An email from my network admin


antihaxor
January 23rd, 2002, 05:31 PM
I guess the only way he could stop the worms was ..to...scan the subject line? WTF!

Correct me if I'm wrong... but there's got to be a better way. See below:

Quote from big bad admin:

"A change was made recently to control incoming e-mail from the Internet. A filter was installed (eSafe) that scans for certain keywords in the subject line (as well as virus infections).

If a keyword appears you will get an 'Alert from eSafe' message telling you that a message was blocked, who the message was from, and the Scan Result."

Any better ideas?

*antihaxor ducks and dodges the insults hurled

Vorlin
January 23rd, 2002, 06:16 PM
Yeah, there are other ways to make sure worms don't get through, involving such methods as listed below:

1: have a list of known virii/trojans/macro virii/etc on the server that's incorporated into the 'scanner'. Several third-party programs do this.

2: scanning subject lines for "known" headers that precede email viruses such as ILoveYou (and others).

3: scan executable and/or .vbs attachments looking for "known" named files that are virii carriers.

4: block all .scr and .exes at the servers. **** 'em if they can't take a joke, all those bastards that have to send screen savers and whatnot with embedded "surprises". Wait, the end users on the other side who have to merrily open every fscking piece of mail because it says "ANNA KOURNIKOVA DOES DALLAS PART 20" or some other lame crap. They deserve to be shot but that's another story...well, at least be dragged into the network server room that's soundproofed and whipped with cat5.

5: move your exchange server into the parking lot and have a shot at it with bats and cars while setting up your new and improved PC-on-crack running qmail or sendmail and having cron run through all mail files stripping everything even remotely bad (this can be read by procmail). Sendmail, qmail, and others are far more efficient than exchange *ever* will be.

These are a few that you can do although I'm by no means an NT advocate and don't give two shits about exchange. You'd think there's something better than subject-line scanning.

dspeidel
January 23rd, 2002, 06:17 PM
It could be worse. Where I work I cannot send out files with the following extensions:
*.exe
*.src
*.com
(the filter even removes questionable content from zip files)

A better solution for both of us is to scan all incoming mail attachments for known viruses (this was done at my old job). It is of course easier to block all mail with certain keywords or files with certain attachment types. Unfortunately, many network admins take the easy way out.

Vorlin
January 23rd, 2002, 06:33 PM
It is of course easier to block all mail with certain keywords or files with certain attachment types. Unfortunately, many network admins take the easy way out.

Unfortunately, it has little to do with the network admins and a whole hell of a lot more with management. Nobody wants to 'disrupt' the user community and if it means letting them download whatever they want because they're "Sales and Marketing" or execs or whatnot and it keeps them happy, so be it. We're the ones who get shafted because of the shit that happens after that...*sigh*

The life of an administrator...dealing with users is always a pain in the ass. Hence, why they're called lusers (from Simon Travaglia's BOFH series, I love that guy, he's my idol).

Maverick811
January 23rd, 2002, 07:18 PM
Originally posted by Vorlin

The life of an administrator...dealing with users is always a pain in the ass. Hence, why they're called lusers (from Simon Travaglia's BOFH series, I love that guy, he's my idol).

Bastard Operator From Hell was a funny series, I remember first reading that years ago - I still read back through those texts every now and then and still think it's pretty cool. The BOFH was the coolest administrator there ever was! I've got to get me one of those excuse calendars!

We strip certain attachments that have extensions that are on our block list - it's not the most efficient way to operate simply because a file a user needs may come in as an .exe, but if the firewall is stripping all .exe's from email, then the user won't get it. It does help a lot of the time though.

bpx
January 23rd, 2002, 07:39 PM
I work for a software company so we're pretty solid when it comes to viruses. We run MDaemon with MDaemon Scanner. The scanner basically updates itself every day and scans everything going in AND out. We've had it since Nimda came out and haven't had any problems since.

Guus
January 23rd, 2002, 09:40 PM
Anti, I don't think the (only) reason they started scanning email headers is to block viruses. It says that they installed something 'to control incoming email' - right? My guess is that someone in upper management decided that too many people in your company were spending too much time writing emails.

s0nIc
January 23rd, 2002, 09:55 PM
hmmmm well the basic and most effective way to prevent worms is by not opening attachments which have an .exe .scr .com .bat or any sort of extensions...

worms are also considered logic bombs.. they will destroy if certain conditions are met.. in this case by clicking the attachment..

just tell your admin to educate the users on file extensions.. it won't take that long.. just roughly 10 mins.. or even less.

the filters are not that effective because they always filter out something that's totally harmless and very useful information..

it's basically like being racist.. (no hidden msgs intended..)
like say.. ermm during WW2... according to the nazis.. as long as they're jewish kill them..
same as the filters... as long as it has that certain data.. block it...

who knows.. that msg might be very important and just because it had that certain data you can't get the msg because the filter blocks it..

get my point? it's better to educate the users.. than use silly filters.. i mean the education the users will get could also be taken to their normal household computers.. and might cut down the spread of worms.. which is basically how worms become successful.. because some people have no idea about file extensions..

Conf1rm3d_K1ll
January 23rd, 2002, 10:05 PM
Originally posted by Guus
Anti, I don't think the (only) reason they started scanning email headers is to block viruses. It says that they installed something 'to control incoming email' - right? My guess is that someone in upper management decided that too many people in your company were spending too much time writing emails.

I agree with Guus. This sounds more like "Big Brother" than a security issue....

Vorlin
January 23rd, 2002, 10:15 PM
Well, it might be Big Brother to a degree but you can *immediately* bypass the subject line scanning by putting something "official" in it. You can't scan body content because that won't work for a number of reasons. Now, you can limit where mail's sent to. Such as, limit the list of allowed addresses and drop all the other requests, just like ports are blocked at the firewall level and unless you're in an ACL or your program has a hole punched through the wall, you're not getting through.

deByte
January 24th, 2002, 01:09 AM
My experience was:

1. education, make it known to users

2. stripping the attachment with known file extensions, e.g. exe, com, scr ... even if in zip

3. notify user of the block immediately

If the attachment is genuine, the users will have to contact the sender themselves and request the sender to double or triple zip (this depends on how many levels of zip you are filtering) the file before sending it again.

rgds
de

ANTI-HACKERS
January 28th, 2002, 04:40 AM
There is some good software that will watch incoming mail for any viral activity. Isn't there something from Norton that does all that? I'm pretty sure there is.

ikalo
January 27th, 2004, 03:45 PM
The easiest way is to use AV for mail servers. Norton has it, Kaspersky has it. That software scans incoming mail on your mail server and notifies recipients if it finds anything. That way you can stop worms that use the HTML message body, not just attachments.
My ISP is using Kaspersky and I haven't heard of any worm spreading in Banjaluka for some time.

MURACU
January 27th, 2004, 04:06 PM
We use Norton for Exchange and we haven't been hit by a serious virus attack in a fairly long time. As for bypassing the restrictions in place it is fairly easy. You just change the extension and put it in a zip or two. The zip is only used if your protection checks out the header of the files rather than the extension. The difference is that for the virus, worm etc to execute it needs the action of an internal user. That is, someone has to rename the file. As they say the biggest security loophole in any network is an uneducated user.
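deByte's steps 2 and 3 (strip known extensions even inside zips, then tell the user what was blocked) and MURACU's point that a renamed file only gets past a filter that trusts the extension come together in a gateway-side attachment check. The following is an added example written for this page, not code from any poster, vendor or product named in the thread; the extension list, the "MZ" header check, the two-level nesting limit and the size cap are assumptions chosen for the illustration, and the sample message it builds is constructed.

```python
"""Attachment filter for a mail gateway: blocks risky extensions, looks inside
zipped attachments up to a depth limit, and checks the file header so a
renamed executable is still caught. Example code written for this page, not
software from any forum poster or vendor. The extension list, the "MZ" check,
MAX_ZIP_DEPTH and MAX_MEMBER_BYTES are assumptions made here."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions the thread mentions plus a few common ones (assumed list).
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "bat", "vbs", "pif"}
# DOS/Windows executables start with the bytes "MZ" whatever the file is named.
EXECUTABLE_MAGIC = {b"MZ": "pe-executable"}
MAX_ZIP_DEPTH = 2              # open at most two levels of nested zips
MAX_MEMBER_BYTES = 5_000_000   # refuse to inflate anything declared larger


def classify_blob(name: str, data: bytes) -> list[str]:
    """Reasons to block one file, from its extension and its first bytes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    reasons = []
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension .{ext}")
    for magic, label in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            reasons.append(f"header looks like {label}")
    return reasons


def inspect_blob(name: str, data: bytes, depth: int = 0) -> list[tuple[str, str]]:
    """Return (path, reason) findings for a blob, recursing into zip archives.
    A zip nested deeper than MAX_ZIP_DEPTH is not opened; it is reported as a
    finding instead, so "triple zipping" past the limit is not passed unexamined."""
    findings = [(name, r) for r in classify_blob(name, data)]
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings
    if depth >= MAX_ZIP_DEPTH:
        findings.append((name, f"zip nested deeper than {MAX_ZIP_DEPTH}; not inspected"))
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{name}/{info.filename}"
            if info.file_size > MAX_MEMBER_BYTES:   # declared uncompressed size
                findings.append((member, "declared size over limit; not inflated"))
                continue
            findings.extend(inspect_blob(member, zf.read(info), depth + 1))
    return findings


def filter_message(raw: bytes) -> list[tuple[str, str]]:
    """Parse a raw message and inspect every attachment part."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_blob(name, payload))
    return findings


def should_block(raw: bytes) -> bool:
    """Gateway verdict; the findings list doubles as the text for the user notice."""
    return bool(filter_message(raw))


def _zip_bytes(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, data in members.items():
            zf.writestr(fname, data)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed sample: a harmless PDF plus a double-zipped archive holding a
    .exe, an executable renamed to .txt, a plain text file and a third-level
    zip that exceeds the depth limit."""
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60          # constructed header only, not a program
    deep = _zip_bytes({"readme.txt": b"three levels down"})
    inner = _zip_bytes({
        "setup.exe": fake_exe,
        "report.txt": fake_exe,                      # renamed executable: the extension lies
        "notes.txt": b"quarterly numbers",
        "deep.zip": deep,
    })
    outer = _zip_bytes({"inner.zip": inner})

    msg = EmailMessage(policy=policy.default)
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Project update"
    msg.set_content("Files attached.")
    msg.add_attachment(b"%PDF-1.4 constructed sample", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(outer, maintype="application", subtype="zip",
                       filename="update.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in filter_message(build_sample_message()):
        print(f"{path}: {reason}")
```

Run as a script it lists four findings: `setup.exe` for both its extension and its header, `report.txt` for its header alone (the case an extension-only filter misses), and `deep.zip` because it sits past the nesting limit, while `invoice.pdf` and `notes.txt` pass. The depth and size caps are the part practitioners tend to forget: without them a gateway that "looks inside zips" can be made to inflate arbitrarily large or deeply nested archives on every message.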

Cybr1d
January 27th, 2004, 04:08 PM
Appreciate your support guys but this thread is 2 years old :D