Thursday, August 11, 2011

firewall-wizards Digest, Vol 61, Issue 3

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Securing email by inhibiting urls (Mathew Want)
2. Re: Securing email by inhibiting urls (Kurt Buff)
3. Re: Securing email by inhibiting urls (Kurt Buff)
4. Re: Securing email by inhibiting urls (Chris)
5. Re: Securing email by inhibiting urls (Chris)
6. Re: Securing email by inhibiting urls (Chris)
7. Re: Securing email by inhibiting urls (Raphael Rivera)


----------------------------------------------------------------------

Message: 1
Date: Thu, 11 Aug 2011 15:18:52 +1000
From: Mathew Want <imortl1@gmail.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: chughes@l8c.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<CAKFczxbKTF-xVyLtFBOSJkRR7C6+RFGJ46WuxT5d6Cj8f88h6g@mail.gmail.com>
Content-Type: text/plain; charset=windows-1252

Perhaps it may be worth looking at it from the other angle.

If you have URL's being accessed from your environment (from emails or
other sources) these can be channeled via a proxy on the client end.
You could then control the URL categorization and/or blocking via that
method. Many proxy services get updates of known bad domains and block
these automatically (similar to AV updates). This is not directly tied
to the mail system, but should give you an option to still control the
outbound requests to attack URL's.

Just a thought.
--
Regards,
Mathew Want

On 2 August 2011 04:46, Chris <chughes@l8c.com> wrote:
> A company I work for has been having great difficulty in securing against
> email attacks. So far we have disabled access to webmail, implemented
> rules and processes to block freemail services like hotmail etc until the
> sender registers the address and of course a spam filter (BrightMail).
> Attachment filtering is pretty strict as well.
>
>
>
> The threat that presents the biggest challenge is url links in emails. The
> common method of attack is an email from somedomain.com where they change
> one character or otherwise make the address look valid (ie:
> joe@s0medomain.com or j0e@somedomain.com etc).
>
>
>
> I was looking for a way to spot and block hyperlinks but it looks like the
> only option I have is to filter on these and send them to a spam bin. I'd
> rather yank the offending hyperlink and replace it with a message of some
> sort. Unfortunately BrightMail doesn't offer that capability.
>
>
>
> Any products that do this or ideas on a solution?
>
>
>
> Thanks
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>

--
"Some things are eternal by nature,
others by consequence"


------------------------------

Message: 2
Date: Wed, 10 Aug 2011 22:31:46 -0700
From: Kurt Buff <kurt.buff@gmail.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: chughes@l8c.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<CADy1Ce6aJWn67s3ksaPnWte1kgNt8dCV-4g=7r5YZAU-gASqgQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

mimedefang comes to mind.

http://mimedefang.org

On Mon, Aug 1, 2011 at 11:46, Chris <chughes@l8c.com> wrote:
> A company I work for has been having great difficulty in securing against
> email attacks. So far we have disabled access to webmail, implemented
> rules and processes to block freemail services like hotmail etc until the
> sender registers the address and of course a spam filter (BrightMail).
> Attachment filtering is pretty strict as well.
>
>
>
> The threat that presents the biggest challenge is url links in emails. The
> common method of attack is an email from somedomain.com where they change
> one character or otherwise make the address look valid (ie:
> joe@s0medomain.com or j0e@somedomain.com etc).
>
>
>
> I was looking for a way to spot and block hyperlinks but it looks like the
> only option I have is to filter on these and send them to a spam bin. I'd
> rather yank the offending hyperlink and replace it with a message of some
> sort. Unfortunately BrightMail doesn't offer that capability.
>
>
>
> Any products that do this or ideas on a solution?
>
>
>
> Thanks
>


------------------------------

Message: 3
Date: Thu, 11 Aug 2011 07:15:48 -0700
From: Kurt Buff <kurt.buff@gmail.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: chughes@l8c.com
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<CADy1Ce4tSkuCCbnS7EjP3jwC36HP=DkV3NCM9Zz2d4i7eHB+8Q@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Which is why I use a mail gateway for $WORK.

On Thu, Aug 11, 2011 at 04:41, Chris <chughes@l8c.com> wrote:
> Should have mentioned that this is a MS Exchange environment. Spam filters are currently MS based but that's up for grabs if we can replace them with something that provides the same functionality in place now. Currently using Brightmail and other than disabling/replacing urls in email it is working pretty good.
>
> -----Original Message-----
> From: Kurt Buff [mailto:kurt.buff@gmail.com]
> Sent: Thursday, August 11, 2011 1:32 AM
> To: chughes@l8c.com; Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] Securing email by inhibiting urls
>
> mimedefang comes to mind.
>
> http://mimedefang.org
>
> On Mon, Aug 1, 2011 at 11:46, Chris <chughes@l8c.com> wrote:
>> A company I work for has been having great difficulty in securing against
>> email attacks. So far we have disabled access to webmail, implemented
>> rules and processes to block freemail services like hotmail etc until the
>> sender registers the address and of course a spam filter (BrightMail).
>> Attachment filtering is pretty strict as well.
>>
>>
>>
>> The threat that presents the biggest challenge is url links in emails. The
>> common method of attack is an email from somedomain.com where they change
>> one character or otherwise make the address look valid (ie:
>> joe@s0medomain.com or j0e@somedomain.com etc).
>>
>>
>>
>> I was looking for a way to spot and block hyperlinks but it looks like the
>> only option I have is to filter on these and send them to a spam bin. I'd
>> rather yank the offending hyperlink and replace it with a message of some
>> sort. Unfortunately BrightMail doesn't offer that capability.
>>
>>
>>
>> Any products that do this or ideas on a solution?
>>
>>
>>
>> Thanks
>>
>
>


------------------------------

Message: 4
Date: Thu, 11 Aug 2011 07:37:06 -0400
From: "Chris" <chughes@l8c.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: "'Mathew Want'" <imortl1@gmail.com>, "'Firewall Wizards Security
Mailing List'" <firewall-wizards@listserv.icsalabs.com>
Message-ID: <008401cc581b$002ca970$0085fc50$@com>
Content-Type: text/plain; charset="iso-8859-1"

This won't work. This site is under constant attack from China and randomly
hacked domains that are used as relays are not on any watch lists. We are
talking zero day here. There are no signatures for the payload if a user
clicks these links. Right now user awareness is our best line of defense
and we all know how reliable that is.

Until I can disable a user's ability to click a url in an email that appears
to come from a trusted source, I'm fighting constant infection. We
regularly spot infections (read WE, not our security systems), that are
resident in our network and have been there days/weeks/months. We currently
have at least one that we are watching to see what it is trying to do before
shutting it down....

-----Original Message-----
From: Mathew Want [mailto:imortl1@gmail.com]
Sent: Thursday, August 11, 2011 1:19 AM
To: chughes@l8c.com; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Securing email by inhibiting urls

Perhaps it may be worth looking at it from the other angle.

If you have URL's being accessed from your environment (from emails or
other sources) these can be channeled via a proxy on the client end.
You could then control the URL categorization and/or blocking via that
method. Many proxy services get updates of known bad domains and block
these automatically (similar to AV updates). This is not directly tied
to the mail system, but should give you an option to still control the
outbound requests to attack URL's.

Just a thought.
--
Regards,
Mathew Want

On 2 August 2011 04:46, Chris <chughes@l8c.com> wrote:
> A company I work for has been having great difficulty in securing against
> email attacks. So far we have disabled access to webmail, implemented
> rules and processes to block freemail services like hotmail etc until the
> sender registers the address and of course a spam filter (BrightMail).
> Attachment filtering is pretty strict as well.
>
>
>
> The threat that presents the biggest challenge is url links in emails. The
> common method of attack is an email from somedomain.com where they change
> one character or otherwise make the address look valid (ie:
> joe@s0medomain.com or j0e@somedomain.com etc).
>
>
>
> I was looking for a way to spot and block hyperlinks but it looks like the
> only option I have is to filter on these and send them to a spam bin. I'd
> rather yank the offending hyperlink and replace it with a message of some
> sort. Unfortunately BrightMail doesn't offer that capability.
>
>
>
> Any products that do this or ideas on a solution?
>
>
>
> Thanks
>

--
"Some things are eternal by nature,
others by consequence"

------------------------------

Message: 5
Date: Thu, 11 Aug 2011 07:41:46 -0400
From: "Chris" <chughes@l8c.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: "'Kurt Buff'" <kurt.buff@gmail.com>, "'Firewall Wizards Security
Mailing List'" <firewall-wizards@listserv.icsalabs.com>
Message-ID: <008801cc581b$a6cdacc0$f4690640$@com>
Content-Type: text/plain; charset="UTF-8"

Should have mentioned that this is a MS Exchange environment. Spam filters are currently MS based but that's up for grabs if we can replace them with something that provides the same functionality in place now. Currently using Brightmail and other than disabling/replacing urls in email it is working pretty good.

-----Original Message-----
From: Kurt Buff [mailto:kurt.buff@gmail.com]
Sent: Thursday, August 11, 2011 1:32 AM
To: chughes@l8c.com; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Securing email by inhibiting urls

mimedefang comes to mind.

http://mimedefang.org

On Mon, Aug 1, 2011 at 11:46, Chris <chughes@l8c.com> wrote:
> A company I work for has been having great difficulty in securing against
> email attacks. So far we have disabled access to webmail, implemented
> rules and processes to block freemail services like hotmail etc until the
> sender registers the address and of course a spam filter (BrightMail).
> Attachment filtering is pretty strict as well.
>
>
>
> The threat that presents the biggest challenge is url links in emails. The
> common method of attack is an email from somedomain.com where they change
> one character or otherwise make the address look valid (ie:
> joe@s0medomain.com or j0e@somedomain.com etc).
>
>
>
> I was looking for a way to spot and block hyperlinks but it looks like the
> only option I have is to filter on these and send them to a spam bin. I'd
> rather yank the offending hyperlink and replace it with a message of some
> sort. Unfortunately BrightMail doesn't offer that capability.
>
>
>
> Any products that do this or ideas on a solution?
>
>
>
> Thanks
>

------------------------------

Message: 6
Date: Thu, 11 Aug 2011 07:45:08 -0400
From: "Chris" <chughes@l8c.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: "'Kaas, David D'" <David_D_Kaas@RL.gov>, "'Firewall Wizards
Security Mailing List'" <firewall-wizards@listserv.cybertrust.com>,
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <009501cc581c$1f8f8610$5eae9230$@com>
Content-Type: text/plain; charset="UTF-8"

I'll check out Ironport. We looked at this earlier but there was something about it at the time that caused us to not buy it. Time to revisit...

Thanks

-----Original Message-----
From: Kaas, David D [mailto:David_D_Kaas@RL.gov]
Sent: Thursday, August 11, 2011 12:06 AM
To: 'chughes@l8c.com'; 'Firewall Wizards Security Mailing List'; 'firewall-wizards@listserv.cybertrust.com'
Subject: RE: [fw-wiz] Securing email by inhibiting urls

The IronPort email appliance can do this. You can strip HTML or modify URLs. Outlook tries to be friendly by automatically making www.any.com clickable.

-----Original Message-----
From: Chris [mailto:chughes@l8c.com]
Sent: Wednesday, August 10, 2011 08:46 PM Pacific Standard Time
To: firewall-wizards@listserv.cybertrust.com
Subject: [fw-wiz] Securing email by inhibiting urls

A company I work for has been having great difficulty in securing against email attacks. So far we have disabled access to webmail, implemented rules and processes to block freemail services like hotmail etc until the sender registers the address and of course a spam filter (BrightMail). Attachment filtering is pretty strict as well.

The threat that presents the biggest challenge is url links in emails. The common method of attack is an email from somedomain.com where they change one character or otherwise make the address look valid (ie: joe@s0medomain.com or j0e@somedomain.com etc).

I was looking for a way to spot and block hyperlinks but it looks like the only option I have is to filter on these and send them to a spam bin. I'd rather yank the offending hyperlink and replace it with a message of some sort. Unfortunately BrightMail doesn't offer that capability.

Any products that do this or ideas on a solution?

Thanks
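
An added example, not part of any message in this thread and not the code of any product named in it: a gateway-side sketch in Python of the "strip HTML or modify URLs" approach, combined with a check for the one-character lookalike sender domains described in the original post. The trusted-domain list, the replacement notice, the X-Lookalike-Sender header and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED = {"somedomain.com"}               # assumption: admin-maintained partner domains
NOTICE = "[link removed by mail gateway]"  # assumption: replacement text
URL_RE = re.compile(r"(?:https?://|ftp://|www\.)[^\s<>\"']+", re.I)
HREF_RE = re.compile(r"(<a\b[^>]*?\bhref\s*=\s*)([\"']).*?\2", re.I | re.S)
SWAPS = str.maketrans("0135", "oles")      # digit-for-letter swaps used in lookalikes

SAMPLE = (  # constructed sample message, not taken from the thread
    "From: Joe <joe@s0medomain.com>\n"
    "To: user@example.org\n"
    "Subject: invoice\n"
    "Content-Type: text/html; charset=utf-8\n"
    "\n"
    '<p>See <a href="http://198.51.100.7/x">http://somedomain.com/invoice</a></p>\n'
)


def is_lookalike(domain):
    """True if domain is not trusted but folds to a trusted name after SWAPS."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED:
        return False
    return any(domain.translate(SWAPS) == t.translate(SWAPS) for t in TRUSTED)


def strip_links(text, html=False):
    """Replace every URL with NOTICE; in HTML, blank quoted href targets first."""
    if html:
        text = HREF_RE.sub(r"\1\2#\2", text)
    return URL_RE.sub(NOTICE, text)


def filter_message(raw):
    """Return (flagged, rewritten message) for a raw RFC 5322 message string."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    flagged = is_lookalike(sender.rpartition("@")[2])
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            html = part.get_content_subtype() == "html"
            part.set_content(strip_links(part.get_content(), html),
                             subtype=part.get_content_subtype())
    if flagged:
        msg["X-Lookalike-Sender"] = sender  # hypothetical header for downstream rules
    return flagged, msg.as_string()
```

Links are stripped from every text part regardless of the sender check, so the second form in the original post (j0e@somedomain.com, where the domain itself is genuine) still arrives without clickable links even though the domain check does not flag it.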


------------------------------

Message: 7
Date: Thu, 11 Aug 2011 09:40:18 -0400
From: Raphael Rivera <rafinous@yahoo.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: "chughes@l8c.com" <chughes@l8c.com>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.icsalabs.com>
Message-ID: <3CF24B68-18C3-496C-AA6B-ED7281C8BA9F@yahoo.com>
Content-Type: text/plain; charset="utf-8"

Chris,

Have you all tried barracuda spam firewall?

Sent from my iPhone

On Aug 1, 2011, at 2:46 PM, "Chris" <chughes@l8c.com> wrote:

> A company I work for has been having great difficulty in securing against email attacks. So far we have disabled access to webmail, implemented rules and processes to block freemail services like hotmail etc until the sender registers the address and of course a spam filter (BrightMail). Attachment filtering is pretty strict as well.
>
>
>
> The threat that presents the biggest challenge is url links in emails. The common method of attack is an email from somedomain.com where they change one character or otherwise make the address look valid (ie: joe@s0medomain.com or j0e@somedomain.com etc).
>
>
>
> I was looking for a way to spot and block hyperlinks but it looks like the only option I have is to filter on these and send them to a spam bin. I'd rather yank the offending hyperlink and replace it with a message of some sort. Unfortunately BrightMail doesn't offer that capability.
>
>
>
> Any products that do this or ideas on a solution?
>
>
>
> Thanks
>

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 61, Issue 3
***********************************************