firewall-wizards@listserv.icsalabs.com
Today's Topics:
1. Re: Securing email by inhibiting urls (Mark E. Donaldson)
2. Re: Securing email by inhibiting urls (Marcus Ranum)
3. Re: Securing email by inhibiting urls (Victor Williams)
4. Re: Securing email by inhibiting urls (Timothy Shea)
----------------------------------------------------------------------
Message: 1
Date: Fri, 12 Aug 2011 00:51:07 +0000
From: "Mark E. Donaldson" <markee@bandwidthco.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: "chughes@l8c.com" <chughes@l8c.com>, Firewall Wizards Security
Mailing List <firewall-wizards@listserv.cybertrust.com>
Message-ID:
<BAE58695426B20468F7638C723B37D78074B60AB@server7.bandwidthco.com>
Content-Type: text/plain; charset="us-ascii"
You need to re-think how you handle mail. Two things:
1. Take out all Chinese IP addresses at the firewall. Nothing of value comes out of China. 99% of it is toxic. Why let them even have a chance?
2. Direct webmail over the internet is dangerous at best. You need to set up an SMTP mail proxy on your system that receives, processes, and either accepts or rejects all incoming email. Use Sendmail + MailScanner + SpamAssassin + Clamav. Won't cost you a cent and will take all bad stuff out as you instruct it to do.
3. Mail that makes it through the proxy should then be directed to the webmail server. It will be safe and clean.
From: firewall-wizards-bounces@listserv.cybertrust.com [mailto:firewall-wizards-bounces@listserv.cybertrust.com] On Behalf Of Chris
Sent: Monday, August 01, 2011 11:47 AM
To: firewall-wizards@listserv.cybertrust.com
Subject: [fw-wiz] Securing email by inhibiting urls
A company I work for has been having great difficulty in securing against email attacks. So far we have disabled access to webmail, implemented rules and processes to block freemail services like hotmail etc until the sender registers the address and of course a spam filter (BrightMail). Attachment filtering is pretty strict as well.
The threat that presents the biggest challenge is URL links in emails. The common method of attack is an email from somedomain.com where they change one character or otherwise make the address look valid (i.e.: joe@s0medomain.com or j0e@somedomain.com etc).
I was looking for a way to spot and block hyperlinks but it looks like the only option I have is to filter on these and send them to a spam bin. I'd rather yank the offending hyperlink and replace it with a message of some sort. Unfortunately BrightMail doesn't offer that capability.
Any products that do this or ideas on a solution?
Thanks
--
This message has been scanned for viruses and dangerous
content by MailScanner<http://www.mailscanner.info/>, and is believed to be clean.
MailScanner at Bandwidthco Computer Security<http://www.bandwidthco.com/> is for your absolute protection.
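The two problems Chris raises in the post quoted above, a sender domain that differs from a trusted one by a single swapped character and the wish to replace a hyperlink with a notice instead of binning the whole message, worked through in code. This is an added example, not part of the thread and not a feature of BrightMail, MailScanner or Sendmail; the trusted-domain list, the confusable-character map, the notice text and the sample message are all constructed, and the function names are my own.

```python
"""Lookalike-sender detection and link defanging for inbound mail.

Added example for the firewall-wizards thread; not BrightMail, MailScanner or
Sendmail code. TRUSTED_DOMAINS, CONFUSABLES, NOTICE and SAMPLE are constructed
for illustration. Standard library only.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed list of domains the organisation actually trusts.
TRUSTED_DOMAINS = {"somedomain.com", "example.org"}

# Constructed map of characters commonly swapped to make a domain look like
# another (0/o, 1/l, ...). A real deployment would use a fuller confusables table.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

# Matches http(s) URLs in a text body; stops at whitespace, quotes and angle brackets.
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)
NOTICE = "[link removed by mail filter]"


def skeleton(domain):
    """Collapse single-character look-alikes so s0medomain == somedomain."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance; catches the 'change one character' case.
    A transposition counts as two edits here, so it is not caught by this test."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None when it is
    genuinely trusted or not close to any trusted domain."""
    d = domain.lower()
    if d in trusted:
        return None
    for t in trusted:
        if skeleton(d) == skeleton(t) or edit_distance(d, t) == 1:
            return t
    return None


def defang_urls(text, notice=NOTICE):
    """Replace every URL in `text` with `notice`; return (new_text, removed_urls)."""
    removed = []

    def replace(match):
        removed.append(match.group(0))
        return notice

    return URL_RE.sub(replace, text), removed


def filter_message(raw):
    """Parse a raw RFC 5322 message, flag a lookalike From: domain and replace
    the links in every text part. Returns (message, report)."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1]
    sender_domain = sender.rpartition("@")[2]
    report = {
        "sender": sender,
        "lookalike_of": lookalike_of(sender_domain) if sender_domain else None,
        "removed_urls": [],
    }
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        cleaned, removed = defang_urls(part.get_content())
        if removed:
            # set_content replaces the payload and its Content-* headers in place
            part.set_content(cleaned, subtype=ctype.split("/")[1])
            report["removed_urls"].extend(removed)
    return msg, report


# Constructed sample: the sender domain imitates somedomain.com with a zero.
SAMPLE = """\
From: "Joe" <joe@s0medomain.com>
To: chris@example.org
Subject: Invoice overdue
Content-Type: text/plain; charset="us-ascii"

Please review the invoice at http://s0medomain.com/invoice.html today.
"""

if __name__ == "__main__":
    cleaned_msg, rep = filter_message(SAMPLE)
    print(rep)
    print(cleaned_msg.as_string())
```

Run it and the report shows the sender flagged as imitating somedomain.com and one URL removed from the body. Two limits worth knowing: the URL pattern stops at whitespace, so a link followed directly by punctuation carries that punctuation into the removed string, and distance 1 does not catch transposed letters (somedomian), which is why the skeleton comparison handles the common digit-for-letter swaps separately. A local-part trick such as j0e@somedomain.com needs a list of known addresses rather than domains, which this does not attempt.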
------------------------------
Message: 2
Date: Thu, 11 Aug 2011 18:11:04 -0400
From: Marcus Ranum <mjr@ranum.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4E445378.8000108@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Chris wrote:
>
> Until I can disable a user's ability to click a URL in an email that appears
> to come from a trusted source, I'm fighting constant infection. We
> regularly spot infections (read WE, not our security systems), that are
> resident in our network and have been there days/weeks/months. We currently
> have at least one that we are watching to see what it is trying to do before
> shutting it down....
>
>
Stupid users, too much connectivity, good security - you can have
any two.
I'm guessing that when you say "trusted source" what you mean
is "apparently trustworthy source" - not that you actually have a
list somewhere of trusted sources. If you had a list of trusted
sources then you could put in a firewall that did URL filtering
then have 2 group policies: "users who click on bad URLs"
and "users who are careful what they click on". Only allow
"users who click on bad URLs" to go to the trusted destinations
and deny everything else.
But it sounds like you've got an impossible problem: you're
being asked to solve end-user trust with technology and still
maintain a fairly open network. That's not going to happen,
though surely you can thrash painfully about playing network
whac-a-mole.
mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenable.com
------------------------------
Message: 3
Date: Thu, 11 Aug 2011 13:12:43 -0500
From: Victor Williams <vbwilliams@gmail.com>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<CABaopGOsRTKW_PL3swnHfxyL1B9bwhuLECK=ZtemMrdd3oAyXQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"
Cisco Ironport or McAfee's two offerings: Email & Web Security Appliance or
Email Gateway.
The McAfee products used to be Secure Computing's Ironmail appliances, but
were bought with the Secure Computing acquisition.
Additionally, you should implement a true URL and content filtering service.
Even if an email gets through here or there, clicking on the link in it
will do more or less nothing if you have a "good" content-filtering proxy.
At my last job, we implemented McAfee's Email Gateway which filtered out a
very high percentage of junk incoming--you have to turn it on and take a lot
of time configuring/tweaking it. We also used Trend Micro's InterScan Web
Security product for web content filtering. The Trend-Micro product is
based on Squid and some other open and non-open source products. We didn't
want to take the time rolling our own Squid-based solution, and instead paid
for that one. Ran both for a year+ without any known infections.
I do know that we had all of the popular safeguards turned on on the McAfee
appliance(s). SPF checking, blacklist checking with 4 different blacklists,
reverse DNS lookup on the sending IP address, etc. We also only allowed
delivery to addresses that could be verified valid by looking them up in
Active Directory. If some server was attempting to send to a bunch of
addresses that didn't even exist in our environment, that server was
automatically banned from sending emails to us for X amount of time. This
cut down on a LOT of junk.
Disabling all the tools that people need to do their jobs won't help the
situation. You need to get a good all-around solution and customize it to
your environment--put a LOT of time into configuring and testing it. It
took me personally about 40 hours to get the McAfee appliances working
exactly how I wanted them to.
On Thu, Aug 11, 2011 at 8:40 AM, Raphael Rivera <rafinous@yahoo.com> wrote:
> Chris,
>
> Have you all tried barracuda spam firewall?
>
> Sent from my iPhone
>
> On Aug 1, 2011, at 2:46 PM, "Chris" <chughes@l8c.com> wrote:
>
> A company I work for has been having great difficulty in securing against
> email attacks. So far we have disabled access to webmail, implemented
> rules and processes to block freemail services like hotmail etc until the
> sender registers the address and of course a spam filter (BrightMail).
> Attachment filtering is pretty strict as well.
>
> The threat that presents the biggest challenge is URL links in emails. The
> common method of attack is an email from somedomain.com where they change
> one character or otherwise make the address look valid (i.e.:
> joe@s0medomain.com or j0e@somedomain.com etc).
>
> I was looking for a way to spot and block hyperlinks but it looks like the
> only option I have is to filter on these and send them to a spam bin. I'd
> rather yank the offending hyperlink and replace it with a message of some
> sort. Unfortunately BrightMail doesn't offer that capability.
>
> Any products that do this or ideas on a solution?
>
> Thanks
>
> _______________________________________________
>
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
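The recipient-validation and automatic-ban behaviour Victor describes (verify each recipient against the directory, and ban a client that keeps sending to addresses that do not exist) as a small, testable policy object. This is an added example, not the McAfee appliance's implementation; the recipient set stands in for the Active Directory lookup, the threshold and durations are constructed, and the returned strings loosely follow the OK/REJECT/DEFER wording of Postfix access policies.

```python
"""Directory-harvest guard: reject unknown recipients and temporarily ban a
client that probes too many of them.

Added example for the firewall-wizards thread; not the McAfee appliance's
logic. VALID_RECIPIENTS is a constructed stand-in for the Active Directory
lookup, the thresholds are constructed, and the decision strings are modelled
loosely on Postfix access-policy actions.
"""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed stand-in for "look the address up in Active Directory".
VALID_RECIPIENTS = {"alice@example.org", "bob@example.org"}

# Fixed base time so the demo and its checks are reproducible.
BASE = datetime(2011, 8, 11, 8, 0, 0)


def at(minutes):
    """Timestamp `minutes` after BASE; used to drive the guard deterministically."""
    return BASE + timedelta(minutes=minutes)


class HarvestGuard:
    """Per-client counter of unknown-recipient rejects inside a sliding window.
    When a client reaches `threshold` rejects within `window`, every further
    RCPT from it is deferred for `ban`, valid addresses included."""

    def __init__(self, valid_recipients, threshold=5,
                 window=timedelta(minutes=10), ban=timedelta(minutes=60)):
        self.valid = {r.lower() for r in valid_recipients}
        self.threshold = threshold
        self.window = window
        self.ban = ban
        self.unknown_hits = defaultdict(deque)   # client ip -> reject timestamps
        self.banned_until = {}                   # client ip -> datetime

    def check(self, client_ip, recipient, now):
        """Decide one RCPT TO; `now` is injected so the policy is testable."""
        ip = str(ipaddress.ip_address(client_ip))   # normalise; malformed input raises
        until = self.banned_until.get(ip)
        if until is not None:
            if now < until:
                return "DEFER client temporarily banned for recipient probing"
            # ban expired: forget it and start counting afresh
            del self.banned_until[ip]
            self.unknown_hits.pop(ip, None)
        if recipient.lower() in self.valid:
            return "OK"
        hits = self.unknown_hits[ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.threshold:
            self.banned_until[ip] = now + self.ban
            return "DEFER client temporarily banned for recipient probing"
        return "REJECT unknown recipient"


def run_demo():
    """Constructed session: one client probes five bogus addresses, then a
    valid one while banned; a second client is unaffected; the ban lapses."""
    guard = HarvestGuard(VALID_RECIPIENTS)
    events = [("203.0.113.7", f"nobody{n}@example.org", at(n)) for n in range(5)]
    events += [("203.0.113.7", "alice@example.org", at(6)),
               ("198.51.100.9", "bob@example.org", at(6)),
               ("203.0.113.7", "alice@example.org", at(70))]
    return [(ip, rcpt, guard.check(ip, rcpt, when)) for ip, rcpt, when in events]


if __name__ == "__main__":
    for ip, rcpt, decision in run_demo():
        print(f"{ip:14} {rcpt:24} {decision}")
```

Deferring rather than rejecting while banned means a legitimate server that tripped the threshold (a partner with a stale address list, say) retries later instead of bouncing its mail, and the sliding window keeps an occasional typo from ever reaching the threshold. In production the object would sit behind the MTA's policy interface and the directory lookup would be cached rather than hit per recipient.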
------------------------------
Message: 4
Date: Thu, 11 Aug 2011 17:20:27 -0500
From: Timothy Shea <tim@tshea.net>
Subject: Re: [fw-wiz] Securing email by inhibiting urls
To: chughes@l8c.com, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<CAHxuY52g+GzJUHLNP2XXT5n5Qk9+kY0aT=VGhPaZUt11gGkttA@mail.gmail.com>
Content-Type: text/plain; charset="windows-1252"
You are focusing on the wrong problem. If desktops are being infected then
your desktop, anti-spam, and web browsing controls are all weak.
Eliminating "links" in e-mail is going to accomplish nothing.
A commercial web content filter for web browsing will go a long way to
resolving your issues. Most commercial content filters are continuously
updated throughout the day and much can be filtered out via categories. We
went from several desktop issues a day to one desktop issue a week after
implementing a commercial web proxy. We then updated the browser and
implemented a new anti-virus solution. The desktop environment has now gone
completely stable. We haven't had a serious issue in months, freeing up
our time to do other things.
You should also evaluate your desktop hardening and patching processes.
t.s
On Thu, Aug 11, 2011 at 6:37 AM, Chris <chughes@l8c.com> wrote:
> This won't work. This site is under constant attack from China and randomly
> hacked domains that are used as relays are not on any watch lists. We are
> talking zero day here. There are no signatures for the payload if a user
> clicks these links. Right now user awareness is our best line of defense
> and we all know how reliable that is.
>
> Until I can disable a user's ability to click a URL in an email that appears
> to come from a trusted source, I'm fighting constant infection. We
> regularly spot infections (read WE, not our security systems), that are
> resident in our network and have been there days/weeks/months. We currently
> have at least one that we are watching to see what it is trying to do before
> shutting it down....
>
> -----Original Message-----
> From: Mathew Want [mailto:imortl1@gmail.com]
> Sent: Thursday, August 11, 2011 1:19 AM
> To: chughes@l8c.com; Firewall Wizards Security Mailing List
> Subject: Re: [fw-wiz] Securing email by inhibiting urls
>
> Perhaps it may be worth looking at it from the other angle.
>
> If you have URLs being accessed from your environment (from emails or
> other sources) these can be channeled via a proxy on the client end.
> You could then control the URL categorization and/or blocking via that
> method. Many proxy services get updates of known bad domains and block
> these automatically (similar to AV updates). This is not directly tied
> to the mail system, but should give you an option to still control the
> outbound requests to attack URLs.
>
> Just a thought.
> --
> Regards,
> Mathew Want
>
> On 2 August 2011 04:46, Chris <chughes@l8c.com> wrote:
> > A company I work for has been having great difficulty in securing against
> > email attacks. So far we have disabled access to webmail, implemented
> > rules and processes to block freemail services like hotmail etc until the
> > sender registers the address and of course a spam filter (BrightMail).
> > Attachment filtering is pretty strict as well.
> >
> >
> >
> > The threat that presents the biggest challenge is URL links in emails. The
> > common method of attack is an email from somedomain.com where they change
> > one character or otherwise make the address look valid (i.e.:
> > joe@s0medomain.com or j0e@somedomain.com etc).
> >
> > I was looking for a way to spot and block hyperlinks but it looks like the
> > only option I have is to filter on these and send them to a spam bin. I'd
> > rather yank the offending hyperlink and replace it with a message of some
> > sort. Unfortunately BrightMail doesn't offer that capability.
> >
> >
> >
> > Any products that do this or ideas on a solution?
> >
> >
> >
> > Thanks
> >
> --
> "Some things are eternal by nature,
> others by consequence"
--
Tim Shea, CISSP
612-384-6810
tim@tshea.net
http://www.linkedin.com/in/timothyshea
------------------------------
End of firewall-wizards Digest, Vol 61, Issue 4
***********************************************