RE: Malware detection

[John Hebert <jhebert () bizdps com>]

> From: Andreas Lindkvist [mailto:lindkvist.andreas () gmail com] 
> Sent: Thursday, July 19, 2012 3:26 AM
> To: John Hebert
> Subject: Re: Malware detection
>
> Hello!
>
> I read the FW-howto and also alot of comments in this communication and it is important to mention that you are not 
> safe from SPAM-issues just by restricting the SMTP/TCP port-25 to >your mail server. It is also as important to 
> regulate the relay-ACL on that perticular server. Some mail servers have sloppy or non-existing restrictions for 
> SMTP-relay which coverts >the  restrictions in any kind of IP-filtering.

I completely agree.  While most spam-sending bots have their own SMTP engine or use MAPI calls to get the job done, 
probing for an open mail relay on the local network's not out of the question.  Additonally, one can subscribe to an 
outbound email filtering service and restrict outbound SMTP from just the mail server to just the filter's smarthost.  
That will force every message to go through the filter prior to hitting the Internet at large.  If an inbound filtering 
service is used, restricting inbound SMTP to just the filter's smarthost will prevent external relay attempts.

> Br,
>
> On Wed, Jul 18, 2012 at 8:26 PM, John Hebert <jhebert () bizdps com> wrote:
> > From: mwamba chishimba [mailto:bamwamba () gmail com]
> > Sent: Wednesday, July 18, 2012 2:11 PM
> > To: John Hebert
> > Cc: security-basics () securityfocus com
> > Subject: Re: Malware detection
> >
> > Hi John,
> >
> > Am running a linux based firewall/gateway(clearOS) which is also running as email server. Spamhaus has just blocked 
> > me because one of my PC's behind the firewall has a waledac >>spambot. I have about 70 Users on the network and 
> > picking out who the culprit is will be a daunting task as you can imagine. I've started installing malwareBytes on 
> > all the PC's. In the >meantime I want spamhaus to delist me as pursue the offender. I have installed wireshark to 
> > help me monitor traffic and on my firewall I have blocked all outgoing traffic except for >http(s). 
>
> Please advise how else I can prevent spam from leaving my network thereby avoiding being blocked by spamhaus ever 
> again.
>
> If you change your firewall to block all outgoing SMTP except from the mail server itself, any other computer won't be 
> able to send spam anymore.  Once you do that, you'll be able to >look at the firewall logs to see which IP is having 
> SMTP connections dropped.
>
> Will that prevent you from being blacklisted ever again?  Well, technically, if your mail server or one of the 
> accounts on it were to become compromised, it could be used for spam.  Short >of that, you're good to go.
>
> I wrote up a vendor-neutral how-to for Spiceworks a little while ago that might help with your outbound firewall rules:
> http://community.spiceworks.com/how_to/show/2901 - If anyone has anything to add, let me know and I'll update it.
>
> > Thank you in advance for everybody's help, greatly appreciated!
> >
> > Kind Regards,



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------