Guides Email Filtering: The Real Deal

Email Filtering: The Real Deal

By Kurt Seifried ([email protected]) for SecurityPortal


Email is probably my favorite Internet related service. It’s also the one that
causes me the most problems, with regard to security. People cannot live without
email anymore. Email is probably the most convenient form of communication for
most of us. It’s an easy way to figure out whether the person you want to phone
in Australia is awake or not. Email also allows us to easily send files, from
simple text documents to spreadsheets — images to video clips. There are extremely
few companies and organizations in the world that have an Internet connection
but do not use email. Because of this, most Internet spam is now delivered by
email, and more importantly, most viruses are now spread via email.

Why Email is Such a Pain

Email is such a pain because almost everyone online uses it, and the vast majority
use Outlook or Outlook Express on a Microsoft platform, which has numerous security
problems. Because of the lack of file permissions in Windows 9x, and the default
permissions in NT and 2000, once an attacker gets code to execute on a target
system, it can do pretty much anything. Add to this that most of the common
mail packages (Outlook, Outlook Express, Netscape, Eudora, Pine, to name a few)
have a substantial number of security holes (especially in older versions, which
are all to common) that easily allow an attacker to send code that is run by
the email client. The way users use email is also a problem. Very few people
(almost none) sign email using PGP/GnuPG or X.509 certificates, and most users
assume that if an email claims to have come from a friend, or from a recognizable
email address, that it is legitimate and can be safely opened.

The speed at which email is delivered is also a problem. Where it used to take
viruses weeks or even months to circulate around the world via floppy disk,
with email, a virus can now traverse the globe in mere hours (especially if
it hits a large site). Even with modern antivirus software, the insanely fast
spread of a virus guarantees that numerous sites will not be able to detect
or eradicate it. Most modern email clients automatically put anyone you reply
to in your address book, making a juicy target list for any virus that runs
on your system (these people have received email from you before).

Why Antivirus Technology Doesn’t Always Work

I’ve discussed this before but it bears repeating. Antivirus software has a
lot of problems, not all of which can be corrected easily. First off, the software
has to be up to date, or have some heuristic capability (which of course isn’t
100% reliable) to catch a current virus. The software has to be installed somewhere
where it will see the data in question. Ideally this would include several locations:

  • Inbound (and outbound if possible) SMTP proxy with virus
    scanning
  • SMTP server itself
  • POP and IMAP proxy with virus scanning
  • Workstation client that accesses the mail

By forcing all inbound and outbound email through a proxy server that can scan
for viruses you can block viruses before they even get to your server, and hopefully
catch any outgoing viruses that somehow have managed to slip out. This also
reduces the number of points where a virus can enter your network, which means
you only need to update a few points of access if a new virus comes out. Filtering
on the mail server itself is critical. If a virus makes it through you need
to be able to remove it from your server to prevent re-infection of clients.
Scanning POP and IMAP access to your mailserver isn’t completely necessary,
but by using a different product than the one on your SMTP server or clients
you increase the chances of catching any viruses that make it through. Finally,
in almost all environments, you should install antivirus software on the end
workstation as there are numerous other paths (floppy disk, www, etc.) that
a virus can take to get into your network. In any event you should use two different
products if possible (one on your SMTP server, and one on your client workstations)
which greatly increases the chances of catching a virus and stopping it.

Blocking Attachments

One of the most surefire ways to stop most email born viruses is to restrict
the types of attachments you allow in. Blocking .VBS as a bare minimum will
stop many of the more recent ones that have successfully infected hundreds of
thousands of machines. There is almost no valid reason to attach a .VBS file
to an email and send it to someone (if you absolutely must send someone a .VBS
file, compress it first using WinZip or
something similar). Blocking other types of attachments will also significantly
reduce the risk to your network. Unfortunately, because of the many flaws in
Windows and its common programs (such as Office) almost every file attachment
is dangerous:

  • .TXT can actually be a Rich Text File (.RTF), and is executable under certain
    circumstances. These files can be dangerous. See http://securityportal.com/topnews/ms00-005.html

  • .HTML can easily be used to embed JavaScript, which, if run can cause a
    number of browser vulnerabilities

  • .DOC, .XLS, and other office file formats can all contain macros. Even
    if auto-run macros are disabled, the user will still be prompted for permission
    to run them. If run, the macro can do almost anything.

  • Various multimedia formats can contain malicious content that can crash
    a user’s machine or even execute malicious code.

Unix is not immune either. Pine, a very popular command line mailer for Unix
contains at least one known flaw that can allow an attacker to send malformed
email that can execute code on the users machines. Pine is disabled by default
in the OpenBSD ports collections.

There are numerous commercial and non-commercial solutions available to filter
email attachments, from Mime Sweeper to Mime Defang and even home grown solutions
using Postfix’s ability to filter email headers and bodies using regex. Unfortunately,
almost all extensions are dangerous (I block over 200 file extensions).


Related Links

Network Intrusion Detection Systems and Virus Scanners: Are They The Answer?
http://www.securityportal.com/closet/closet20000105.html


About the Author

Kurt Seifried ([email protected])
is a security analyst and the author of more security articles then you can
shake a stick at. Please do not send him mean email as it makes his email server
sad. He’s also a glutton for punishment and sushi.


SecurityPortal is the world’s foremost on-line resource and services
provider for companies and individuals concerned about protecting their
information systems and networks.
http://www.SecurityPortal.com
The Focal Point for Security on the Net ™

Latest Posts

Related Stories