 ) on Friday September 05, 2003 @06:43PM (#6883898) Homepage
      This is a common misconception by geeks who are smug because they didn't get infected with Sobig.

      Sobig didn't use any exploits. It was just a plain old .EXE attached to an email. Outlook prompted the user when they tried to run it telling them that exes often contain viruses. But they still ran it.

      This behaviour is the same in Thunderbird and other windows mail clients. It's even the same [perl.org] in Apple's Mail.app.

      Don't be a bigot and assume you're immune because you don't run Outlook.
      • Doesn't sobig use outlook's address book to spread via email though?

        Using an application that stores it's address book in a different manner at least prevents it from spreading, to some degree, no?
      • Sobig exploits the known location of the Outlook address book, and uses that as a source of addresses for both target and false-source.

        I am in fact immune to sobig, because I don't run Outlook, and therefore have no Outlook address book.

        So, you are fundamentally incorrect and should not be modded INSIGHTFUL. Moderators take note.

        Your link makes the same mistake. It doesn't call people bigots, though.

        Do the experiment for real next time instead of constructing a faulty simulation.
        • I am in fact immune to sobig, because I don't run Outlook, and therefore have no Outlook address book.

          Congratulations; you're horribly, horribly wrong, and were rude about it.

          Sobig downloads code from a website and executes it. It copies itself into your startup folder and adds itself to the registry so it will execute every time you log in. It looks on network for open C: shares to infect. It identifies you as being infected to an ICQ address.

          After all that (well, after most of it, before some), it

          • You're immune to one part of it. You're not immune to the rest.

            Why are you assuming I'm running windows? Why are you assuming I let random code claw its way out of my firewalls? Why do you think I allow open smb shares to exist in my vicinity?

            But you are right, I was rude, because I felt the FUD factor of the original post warranted it.

            And incidentally, you should specify which sobig you are talking about. The next one's due out rather soon, and we don't know what it will do yet.

            Perhaps it will eve

            • And incidentally, you should specify which sobig you are talking about.

              No, I shouldn't, because you didn't. You were talking about the entire corpus of Sobig. What I should have done is added a "sometimes". I apologize for the omission.
      • Can I just be a bigot and assume win32 based executables won't exec on linux? ;)

  • Sobig - 50% of our mail traffic. (Score:3, Interesting)

    by MightyTribble ( 126109 ) on Friday September 05, 2003 @03:52PM (#6882345)

    We're a small (100 person) company that averages about 4,000 internet emails a week (excluding spam, which adds another 1,500 - 2,500 / wk). Since SoBig we've seen our traffic levels increase 50%. I've had 5,700 + SoBig mails since the start of the outbreak.

    This isn't a problem for us (aside from annoying antivirus messages) as our bandwidth and mailservers can easily handle it, but I know some big companies had to shut down their internet-facing mail gateways due to the increase in volume. I suspect the more well-known your domain is, the worse it is.

    However, for AOL and Earthlink to blacklist you based on false 'From:' entries is just stupid. Are you sure they've blacklisted you?
  • First of all, use software that is more secure that microsoft's.

    Secondly, and more seriously, email providers should have virus scanning on their servers, so even if someone out there is infected, their virus messages are cleaned before the users see it, which will help keep the infection from spreading.

    Finally, all end users should be following safe computing practices. This includes making sure that you have up to date virus protection as well as being smart about your email, such as not opening myster

  • Best fix so far.... (Score:5, Informative)

    by hawkbug ( 94280 ) <psx@fWELTYimble.com minus author> on Friday September 05, 2003 @03:58PM (#6882394) Homepage
    The best fix I have found so far is to analyze all those "fake" messages, appearing to come from you to other people, and even the messages flooding into some of your user's inboxes. I found that that I was getting about 200+ messages an hour, to several mailboxes. The good thing I discovered about these is that they call came from the same cable modem-based ip address. So, the easy and obvious solution - add the ip to /etc/hosts.deny. Also, add the ip to your firewall to get denied, and to /etc/mail/access. Even if you don't use Linux (sendmail more specifically) for your mail server, you can also block incoming traffic in Exchange 2K. We did that as well. Soon after I did that, the generic bounce back messages stopped, and all was well again.

