New wiki page

Steve Freegard steve.freegard at fsl.com
Wed Jul 1 18:20:03 IST 2009


Kevin Miller wrote:
>> What happens if you get a mass mailer worm on your network or a 
>> compromised computer that starts churning out spam? Far more 
>> red faces that way.
> 
> I wouldn't expect a mass mailer to channel the mail through a 
> smart host - they're most likely geared to send directly.
> 

It's more likely to send directly; but I have seen smart hosts abused as
well - it depends on the configuration of the PC and the software used
(e.g. if Outlook Express is configured to use a smart host, then the
worm will most likely use the same).

Anyone running a private network should:

- Always run your mail server on a dedicated IP address that is not used
within a NAT pool.  This prevents your mail server from being
blacklisted due to compromised hosts.

- Configure firewalls to deny outbound SMTP traffic by default for NAT
ranges (and if possible send alerts if a host sends multiple attempts;
this can be used to detect compromised machines).

- Inspect outbound SMTP traffic for obvious spam signs and reject it
before queuing (e.g. as per my last mail:  URIBL_*, DCC, RAZOR2, PYZOR,
IXHASH, Bayes, envelope sender from a domain that doesn't belong to you
etc.).

Regards,
Steve.
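
The alerting idea in the second point above, as an added example that is not part of the original message: it counts denied outbound port-25 attempts per internal host in iptables-style LOG lines and flags hosts that retry repeatedly within a short window. The log prefix, threshold, window, year and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_PREFIX = "SMTP-OUT-DENY"   # assumed: string given to iptables --log-prefix
THRESHOLD = 3                  # assumed: denied attempts needed to raise an alert
WINDOW = timedelta(minutes=1)  # assumed: sliding window for counting attempts
YEAR = 2009                    # syslog timestamps carry no year; assumed here

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*" + re.escape(LOG_PREFIX) +
    r".*\bSRC=(?P<src>[\d.]+) .*\bPROTO=TCP\b.*\bDPT=25\b")

# Constructed firewall log, in chronological order (not real traffic).
SAMPLE_LOG = """\
Jul  1 18:00:00 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=203.0.113.9 PROTO=TCP SPT=1100 DPT=25 SYN
Jul  1 18:10:00 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=203.0.113.9 PROTO=TCP SPT=1101 DPT=25 SYN
Jul  1 18:20:01 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=1042 DPT=25 SYN
Jul  1 18:20:02 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=1043 DPT=25 SYN
Jul  1 18:20:03 fw kernel: FWD-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=1044 DPT=445 SYN
Jul  1 18:20:03 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.8 PROTO=TCP SPT=1045 DPT=25 SYN
Jul  1 18:20:05 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.77 PROTO=TCP SPT=1046 DPT=25 SYN
Jul  1 18:20:10 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.5 PROTO=TCP SPT=2001 DPT=25 SYN
Jul  1 18:20:30 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=203.0.113.9 PROTO=TCP SPT=1102 DPT=25 SYN
Jul  1 18:25:00 fw kernel: SMTP-OUT-DENY IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.5 PROTO=TCP SPT=2002 DPT=25 SYN
"""

def find_suspect_hosts(log_text):
    """Return {source_ip: peak denied-SMTP attempts seen inside WINDOW}."""
    recent = defaultdict(deque)   # per-host timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue              # other firewall rules or other ports
        when = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen = recent[m["src"]]
        seen.append(when)
        while when - seen[0] > WINDOW:
            seen.popleft()        # drop attempts that aged out of the window
        if len(seen) >= THRESHOLD:
            alerts[m["src"]] = max(alerts.get(m["src"], 0), len(seen))
    return alerts

if __name__ == "__main__":
    for host, count in find_suspect_hosts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} denied SMTP attempts within {WINDOW}")
```

Hosts that hit the deny rule only occasionally (a misconfigured mail client, for instance) stay below the threshold; a burst to several destinations is what raises the alert.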

