New wiki page

Glenn Steen glenn.steen at gmail.com
Thu Jul 2 08:44:04 IST 2009


2009/7/1 Steve Freegard <steve.freegard at fsl.com>:
> Kevin Miller wrote:
>>> What happens if you get a mass mailer worm on your network or a
>>> compromised computer that starts churning out spam? Far more
>>> red faces that way.
>>
>> I wouldn't expect a mass mailer to channel the mail through a
>> smart host - they're most likely geared to send directly.
>>
>
> It's more likely to send directly; but I have seen smart hosts abused as
> well - it depends on the configuration of the PC and the software used
> (e.g. if Outlook Express is configured to use a smart host, then the
> worm will most likely use the same).
>
> Anyone running a private network should:
>
> - Always run your mail server on a dedicated IP address that is not used
> within a NAT pool.  This prevents your mail server from being
> blacklisted due to compromised hosts.
>
> - Configure firewalls to deny outbound SMTP traffic by default for NAT
> ranges (and if possible send alerts if a host sends multiple attempts;
> this can be used to detect compromised machines).

I wouldn't limit myself to only deny outgoing mail from NAT ranges....
I explicitly only allow the MailScanner gateways out through the
firewall. Not Exchange, not some pesky "I-want-to-mail-directly"
server. This way infected machines (whatever that may be) will show up
pretty quickly;-).

> - Inspect outbound SMTP traffic for obvious spam signs and reject it
> before queuing (e.g. as per my last mail:  URIBL_*, DCC, RAZOR2, PYZOR,
> IXHASH, Bayes, envelope sender from a domain that doesn't belong to you
> etc.).

I actually find MailScanner on the outbound to be enough for me,
although I do see the wisdom of what you're saying. I suppose it all
depends on your circumstances:).

> Regards,
> Steve.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
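
The alerting idea from the thread (deny outbound SMTP for everything except the mail gateways, and flag hosts that keep trying), as an added example that is not part of the original messages. It assumes the firewall writes denied packets in the Linux netfilter LOG format; the `SMTP-DENY` prefix, the gateway address, the threshold and the window are all hypothetical values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

ALLOWED_GATEWAYS = {"192.168.1.10"}   # assumed address of the mail gateway
THRESHOLD = 3                         # denied attempts ...
WINDOW = timedelta(minutes=5)         # ... inside this sliding window

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) "
                     r".*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

# Constructed sample lines (not from the thread), netfilter LOG style.
SAMPLE_LOG = """\
Jul  2 08:40:01 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49152 DPT=25 SYN
Jul  2 08:40:03 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.9 PROTO=TCP SPT=49153 DPT=25 SYN
Jul  2 08:40:30 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.5 PROTO=TCP SPT=50001 DPT=25 SYN
Jul  2 08:41:00 fw kernel: WEB-DENY IN=eth1 OUT=eth0 SRC=192.168.1.55 DST=203.0.113.7 PROTO=TCP SPT=50100 DPT=80 SYN
Jul  2 08:41:10 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.8 PROTO=TCP SPT=49154 DPT=25 SYN
Jul  2 08:42:00 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.2 PROTO=TCP SPT=49155 DPT=25 SYN
Jul  2 09:30:00 fw kernel: SMTP-DENY IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=203.0.113.5 PROTO=TCP SPT=50002 DPT=25 SYN
""".splitlines()

def suspect_hosts(lines, year=2009):
    """Map each non-gateway source IP to its peak count of denied port-25
    attempts inside WINDOW, keeping only hosts that reach THRESHOLD."""
    attempts = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["dpt"] != "25" or m["src"] in ALLOWED_GATEWAYS:
            continue
        # Syslog timestamps carry no year, so the caller supplies one.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        attempts[m["src"]].append(ts)
    flagged = {}
    for src, stamps in attempts.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > WINDOW:   # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= THRESHOLD:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    for host, count in suspect_hosts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} denied outbound SMTP attempts within {WINDOW}")
```
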

