RE: SMTP Email Filtering - Our Config for those interested (was RE: ISA FP1 does NOT fix the SMTP Filter)
- From: "John Tolmachoff" <isalist@xxxxxxxxxxxx>
- To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
- Date: Wed, 15 Jan 2003 09:33:19 -0800
> Thanks for the info, John. In our case, I have a server with IIS SMTP
installed and
> ISA which resides on out perimeter network. All SMTP traffic that enters
our
> organization from the outside world is routed by our NetScreen 50 firewall
to a DMZ
> port on the NetScreen (IP address 192.168.100.1), which in turn routes
SMTP
> traffic to the DMZ NIC on the ISA server, IP address of 192.168.100.2. ISA
"thinks"
> that its DMZ NIC (192.168.100.2) is the Internet by way of modification to
the LAT,
> even though it is not. It is here, on the perimeter network, that the SMTP
filter
> should filter out the "bad" stuff (spam, blocked attachments, bad domains,
etc).
> Anti-virus on the ISA screener also cleans all email before it ever
reaches our
> primary Exchange server.
I am still scratching my head trying to follow that, but if it works for
you, more power to you.
> Our last line of defense is the workstation, which also has AV software
installed. All
> AV definitions are updated hourly.
A multilayered defense is the only true defense. :))
> As convoluted as this setup may sound, it works exceptionally well and is
very
> reliable. Given the stringent path that email must follow to reach an
inbox at our
> organization, I am not sure how the Outlook vulnerability you mention
would allow
> spam or an infected message to slip past our current defenses.
The problem is that the vulnerabilities themselves allow a virus or spam not
to be caught because it changes the format of the message so that when a
scanner looks for the correct parts of the message to scan, it is changed.
This has to do with mime segments and coding and such. Let me clarify that
no known viruses have yet used any of the vulnerabilities, but spammers are
using them. One such vulnerability, the Outlook partial vulnerability, is
the result of an Outlook setting that will break a outgoing message into
multiple smaller messages. What can happen is a user with this setting gets
a virus and it starts to send itself to everyone in the address book. As
part of the sending, the message is broken into 3 parts and resent as three
messages, each one x of 3. The recipient Outlook will recognize that this is
multipart and will reassemble them. Well, a normal virus scanner will not
catch them because the virus infected attachment has been encoded and broken
into 3, thus no longer seen as a attachment but as part of the message
itself.
> I do like the idea of adding yet an additional layer of security to the
above equation
> using MX scanning, so that mail is cleaned before it even hits the
firewall! I will be
> sure to check out the service you mention.
We have nothing published yet. Contact me directly for more information.
Here is more information on vulnerabilities:
###################################################################
Vulnerabilities
A vulnerability is a method that people can use to bypass virus scanning.
Clearly, this is something that hackers and virus writers like to do. An
E-mail that takes advantage of a vulnerability may or may not actually
contain a virus. By default, Declude Virus will catch all vulnerabilities as
if they were viruses. This has stopped a number of new viruses before virus
definitions were available to stop them. False positives are not common, but
when they occur almost always turn out to be spam.
CLSID Vulnerability: This vulnerability occurs when an E-mail uses a 'CLSID'
as an extension. A CLSID is a long string that identifies a certain program
(such as Notepad), and using the CLSID instead of a standard file extension
will cause Windows to use the program identified by the CLSID to open the
file. Windows will not display the CLSID extension, so a file with an
innocent name such as "cutedog.jpg" could cause another program to run.
Outlook 'Blank Folding' Vulnerability: This vulnerability occurs when there
is a line in the headers with just a single space or a single tab character.
Outlook can treat this as the end of the headers, allowing it to see a virus
that is embedded in the headers. There is no legitimate reason for an E-mail
to contain a blank line in the headers with a single space or tab (note that
it is OK to have a line with a single space or tab in the E-mail body, just
not the headers).
Outlook 'Boundary Space Gap' Vulnerability: This vulnerability occurs when
there is a space or tab in the MIME boundary. This is not RFC-compliant, but
Outlook will treat it as valid and be able to see a virus that virus
scanners will not usually see. There is no legitimate reason for an E-mail
to be formed like this.
Outlook 'CR' Vulnerability: This vulnerability occurs when an E-mail
contains a single 'CR' character within the E-mail headers (as opposed to a
'CR' followed by an 'LF', which is used to end a line in SMTP). Outlook can
treat this as the end of the headers, which would allow Outlook to see a
virus that was embedded in the headers. There is no legitimate reason for an
E-mail to contain a lone 'CR' in the headers.
Outlook 'Long Boundary' Vulnerability: This vulnerability occurs when an
E-mail has a MIME boundary that is longer than allowed by the RFCs. Outlook
may see a virus when a virus scanner will not. There is no legitimate reason
for an E-mail to be sent like this.
Outlook 'MIME header' Vulnerability: This vulnerability occurs when certain
safe MIME types are used, but a potentially dangerous file type is attached.
Outlook may execute the attachment automatically, without looking at its
file extension. There is no legitimate reason for an E-mail to be sent like
this, and a number of viruses use this vulnerability.
Outlook 'Space Gap' Vulnerability: This vulnerability occurs when there is a
space in one of the MIME headers where there is not normally a space (such
as "Content-Type :" instead of "Content-Type:"). This is not RFC-compliant,
but Outlook will treat it as valid and be able to see a virus that virus
scanners will not usually see. There is no legitimate reason for an E-mail
to be formed like this.
Partial (Fragmented) Vulnerability: This vulnerability occurs when one
E-mail is split into separate parts, each in a separate E-mail. Although
this is legal, it will bypass virus scanners, and therefore will likely soon
be deprecated.
####################################################################
John Tolmachoff MCSE, CSSA
IT Manager, Network Engineer
RelianceSoft, Inc.
Fullerton, CA 92835
www.reliancesoft.com
Other related posts:
