New wiki page
glenn.steen at gmail.com
Thu Jul 2 08:44:04 IST 2009
2009/7/1 Steve Freegard <steve.freegard at fsl.com>:
> Kevin Miller wrote:
>>> What happens if you get a mass mailer worm on your network or a
>>> compromised computer that starts churning out spam? Far more
>>> red faces that way.
>> I wouldn't expect a mass mailer to channel the mail through a
>> smart host - they're most likely geared to send directly.
> It's more likely to send directly; but I have seen smart hosts abused as
> well - it depends on the configuration of the PC and the software used
> (e.g. if Outlook Express is configured to use a smart host, then the
> worm will most likely use the same).
> Anyone running a private network should:
> - Always run your mail server on a dedicated IP address that is not used
> within a NAT pool. This prevents your mail server from being
> blacklisted due to compromised hosts.
> - Configure firewalls to deny outbound SMTP traffic by default for NAT
> ranges (and if possible send alerts if a host sends multiple attempts;
> this can be used to detect compromised machines).

I wouldn't limit myself to only deny outgoing mail from NAT ranges....
I explicitly only allow the MailScanner gateways out through the
firewall. Not Exchange, not some pesky "I-want-to-mail-directly"
server. This way infected machines (whatever that may be) will show up

> - Inspect outbound SMTP traffic for obvious spam signs and reject it
> before queuing (e.g. as per my last mail: URIBL_*, DCC, RAZOR2, PYZOR,
> IXHASH, Bayes, envelope sender from a domain that doesn't belong to you

I actually find MailScanner on the outbound to be enough for me,
although I do see the wisdom of what you're saying. I suppose it all
depends on your circumstances :).

email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
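
The alerting idea in the thread above (outbound SMTP is denied by default, so a host that keeps trying is worth a look), as an added example that is not part of the original messages. The iptables-style log layout, the `SMTP-OUT-DENY` prefix, the addresses and the threshold are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed firewall log lines (iptables LOG style). The "SMTP-OUT-DENY"
# prefix, host names and addresses are assumptions made for this example.
SAMPLE_LOG = """\
Jul  2 08:41:01 fw kernel: SMTP-OUT-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.25 PROTO=TCP SPT=1045 DPT=25 SYN
Jul  2 08:41:03 fw kernel: SMTP-OUT-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.9 PROTO=TCP SPT=1046 DPT=25 SYN
Jul  2 08:41:04 fw kernel: SMTP-OUT-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.25 PROTO=TCP SPT=2201 DPT=25 SYN
Jul  2 08:41:06 fw kernel: SMTP-OUT-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.77 PROTO=TCP SPT=1047 DPT=25 SYN
Jul  2 08:41:09 fw kernel: WEB-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.77 PROTO=TCP SPT=1050 DPT=8080 SYN
Jul  2 09:30:00 fw kernel: SMTP-OUT-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.25 PROTO=TCP SPT=2310 DPT=25 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SMTP-OUT-DENY: .*"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*DPT=25\b")

def suspect_hosts(lines, threshold=3, window=timedelta(minutes=5), year=2009):
    """Return {src: sorted distinct destinations} for every internal host with
    at least `threshold` denied outbound SMTP attempts inside one window."""
    recent = defaultdict(deque)          # src -> (timestamp, dst) inside window
    flagged = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                     # other rules, other ports, noise
        # Syslog timestamps carry no year, so one is supplied by the caller.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["src"]]
        q.append((ts, m["dst"]))
        while ts - q[0][0] > window:     # drop attempts older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[m["src"]].update(dst for _, dst in q)
    return {src: sorted(dsts) for src, dsts in flagged.items()}

if __name__ == "__main__":
    for src, dsts in suspect_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: repeated blocked SMTP to {', '.join(dsts)}")
```

Because only the mail gateways are allowed out, every line with this prefix is already an anomaly; the threshold only separates a one-off misconfigured client from a machine that is churning out connections.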