    • Re:Best fix so far.... (Score:5, Interesting)

      by shamino0 ( 551710 ) on Friday September 05, 2003 @05:13PM (#6883076) Journal
      In the case of SoBig, you've got an advantage that you don't necessarily get from other worms.

      According to Symantec [symantec.com], SoBig uses its own SMTP engine to propagate. And according to my analyses of the headers, it appears that it attempts direct-to-MX sending.

      This gives you two advantages.

      First off, it means that the first Received: header in the mail will contain the IP address of the infected machine. This will give you enough information to inform the ISP (who can then inform his customer) if you're so inclined. Or at minimum, you have an address you can temporarily block until the storm dies down.

      The second advantage is that you can keep it from spreading beyond your own network if you block your customers from port 25 (and force them to send all mail through your mail server.) While this may annoy a few customers, most probably won't even notice, and it will keep any infected customers from spreading the virus to the rest of the world.

      Unfortunately, there's nothing you can do about all the bounces caused by other people that are spewing the virus with forged headers. I found that (for myself, anyway), the easiest way is to mark the bounces as spam with Mozilla, and let the Baysian filtering move them out of my way. But this doesn't do much good if you're looking to protect a mail server.

      • Yes, that's a great idea about keeping port 25 blocked for all machines except the mail servers. Just think - if everybody did that, this worm would have been dead right out the door.

  • Fucking Spammers (Score:4, Insightful)

    by Goo.cc ( 687626 ) * on Friday September 05, 2003 @04:00PM (#6882403)
    The usefulness of E-Mail is slowly being destroyed by Spammers. There has been a few times now that I couldn't either send or receive an e-mail because of blackholes and I get more spam everyday. Is there anything new on the horizon to prevent spam? Laws, Filters, Blackholes, and Whitelists seem unable to do anything about this problem.

    Maybe we should just start suing the companies that use Spammers. (Some will deny knowledge of any spamming but ignorance of who is doing your advertising is no excuse IMO.)
    • I really don't think the problem will ever go away until SMTP is replaced with something that requires validation, etc. The problem is that SMTP (and many other standard protocols that have been around for many years) were pretty much designed with the assumption that all users would "play nice". Remember NNTP (news) "Netiquette" that said to put your email in each post you make? Who does that anymore?
      • Remember NNTP (news) "Netiquette" that said to put your email in each post you make? Who does that anymore?

        I do, and my news drop email address doesn't get as much spam as you might think. mind you, I get lots of spam in general, but not very much to my news drop

        dave

    • It kills me. My mother is on the lagging end of the computer adoption trend. I'd love to get her to start using email. But how can I explain to her that she's going to have to make work for herself every day, viewing subject titles for legitimate mail that got caught by the filters, and selecting/teaching the baysian filter which email it should have caught, and what email it shouldn't have trashed? And for what, one legitimate email per week?
  • You lucky bastard.

    One of our users here had his email address in the documentation of a wildly distributed utility - ghostscript. Personaly, he was getting more then 10,000 messages per day.

  • Block non-FQDN HELO (Score:3, Informative)

    by linuxwrangler ( 582055 ) on Friday September 05, 2003 @04:02PM (#6882423)
    RFC2821 requires the HELO/EHLO to be fully qualified. Most (all??) sobig EHLO with the Windows netbios name.

    Sure, the next virus might be more RFC compliant but it stops this one. We already require FQDN EHLO to reduce spam so sobig didn't make it past our mail server.

    As a bonus, sobig seems to connect directly to the recepients MX so simply rejecting the message (as opposed to accepting a message and generating a bounce) reduces the overall impact on the network.

    If you don't HELO with a FQDN then you aren't "speaking" SMTP so don't expect my SMTP server to communicate with you.

    If you are running a corporate network where users shouldn't be making direct SMTP connections, filter outbound port 25 and use an IDS/log checking to see if someone inside has gotten infected.

    • Re:Block non-FQDN HELO (Score:2, Informative)

      by mrex ( 25183 )
      Unfortunately, also according to RFC 2821, a mail server must not reject a message based on the contents of the HELO/EHLO. I break RFC and reject the message only when the user tries to HELO as the IP/hostname of our mail server as this is naught but a spammer tactic to try and get messages whitelisted. (Older SpamAssassins will whitelist based on HELO...)

