sobig virus

Antony Stone Antony at SOFT-SOLUTIONS.CO.UK
Thu Aug 21 17:52:54 IST 2003


On Thursday 21 August 2003 5:31 pm, Joe Stuart wrote:

> In our setup we have a server running Sendmail, Mailscanner, SA and
> f-prot that has a MX value of 10. Mail is received on that server and
> then transports it to a groupwise server that delivers it to the
> clients. The groupwise server was in the DNS with a MX value of 100 that
> I had no idea about.  Since it appeared that mail was coming in without
> being scanned we went in and closed the groupwise server off to the
> outside world. Then the viruses stopped coming in.  If there are any
> suggestions on how things could be set up better I'm open to ideas

Well, apart from removing the MX record pointing directly at the groupwise 
server, I would set up the firewall (your groupwise server *is* behind a 
firewall, isn't it?) so that it cannot be contacted directly from the outside 
world in any case.

People scan the Internet all the time for web servers and mail servers to try 
to break into, relay through, etc., so I would recommend that your firewall 
allows access from outside to the MailScanner machine only (if MS is inside 
the firewall), or else allows access to the groupwise server from the 
MailScanner machine only (if MS is outside the firewall).

Never give the Internet access to anything it shouldn't see - because people 
will find it and investigate it if they can!

Antony.

-- 

Software development can be quick, high-quality, or low-cost.

The customer gets to pick any two out of three.
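
An added example, not part of the original post: a small audit of a domain's published MX records that flags any host which is not an approved scanning gateway, the situation described in the thread. The hostnames, the sample `dig +short MX` output and the function names are constructed for illustration.

```python
"""Audit a domain's MX set for hosts that bypass the scanning gateway."""

# Constructed sample: `dig +short MX example.org` style output, mirroring the
# setup in the thread (gateway at preference 10, backend at preference 100).
SAMPLE_DIG_OUTPUT = """\
10 scanner.example.org.
100 groupwise.example.org.
"""

# Assumption: the only host allowed to accept Internet mail is the scanner.
APPROVED_GATEWAYS = {"scanner.example.org"}


def parse_mx(dig_output):
    """Return [(preference, hostname)] sorted by preference; skip junk lines."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # comments, blank lines, error text from the resolver
        host = parts[1].rstrip(".").lower()
        records.append((int(parts[0]), host))
    return sorted(records)


def find_bypass_mx(dig_output, approved):
    """Return MX hosts that are published but are not approved gateways.

    Preference does not protect them: a sender may connect to a
    higher-numbered MX directly, so every published host must scan.
    """
    approved = {h.rstrip(".").lower() for h in approved}
    return [(pref, host) for pref, host in parse_mx(dig_output)
            if host not in approved]


if __name__ == "__main__":
    for pref, host in find_bypass_mx(SAMPLE_DIG_OUTPUT, APPROVED_GATEWAYS):
        print(f"WARNING: MX {host} (preference {pref}) is not a scanning gateway")
```

Feeding it the live output of `dig +short MX yourdomain` on a schedule catches a stray MX record before unscanned mail does.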



