Larry,
I suggest using an SMTP proxy, preferably one that scans for malware,
for all inbound and outbound SMTP traffic. We use McAfee's e500
appliances. All outbound SMTP is blocked at the firewall if it doesn't
originate from our proxy. Worms and such will not use the proxy, but
pre-authorized connections are configured to use it. Some administration
is required to maintain lists of authorized connections, and correctly
configure clients, but it does solve the problem. We gain the added
benefit of perimeter mail virus blocking, spam blocking, attachment and
content filtering, etc..
- Dan
Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
It is often easier to not do something dumb than it is to do something
smart.
-- Marcus Ranum
"Erdahl, Larry E" <Larry.Erdahl@allina.com> 10/12/2005 8:31:06 AM
Over the past month we've been blacklisted by Spamhaus several times
because of infected workstations and laptops (contractors and
consultants) sending out mass mailings.
My management doesn't want to block port 25 because we have a handful
of
physicians who are using POP mail. Does anyone know of an IDS, IPS,
firewall, router ACLs, etc... that will block outgoing SMTP traffic,
based on abnormal traffic volume?
Thanks in advance!
Larry E. Erdahl
IS Security Specialist
Allina Hospital & Clinics
Office (612)775-1273
Cell (612)804-7324
larry.erdahl@allina.com
This message contains information that may be confidential and
privileged. Unless you are the addressee (or authorized to receive for
the addressee), you may not use, copy or disclose to anyone the message
or any information contained in the message. If you have received the
message in error, please advise the sender by reply e-mail and delete
the message.