      It could indeed be a very bad thing to block mail when the user doesn't HELO with an FQDN, as many mail clients including, I believe, Outlook, HELO as ot
      • Um, not exactly. It actually says that you must not reject a message just because the EHLO doesn't resolve to the connecting IP. You can't even get that far if you violate section 3.6:

        3.6 Domains ...
        The domain name given in the EHLO command MUST BE either a primary host name (a domain name that resolves to an A RR) or, if the host has no name, an address literal as described in section 4.1.1.1

        Unless your computer's netbios name is something like [12.34.56.78] then it probably fails to meet every possible

      • Re:Block non-FQDN HELO (Score:4, Informative)

        by walt-sjc ( 145127 ) on Friday September 05, 2003 @09:58PM (#6884956)
        What you are not supposed to do is reject AT the HELO. It's perfectly fine to reject at RCPT (which is the best spot since it universally works with all MTA's.)

        As for Outlook or any other mail CLIENT, you should be using SMTP AUTH. If they are NOT authenticated, don't come from the local network, then you shouldn't have any problem blocking bad HELO's that are not FQDN. I use exim rules to do this, but I also maintain a whitelist just in case I run into a moronic company / ISP that refuses to fix their system. Most will.

        I also block all HELO's that use an IP address of the hostname. So far this year I have not had any false positives. Most is spam that actually uses MY IP address in the HELO (Of all the nerve!) The RFC's allow IP addresses, reality is that nobody but spammers use them as the HELO hostname.

  • AOL blocks e-mail from servers that come from the mail servers of customers that use comcast, AT&T BroadBand, RoadRunner, and other broadband companies. I guess spammers were just setting up broadband accounts and spamming from them. Which is probably better than just exploiting insecure mail servers of unsuspecting victoms. But never the less, it has nothing to do with any sort of "email attack" or the like.
  • nobody in my network (me and my wife) use outlook, and we're tucked safely behind a firewall. I've added about 10 DSL ips to my blacklist, but there is nothing I can do to prevent the spoofed outgoing messages from some other network. I'm still getting bounced email 'returned' to me that I never sent.

  • Use Message-ID? (Score:3, Interesting)

    by anthony_dipierro ( 543308 ) on Friday September 05, 2003 @04:15PM (#6882520) Journal
    Can't sendmail be set up to check the Message-ID and make sure that it is an ID which was actually sent? Alternatively, just block "Message Undeliverable" messages.
  • "how are you dealing with it?"

    Microsoft free since February, 1997.

    • As big a supported as I am of non-MS systems, I have to say that I'm getting "bounces" for email addresses to my domain that no longer exist and have never used windows. The problem being that the virus uses peoples' address books to find new targets. Because of this, even if you aren't infected, you get affected.

      I have emails from around the world telling me that "my email" failed to arrive because it was a virus and the bounce contains the freaking virus itself!

      Admins should be setting their systems to

  • This virus is a MS Outlook virus, not an email virus. If you made your users use an actually secure email program, you wouldn't have these problems. Something like Novell Groupwise or Lotus Domino would work.

    • Email Virus: Get it right (Score:5, Informative)

      by cmowire ( 254489 ) on Friday September 05, 2003 @07:58PM (#6884391) Homepage
      Actually, it's an email virus, not an Outlook virus.

      It uses a efficent multi-threaded internal mail engine that uses any available mail addresses it can find on your system (browser cache, address book -- which Domino will register itself as too, etc).

      It spreads because people are generally stupid and will open up attachments.

      Outlook is not needed. It can even spread if you are using webmail.
  • I would imagine (well, hope) that ComCast and AOL are filtering by IP Address rather than by domain from. (Either the From: header or the SMTP sender.) I'm hope the mail admins there know full well that from addresses in email are trivially faked. (And usually are in the case of spam and today's mass-mailing viruses.)

    If they're filtering you, double check you're not infected with it perhaps? (And you're not an open relay and all those other normal things.) (You do virus scan incoming and outgoing emai
  • I run the three systems above (they all interact) on my server, and just on my personal account I've been filtering out 150 spam messages a day. Hundreds of viruses are being wiped on a daily basis.

