Security Basics
mailing list archives
Re: File Catching Firewall?
From: Brian Guy <brian () sambizsys com>
Date: Fri, 06 Feb 2004 22:03:44 -0800
We managed to not get a single MyDoom e-mail with the config below.
This approach blocks about 95% of our spam overall.

1. Postfix 2.0 does initial blocks for obvious spam (e.g., DNS
blacklists for open relays, spoofing our IP in HELO, etc.). See
O'Reilly book on Postfix 2.0 for more info.

2. Advosys Mail Filter filters out dangerous attachments, as defined by
you. You decide what file extensions can come through, what gets
blocked. We block all executable and script extensions, but we allow
PDF and a few others.

3. SpamAssassin does content based filtering and some additional DNS
blacklist lookups that we didn't want to block at the MTA level (due to
risk of false positives). We significantly raised the scores assigned
to some of the DNS blacklists so that the messages will get tagged as
spam, but they don't immediately bounce as do the DNS blacklist checks
we do at the MTA level.

I never saw any MyDoom messages with the attachment stripped by Advosys,
so all of our MyDoom mail apparently got stopped by Postfix. I'm still
in shock that none got through.

Regardless of whether you do the Postfix filtering, Advosys should do
what you're wanting. Just search for it on Google and you should find
the source code (it's just a Perl script if I remember correctly).

Good luck!

-----Original Message-----
From: Jason Haith [mailto:jhaith () genesissys com]
Sent: 3. februar 2004 22:08
To: securityfocus
Subject: File Catching Firewall?
Was asked to look into maybe putting in a Linux box in front of our mail
server to stop the massive amounts of email attachments we have been
receiving as of late due to 'MyDoom'. We currently have a WG FireBoxII and
software on our Mail Server that is supposed to be catching everything, but
with so much coming in it's missing a lot. I was wondering if anyone had any
ideas on some type of solution for this, all input is greatly appreciated.
Thank you.
Jason Haith
Genesis Systems
---------------------------------------------------------------------------
Ethical Hacking at InfoSec Institute. Mention this ad and get $720 off any
course! All of our class sizes are guaranteed to be 10 students or less.
We provide Ethical Hacking, Advanced Ethical Hacking, Intrusion Prevention,
and many other technical hands on courses.
Visit us at http://www.infosecinstitute.com/securityfocus to get $720 off
any course!
----------------------------------------------------------------------------
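
The extension-based attachment filtering described in step 2 of the reply above, as an added Python example (not part of the original post and not the Advosys Mail Filter's own code). The allowlist contents, function names and sample messages are assumptions constructed for illustration; the check is default-deny, so a file with no extension or with a disguising double extension is blocked.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy: only these extensions may pass (the post allows PDF "and a few others").
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".jpg", ".png"}

def attachment_names(msg):
    """Yield every filename a leaf MIME part declares."""
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, falls back to
        # Content-Type name=, and decodes RFC 2231 encoded values.
        name = part.get_filename()
        if name:
            yield name

def blocked_attachments(raw_bytes):
    """Return the filenames that fail the allowlist; an empty list means deliver."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    blocked = []
    for name in attachment_names(msg):
        # Normalise: drop trailing dots/spaces (Windows ignores them), compare lowercase.
        cleaned = name.strip().rstrip(". ").lower()
        # Only the final extension counts, so "invoice.pdf.scr" is judged as ".scr".
        ext = os.path.splitext(cleaned)[1]
        if ext not in ALLOWED_EXTENSIONS:
            blocked.append(name)
    return blocked

def build_sample(filename, payload=b"constructed sample bytes"):
    """Constructed test message carrying one attachment with the given name."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

if __name__ == "__main__":
    for fn in ("report.pdf", "invoice.pdf.scr", "README.TXT", "notes.exe.", "noextension"):
        verdict = blocked_attachments(build_sample(fn))
        print(fn, "->", "BLOCK" if verdict else "pass")
```

A filter like this inspects only the declared name, so it complements rather than replaces the MTA-level and content-based layers in steps 1 and 3.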