New wiki page
steve.freegard at fsl.com
Wed Jul 1 18:20:03 IST 2009
Kevin Miller wrote:
>> What happens if you get a mass mailer worm on your network or a
>> compromised computer that starts churning out spam? Far more
>> red faces that way.
> I wouldn't expect a mass mailer to channel the mail through a
> smart host - they're most likely geared to send directly.
It's more likely to send directly; but I have seen smart hosts abused as
well - it depends of the configuration of the PC and the software used
(e.g. if Outlook Express is configured to use a smart host, then the
worm will most likely use the same).
Anyone running a private network should:
- Always run your mail server on a dedicated IP address that is not used
within a NAT pool. This prevents your mail server from being
blacklisted due to compromised hosts.
- Configure firewalls to deny outbound SMTP traffic by default for NAT
ranges (and if possible send alerts if a host sends multiple attempts;
this can be used to detect compromised machines).
- Inspect outbound SMTP traffic for obvious spam signs and reject it
before queuing (e.g. as per my last mail: URIBL_*, DCC, RAZOR2, PYZOR,
IXHASH, Bayes, envelope sender from a domain that doesn't belong to you
More information about the MailScanner