    Price? Zero. Zip. Nada. Clam Antivirus is free, as are the other two programs. Can't beat it. I can't understand why people spend hundreds of dollars on spam and virus programs when this is so effective. Spread the word :-)
    • Clam's a nice engine and all, but look at the total number of viruses it recognizes. As of right this moment, its 9568 when using viruses.db and viruses.db2. The less than stellar commercial solution I use for now (rav antivirus) has definitions for just shy of 69K. That's a large difference. Better commercial engines include even more, along with sophisticated code for catching polymorphic viruses and as yet unseen variants of older viruses.

      Clam is also not the most resource efficient or scalable AV solut

      • > has definitions for just shy of 69K

        I think you'll find that 90% of those are so old (e.g. not being able to run under Win95+, or work by infecting things that are now absent in Windows, etc.) that you needn't worry about them.

        The number of signatures in an AV database isn't really the issue. It's whether it's up to date with the current ones that counts.

        True, clam doesn't do polymorphic checks and stuff, but how many times have you seen a virus blocked by a polymophic check? Once? Twice in a millio
        • Actually, I've seen a few lately from the polymorphic checks, and even more from the so-called heuristics that RAV has that detect new variants of old viruses.

          You're quite right that overall count doesn't matter quite as much, however I'd not say that not having old patterns is unimportant. Just because it won't run on NT/2k/XP doesn't mean its not important to protect against. I have customers hitting my mail servers who still run truly ancient Windows versions, and they deserve protection too.

          I haven't

  • What I do ... (Score:3, Interesting)

    by Abm0raz ( 668337 ) on Monday September 08, 2003 @02:57PM (#6902634) Journal
    I work for a medium sized Engineering & Telecommunications firm (>500 employees all over the east coast). I have a mail filter set up on an intermediate MTA to catch all executable files. This includes .PIF, .BAT, .SCR, .EXE, .COM, etc. When a file of this type comes in, it is parked in a holding folder for 7 days. A notification message is sent to the recipient and back to the sender (I, know this sucks, but bear with me a second) with instructions on how to send another email back with a release code in the subject. When the message with the release code is received by the MTA, it continues delivering the original email to our actual mail server. If no message is received in 7 days, the original mail is deleted.

    Now, once the SoBig hit, I made a seperate rule to catch just those files. No notifications were sent. It parked them for 4 days then deleted them. In that time, I've written a small script** that parses the header of all parked files every morning at 7:45am. It grabs the IP# of the originating computer and tosses it into a spreadsheet. Once it has done all parked messages, it tally's them up and sorts them by the most common appearing numbers. Then, when I get in at 8am, I do a WhoIs [arin.net] lookup on the IP as well as an nslookup. I try and contact the owner of the netblock and notify them that they have a computer infected with SoBig on their network and it is attacking us. I have yet to have anyone that hasn't co-operated fully (though, Comcast took a bit of prodding). My worst case was a 3 day period where a single cable modem user in Philadelphia on Comcast.net sent us ~13,000 Sobigs a day. Just this morning I had to contact an ISP/Network Security company in NYC to have a machine there cleaned.

    I know it's not my responsibility to see that other people clean their machines, but it is affecting our productivity at work. At the height of the infestation, we were receiving over 28,000 SoBig viruses a day. At ~100Kb each, it was causing massive delays in the mail queue. Keep in mind that most people don't even realize they are infected with it, so they need to be notified so that they can clean it.

    -Ab

    ps. The script is fairly simple because the built in mail transfer agent in the SoBig is basic (Though I was impressed at the spoofed header-field, X-MailScanner: Found to be clean, that says it's been checked by SpamAssasin(?) and is not Spam. If anyone is interested in the script (it is a VB executable, but I can send the source code or psuedo-code so it can be recreated in perl/python) let me know.
  • Many of these viruses rely on the ability to act as a SMTP server on each infected machine, effectively bypassing any AV checks done on their users' MTA. To combat this I personally recommend redirecting tcp/25 (smtp and esmtp) and tcp/587 (mail submission) ports from you users/customer subnets at your border router to your MTA. That way you can force all SMTP traffic to be AV checked. Now this does prevent your users/customers from using an outside MTA. Most properly configured MTAs will reject these r

Slashdot Top Deals

If a thing's worth doing, it is worth doing badly. -- G.K. Chesterton

Close