RE: Schedule incoming external mail

  • From: "jh" <jthart@xxxxxxxxxxxxxx>
  • To: exchangelist@xxxxxxxxxxxxx
  • Date: Sun, 22 Aug 2004 01:07:07 -0600

John, thanks to yourself and others for the reply.  In answer to your

1. We do currently block executable attachments but unfortunately this
happens on the mail server.  I'd need to investigate further into blocking
at the firewall.  The third layer of antivirus I mentioned is at the
gateway.  Fortunately we have standardised to a single email client making
policy setting a lot easier.  Although total attachment blocking is too
harsh for our business requirements, I could see potential to ramp this up
either at the firewall (if possible) or using ScanMail attachment

2. Yes, any "unprotected" infected messages have arrived in our early
morning which is exactly why I was looking to temporarily halt any
external SMTP.  Our day starts in the early morning (3:30am).  Someone
opening their email at this time before the pattern is available could
cause the grief.  However if the pattern arrives a few hours after and the
external SMTP is re-enabled around the 7:00am mark (this is also when IT
is on deck to check av patterns are ok), then this _may_ cover it.  As
I've mentioned, it would only be a means of reducing exposure.  We can handle
(business wise) halting external incomings for this time so it makes sense
to me, if it can be done, to do it.

3. On a couple of occasions I've had messages come through to myself
(latest Bagle and I can't recall the other one).  I only had to look at it
to see that it was a virus so I set to work to find a scanner that could
pick it up - on one occasion neither Trend nor Symantec did.  I then tried
a couple of on-line scanners, again with no success.  I believe running
multiple antivirus is a good idea (that's why we're doing it) but it
certainly isn't a cure-all.

We run GFI MailEssentials which goes really well and picks up the odd
infected message, but only because one of the anti-spam policies grabs it
out.  In third-party software I was thinking of something similar.  That
is, a bit of software that poses a level of heuristics to determine that
this has the marks of a virus and holds it over until a decision can be
made on it.  Anything like this on the market?

One of the other posters made the point of training of users which is
something I try to strike a balance of letting them know of new viruses
while not doing it so often that they see it as a "cry wolf".  Considering the
vulnerability of antivirus described I see this as probably the greatest
means of defence.  Our worst "hit" however was the result of someone who
did know better - what do you do!

Thanks again. 

> 1. You need to use software that will not only simply check to see if a
> message is infected, but also to then apply policy, such as banning
> potentially malicious files, such as exe and bat and scr and cmd and so
> forth. If you are also using ISA server, you can do this with the message
> screener.
> 2. The last couple of major outbreaks began in earnest around mid-early to
> mid morning PDT, thus your idea would have done absolutely nothing. (Well,
> maybe since you are down under, but you get the idea.) What about the
> viruses that start in earnest on Sunday night US which would be Monday
> morning on the south side of the planet?
> 3. You mentioned third party. Yes, there are third parties that can act as
> the gateway or otherwise known as a front door (not to be confused with a
> front end) that can do all scanning with multiple AV scanners AND protect
> against potentially malicious files as well as Outlook Vulnerabilities. You
> do not hear too much about that, but Outlook Vulnerabilities can be used to
> hide or otherwise fool Outlook.
> Much to Steve's chagrin, you can contact me off list for more information on
> third party services. ;)
> John Tolmachoff
> Engineer/Consultant/Owner
> eServices For You
> > -----Original Message-----
> > From: jh [mailto:jthart@xxxxxxxxxxxxxx]
> > Sent: Thursday, August 19, 2004 8:08 PM
> > To: [ExchangeList]
> > Subject: [exchangelist] RE: Schedule incoming external mail
> >
> > Mark, thanks for your reply.
> >
> > I totally agree - this is not an effective means of antivirus protection,
> > its placement would only be a means of reducing exposure.  We run two
> > layers of antivirus (with the third in the pipeline) but it's all
> > meaningless if there is no pattern update, isn't it.  Someone has to be
> > hit by the virus first in order for the antivirus companies to fix it.  I
> > congratulate you on your good fortune in not being hit, and I hope your
> > luck continues.  We have been caught once by an email virus (about 4 years
> > ago, which inspired additional antivirus measures) and, for me, once was
> > quite enough.
> >
> > I'm not an Exchange aficionado and I'd be interested in any other options,
> > either built-in or third party that may be available.
> >
> > Regards