Re: [fw-wiz] Securing email by inhibiting urls

You are focusing on the wrong problem. If desktops are being infected then
your desktop, anti-spam, and web browsing controls are all weak.
Eliminating "links" in e-mail is going to accomplish nothing.

A commercial web content filter for web browsing will go a long way to
resolving your issues. Most commercial content filters are continuously
updated throughout the day and much can be filtered out via categories. We
went from several desktop issues a day to one desktop issue a week after
implementing a commercial web proxy. We then updated the browser and
implemented a new anti-virus solution. The desktop environment has now gone
completely stable. We haven't had a serious issue in months, freeing up
our time to do other things.

You should also evaluate your desktop hardening and patching processes.


On Thu, Aug 11, 2011 at 6:37 AM, Chris <chughes@xxxxxxx> wrote:

This won't work. This site is under constant attack from China and randomly
hacked domains that are used as relays are not on any watch lists. We are
talking zero day here. There are no signatures for the payload if a user
clicks these links. Right now user awareness is our best line of defense
and we all know how reliable that is.

Until I can disable a user's ability to click a URL in an email that appears
to come from a trusted source, I'm fighting constant infection. We
regularly spot infections (read WE, not our security systems), that are
resident in our network and have been there days/weeks/months. We
have at least one that we are watching to see what it is trying to do
shutting it down....

-----Original Message-----
From: Mathew Want [mailto:imortl1@xxxxxxxxx]
Sent: Thursday, August 11, 2011 1:19 AM
To: chughes@xxxxxxx; Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] Securing email by inhibiting urls

Perhaps it may be worth looking at it from the other angle.

If you have URLs being accessed from your environment (from emails or
other sources) these can be channeled via a proxy on the client end.
You could then control the URL categorization and/or blocking via that
method. Many proxy services get updates of known bad domains and block
these automatically (similar to AV updates). This is not directly tied
to the mail system, but should give you an option to still control the
outbound requests to attack URLs.

Just a thought.
Mathew Want

On 2 August 2011 04:46, Chris <chughes@xxxxxxx> wrote:
A company I work for has been having great difficulty in securing against
email attacks. So far we have disabled access to webmail, implemented
rules and processes to block freemail services like hotmail etc until the
sender registers the address and of course a spam filter (BrightMail).
Attachment filtering is pretty strict as well.

The threat that presents the biggest challenge is url links in emails.
common method of attack is an email from where they
one character or otherwise make the address look valid (ie:
joe@xxxxxxxxxxxxxx or j0e@xxxxxxxxxxxxxx etc).

I was looking for a way to spot and block hyperlinks but it looks like
only option I have is to filter on these and send them to a spam bin.
rather yank the offending hyperlink and replace it with a message of some
sort. Unfortunately BrightMail doesn’t offer that capability.

Any products that do this or ideas on a solution?


firewall-wizards mailing list

"Some things are eternal by nature,
others by consequence"


Tim Shea, CISSP
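
The capability asked for in the original post (pull the hyperlink and leave a message in its place when the sender address is a near-miss of a real one, as in joe@ versus j0e@) can be expressed as a mail-gateway filter. The following is an added example, not code from the thread or from any product named in it; the known-sender list, the replacement wording, the edit-distance threshold of 2 and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

KNOWN_SENDERS = {"joe@example.com"}        # assumption: your real correspondents
NOTICE = "[link removed by mail gateway]"  # assumption: replacement wording
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://[^\s<>\"']+")

# Constructed sample: sender is one character off a known address.
SAMPLE = """\
From: Joe <j0e@example.com>
Subject: invoice

Please review http://203.0.113.5/invoice and reply.
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(addr):
    """True if addr is within 2 edits of a known sender without being one."""
    addr = addr.lower()
    return addr not in KNOWN_SENDERS and any(
        edit_distance(addr, known) <= 2 for known in KNOWN_SENDERS)

def defang(msg):
    """Replace URLs in all text parts of a lookalike-sender message; return count."""
    sender = parseaddr(str(msg.get("From", "")))[1]
    if not is_lookalike(sender):
        return 0
    removed = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skips multipart containers and binary attachments
        body, n = URL_RE.subn(NOTICE, part.get_content())
        if n:  # in text/html this also blanks href values, leaving dead anchors
            part.set_content(body, subtype=part.get_content_subtype())
            removed += n
    return removed

if __name__ == "__main__":
    m = message_from_string(SAMPLE, policy=policy.default)
    print(defang(m), m.get_content().strip())
```

A From header can also be forged to match a known sender exactly, which this check does not detect; it only covers the near-miss addresses described in the original post.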