Network Security Firewalls

Re: Blocking mass mailings caused by viruses

Subject: Re: Blocking mass mailings caused by viruses
Date: Fri, 14 Oct 2005 11:36:29 -0400
I block everything that isn't going to a specific SMTP server. The few viruses that I've seen have all used SMTP servers that are not normally used by the company. (Hard coded into the virus?) In fact, I've noticed two infections based on my outgoing SMTP logs before the user saw them. ("Tom, when was the last time you updated your virus scanner?" "I don't know, Dave. Why?")

Blocking Port 25 will not affect anyone using POP. It will affect outgoing mail, not incoming.

Not knowing what you're using for firewall/router, I can't give specific examples.

You may want to consider setting up an SMTP proxy machine that accepts everyone's e-mail and scans it before forwarding it to the outside world.

DISCLAIMER: I'VE NEVER ACTUALLY DONE WHAT I'M ABOUT TO SUGGEST: You should be able to transparently redirect port 25 traffic to the SMTP proxy using Linux IPTables. (Redirect all port 25 traffic to your proxy.) I'm sure you can do the same thing with other firewalls/routers. This will redirect all virus-generated e-mail as well. A proxy built from Postfix + Amavis-New + ClamAV should be able to scan mail before it leaves the building, stop all mail containing viruses and flag the appropriate admins. I'm pretty sure Postfix can also rate limit outgoing mail as a last line of defense in case something does get past the virus scanning, again flagging admins when it occurs.

Hope this helps
David Nichols

Erdahl, Larry E wrote:

Over the past month we've been blacklisted by Spamhaus several times
because of infected workstations and laptops (contractors and
consultants) sending out mass mailings.
My management doesn't want to block port 25 because we have a handful of
physicians who are using POP mail. Does anyone know of an IDS, IPS,
firewall, router ACLs, etc... that will block outgoing SMTP traffic,
based on abnormal traffic volume?

Thanks in advance!

Larry E. Erdahl
IS Security Specialist
Allina Hospital & Clinics
Office (612)775-1273
Cell (612)804-7324
larry.erdahl@allina.com

-- "The problem is that, when we begin to realize the potential goodness in ourselves, we often take our discovery much too seriously. We might kill for goodness or die for goodness; we want it so badly. What is lacking is a sense of humor. Humor here does not mean telling jokes or being comical or criticizing others and laughing at them. A genuine sense of humor is having a light touch: not beating reality into the ground but appreciating reality with a light touch. The basis of Shambhala vision is rediscovering that perfect and real sense of humor, that light touch of appreciation." Shambhala - The Sacred Path of the Warrior
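Larry's question (blocking outbound SMTP on abnormal volume) and David's remark that he spotted infections in his outgoing SMTP logs point to the same check. The following is an added example, not code from either poster: it runs over constructed netfilter LOG lines for outbound TCP/25 and flags internal hosts that either contact a relay other than the company's approved SMTP server or open more than a set number of SMTP connections within one minute. The "OUT-SMTP" log prefix, the addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of netfilter LOG lines for outbound TCP/25 connection
# attempts seen at the firewall (the "OUT-SMTP" prefix is an assumed log-prefix).
SAMPLE_LOG = """\
Oct 14 11:00:01 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.10 DST=10.1.0.5 PROTO=TCP SPT=40011 DPT=25
Oct 14 11:00:05 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.45 DST=192.0.2.25 PROTO=TCP SPT=3456 DPT=25
Oct 14 11:00:06 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.45 DST=192.0.2.26 PROTO=TCP SPT=3457 DPT=25
Oct 14 11:00:07 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.45 DST=198.51.100.7 PROTO=TCP SPT=3458 DPT=25
Oct 14 11:00:08 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.45 DST=203.0.113.9 PROTO=TCP SPT=3459 DPT=25
Oct 14 11:00:09 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.45 DST=192.0.2.30 PROTO=TCP SPT=3460 DPT=25
Oct 14 11:00:10 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.45 DST=203.0.113.40 PROTO=TCP SPT=3461 DPT=25
Oct 14 11:00:20 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.77 DST=198.51.100.25 PROTO=TCP SPT=1101 DPT=25
Oct 14 11:03:00 fw kernel: OUT-SMTP IN=eth1 OUT=eth0 SRC=10.1.2.45 DST=192.0.2.25 PROTO=TCP SPT=3470 DPT=25
"""

APPROVED_RELAYS = {"10.1.0.5"}  # the company's own SMTP server (assumed address)
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: OUT-SMTP .*"
                     r"SRC=(\S+) DST=(\S+) .*DPT=25\b")

def parse(log_text):
    """Yield (timestamp, src, dst) for every outbound port-25 log line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog carries no year; strptime defaults to 1900, harmless for time differences.
            yield datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)

def find_suspects(log_text, max_per_window=5, window_s=60):
    """Return {src: {...}} for hosts that talk SMTP to a non-approved relay or open
    more than max_per_window outbound SMTP connections within any window_s seconds."""
    events = defaultdict(list)
    for ts, src, dst in parse(log_text):
        events[src].append((ts, dst))
    suspects = {}
    for src, evs in events.items():
        evs.sort()
        unapproved = sorted({dst for _, dst in evs if dst not in APPROVED_RELAYS})
        peak = 0
        for i, (start, _) in enumerate(evs):  # sliding window over sorted events
            j = i
            while j < len(evs) and (evs[j][0] - start).total_seconds() < window_s:
                j += 1
            peak = max(peak, j - i)
        if unapproved or peak > max_per_window:
            suspects[src] = {"unapproved_relays": unapproved, "peak_rate": peak}
    return suspects
```

With the sample above, the workstation at 10.1.2.45 is flagged on both counts (six connections in one minute to six outside mail servers), 10.1.2.77 only for using an outside relay (the POP-user case from Larry's note), and 10.1.2.10, which only talks to the approved server, is not reported.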
