> Thanks for the info, John. In our case, I have a server with IIS SMTP installed and > ISA which resides on out perimeter network. All SMTP traffic that enters our > organization from the outside world is routed by our NetScreen 50 firewall to a DMZ > port on the NetScreen (IP address 192.168.100.1), which in turn routes SMTP > traffic to the DMZ NIC on the ISA server, IP address of 192.168.100.2. ISA "thinks" > that its DMZ NIC (192.168.100.2) is the Internet by way of modification to the LAT, > even though it is not. It is here, on the perimeter network, that the SMTP filter > should filter out the "bad" stuff (spam, blocked attachments, bad domains, etc). > Anti-virus on the ISA screener also cleans all email before it ever reaches our > primary Exchange server. I am still scratching my head trying to follow that, but if it works for you, more power to you. > Our last line of defense is the workstation, which also has AV software installed. All > AV definitions are updated hourly. A multilayered defense is the only true defense. :)) > As convoluted as this setup may sound, it works exceptionally well and is very > reliable. Given the stringent path that email must follow to reach an inbox at our > organization, I am not sure how the Outlook vulnerability you mention would allow > spam or an infected message to slip past our current defenses. The problem is that the vulnerabilities themselves allow a virus or spam not to be caught because it changes the format of the message so that when a scanner looks for the correct parts of the message to scan, it is changed. This has to do with mime segments and coding and such. Let me clarify that no known viruses have yet used any of the vulnerabilities, but spammers are using them. One such vulnerability, the Outlook partial vulnerability, is the result of an Outlook setting that will break a outgoing message into multiple smaller messages. What can happen is a user with this setting gets a virus and it starts to send itself to everyone in the address book. As part of the sending, the message is broken into 3 parts and resent as three messages, each one x of 3. The recipient Outlook will recognize that this is multipart and will reassemble them. Well, a normal virus scanner will not catch them because the virus infected attachment has been encoded and broken into 3, thus no longer seen as a attachment but as part of the message itself. > I do like the idea of adding yet an additional layer of security to the above equation > using MX scanning, so that mail is cleaned before it even hits the firewall! I will be > sure to check out the service you mention. We have nothing published yet. Contact me directly for more information. Here is more information on vulnerabilities: ################################################################### Vulnerabilities A vulnerability is a method that people can use to bypass virus scanning. Clearly, this is something that hackers and virus writers like to do. An E-mail that takes advantage of a vulnerability may or may not actually contain a virus. By default, Declude Virus will catch all vulnerabilities as if they were viruses. This has stopped a number of new viruses before virus definitions were available to stop them. False positives are not common, but when they occur almost always turn out to be spam. CLSID Vulnerability: This vulnerability occurs when an E-mail uses a 'CLSID' as an extension. A CLSID is a long string that identifies a certain program (such as Notepad), and using the CLSID instead of a standard file extension will cause Windows to use the program identified by the CLSID to open the file. Windows will not display the CLSID extension, so a file with an innocent name such as "cutedog.jpg" could cause another program to run. Outlook 'Blank Folding' Vulnerability: This vulnerability occurs when there is a line in the headers with just a single space or a single tab character. Outlook can treat this as the end of the headers, allowing it to see a virus that is embedded in the headers. There is no legitimate reason for an E-mail to contain a blank line in the headers with a single space or tab (note that it is OK to have a line with a single space or tab in the E-mail body, just not the headers). Outlook 'Boundary Space Gap' Vulnerability: This vulnerability occurs when there is a space or tab in the MIME boundary. This is not RFC-compliant, but Outlook will treat it as valid and be able to see a virus that virus scanners will not usually see. There is no legitimate reason for an E-mail to be formed like this. Outlook 'CR' Vulnerability: This vulnerability occurs when an E-mail contains a single 'CR' character within the E-mail headers (as opposed to a 'CR' followed by an 'LF', which is used to end a line in SMTP). Outlook can treat this as the end of the headers, which would allow Outlook to see a virus that was embedded in the headers. There is no legitimate reason for an E-mail to contain a lone 'CR' in the headers. Outlook 'Long Boundary' Vulnerability: This vulnerability occurs when an E-mail has a MIME boundary that is longer than allowed by the RFCs. Outlook may see a virus when a virus scanner will not. There is no legitimate reason for an E-mail to be sent like this. Outlook 'MIME header' Vulnerability: This vulnerability occurs when certain safe MIME types are used, but a potentially dangerous file type is attached. Outlook may execute the attachment automatically, without looking at its file extension. There is no legitimate reason for an E-mail to be sent like this, and a number of viruses use this vulnerability. Outlook 'Space Gap' Vulnerability: This vulnerability occurs when there is a space in one of the MIME headers where there is not normally a space (such as "Content-Type :" instead of "Content-Type:"). This is not RFC-compliant, but Outlook will treat it as valid and be able to see a virus that virus scanners will not usually see. There is no legitimate reason for an E-mail to be formed like this. Partial (Fragmented) Vulnerability: This vulnerability occurs when one E-mail is split into separate parts, each in a separate E-mail. Although this is legal, it will bypass virus scanners, and therefore will likely soon be deprecated. #################################################################### John Tolmachoff MCSE, CSSA IT Manager, Network Engineer RelianceSoft, Inc. Fullerton, CA 92835 www.reliancesoft.com