Email Filtering: The Real Deal
Email is probably my favorite Internet related service. It's also the one that causes me the most problems, with regard to security. People cannot live without email anymore. Email is probably the most convenient form of communication for most of us. It's an easy way to figure out whether the person you want to phone in Australia is awake or not. Email also allows us to easily send files, from simple text documents to spreadsheets -- images to video clips. There are extremely few companies and organizations in the world that have an Internet connection but do not use email. Because of this, most Internet spam is now delivered by email, and more importantly, most viruses are now spread via email.
Why Email is Such a Pain
Email is such a pain because almost everyone online uses it, and the vast majority use Outlook or Outlook Express on a Microsoft platform, which has numerous security problems. Because of the lack of file permissions in Windows 9x, and the default permissions in NT and 2000, once an attacker gets code to execute on a target system, it can do pretty much anything. Add to this that most of the common mail packages (Outlook, Outlook Express, Netscape, Eudora, Pine, to name a few) have a substantial number of security holes (especially in older versions, which are all to common) that easily allow an attacker to send code that is run by the email client. The way users use email is also a problem. Very few people (almost none) sign email using PGP/GnuPG or X.509 certificates, and most users assume that if an email claims to have come from a friend, or from a recognizable email address, that it is legitimate and can be safely opened.
The speed at which email is delivered is also a problem. Where it used to take viruses weeks or even months to circulate around the world via floppy disk, with email, a virus can now traverse the globe in mere hours (especially if it hits a large site). Even with modern antivirus software, the insanely fast spread of a virus guarantees that numerous sites will not be able to detect or eradicate it. Most modern email clients automatically put anyone you reply to in your address book, making a juicy target list for any virus that runs on your system (these people have received email from you before).
Why Antivirus Technology Doesn't Always Work
I've discussed this before but it bears repeating. Antivirus software has a lot of problems, not all of which can be corrected easily. First off, the software has to be up to date, or have some heuristic capability (which of course isn't 100% reliable) to catch a current virus. The software has to be installed somewhere where it will see the data in question. Ideally this would include several locations:
- Inbound (and outbound if possible) SMTP proxy with virus scanning
- SMTP server itself
- POP and IMAP proxy with virus scanning
- Workstation client that accesses the mail
By forcing all inbound and outbound email through a proxy server that can scan for viruses you can block viruses before they even get to your server, and hopefully catch any outgoing viruses that somehow have managed to slip out. This also reduces the number of points where a virus can enter your network, which means you only need to update a few points of access if a new virus comes out. Filtering on the mail server itself is critical. If a virus makes it through you need to be able to remove it from your server to prevent re-infection of clients. Scanning POP and IMAP access to your mailserver isn't completely necessary, but by using a different product than the one on your SMTP server or clients you increase the chances of catching any viruses that make it through. Finally, in almost all environments, you should install antivirus software on the end workstation as there are numerous other paths (floppy disk, www, etc.) that a virus can take to get into your network. In any event you should use two different products if possible (one on your SMTP server, and one on your client workstations) which greatly increases the chances of catching a virus and stopping it.
One of the most surefire ways to stop most email born viruses is to restrict the types of attachments you allow in. Blocking .VBS as a bare minimum will stop many of the more recent ones that have successfully infected hundreds of thousands of machines. There is almost no valid reason to attach a .VBS file to an email and send it to someone (if you absolutely must send someone a .VBS file, compress it first using WinZip or something similar). Blocking other types of attachments will also significantly reduce the risk to your network. Unfortunately, because of the many flaws in Windows and its common programs (such as Office) almost every file attachment is dangerous:
.TXT can actually be a Rich Text File (.RTF), and is executable under certain circumstances. These files can be dangerous. See http://securityportal.com/topnews/ms00-005.html
.DOC, .XLS, and other office file formats can all contain macros. Even if auto-run macros are disabled, the user will still be prompted for permission to run them. If run, the macro can do almost anything.
- Various multimedia formats can contain malicious content that can crash a user's machine or even execute malicious code.
Unix is not immune either. Pine, a very popular command line mailer for Unix contains at least one known flaw that can allow an attacker to send malformed email that can execute code on the users machines. Pine is disabled by default in the OpenBSD ports collections.
There are numerous commercial and non-commercial solutions available to filter email attachments, from Mime Sweeper to Mime Defang and even home grown solutions using Postfix's ability to filter email headers and bodies using regex. Unfortunately, almost all extensions are dangerous (I block over 200 file extensions).
Network Intrusion Detection Systems and Virus Scanners: Are They The Answer?
About the Author
Kurt Seifried (firstname.lastname@example.org) is a security analyst and the author of more security articles then you can shake a stick at. Please do not send him mean email as it makes his email server sad. He's also a glutton for punishment and sushi.
SecurityPortal is the world's foremost on-line resource and services
provider for companies and individuals concerned about protecting their
information systems and networks.
The Focal Point for Security on the Net (tm)