Re: [fw-wiz] Securing email by inhibiting urls



Thanks for the response.



1. We block china but that doesnt stop mail being sourced from a
hacked American company

2. We don't allow any webmail access from our site. For business
reasons we are not allowed to block mail from anything but "freemail" sites
like gmail, hotmail etc.

3. We have Brightmail, Juniper IDS, ISS IDS and Symantec Antivirus
protecting all mail servers.



We don't have issues with executables etc in mail as attachments. We mostly
see encrypted .zip or Ms Excel/Word attachments in emails made to look like
they are coming from someone friendly. The well trained employee with a
short memory or bad recall clicks the attachment or url linked to a file and
game is over. These are zero day payloads that are not detected by anyone.
We have spent lots of money getting them reverse engineered and the security
firms are impressed. We can block all attachments but that doesn't stop a
user clicking a link to a hacked ford.com page that delivers payload (making
this up but its not far from true). With business constraints etc, our best
option now is to strip/modify urls/links in emails but our current systems
don't have that feature.



From: Mark E. Donaldson [mailto:markee@xxxxxxxxxxxxxxx]
Sent: Thursday, August 11, 2011 8:51 PM
To: chughes@xxxxxxx; Firewall Wizards Security Mailing List
Subject: RE: [fw-wiz] Securing email by inhibiting urls



You need to re-think how you handle mail. Two things:



1. Take out all Chinese IP addresses at the firewall. Nothing of value
comes out of China. 99% of it is toxic. Why let them even have a chance?



2. Direct webmail over the internet is dangerous at best. You need to
set up an SMTP mail proxy on your system that receives, processes, and
either accepts or rejects all incoming email. Use Sendmail + MailScanner +
SpamAssassin + Clamav. Won't cost you a cent and will take all bad stuff out
as you instruct it to do.



3. Mail that makes it through the proxy should then be directed to the
webmail server. It will be safe and clean.



From: firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx
[mailto:firewall-wizards-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Chris
Sent: Monday, August 01, 2011 11:47 AM
To: firewall-wizards@xxxxxxxxxxxxxxxxxxxxxxx
Subject: [fw-wiz] Securing email by inhibiting urls



A company I work for has been having great difficulty in securing against
email attacks. So far we have disabled access to webmail, implemented
rules and processes to block freemail services like hotmail etc until the
sender registers the address and of course a spam filter (BrightMail).
Attachment filtering is pretty strict as well.



The threat that presents the biggest challenge is url links in emails. The
common method of attack is an email from somedomain.com where they change
one character or otherwise make the address look valid (ie:
joe@xxxxxxxxxxxxxx or j0e@xxxxxxxxxxxxxx etc).



I was looking for a way to spot and block hyperlinks but it looks like the
only option I have is to filter on these and send them to a spam bin. I'd
rather yank the offending hyperlink and replace it with a message of some
sort. Unfortunately BrightMail doesn't offer that capability.



Any products that do this or ideas on a solution?



Thanks


--
This message has been scanned for viruses and dangerous
content by <http://www.mailscanner.info/> MailScanner, and is believed to
be clean.
MailScanner at <http://www.bandwidthco.com/> Bandwidthco Computer Security
is for your absolute protection.


--
This message has been scanned for viruses and dangerous
content by <http://www.mailscanner.info/> MailScanner, and is believed to
be clean.
MailScanner at <http://www.bandwidthco.com/> Bandwidthco Computer Security
is for your absolute protection.

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


Relevant Pages

  • Re: .eml attachments
    ... If I view these emails via my isp's webmail, ... fine and are not attachments. ... I have tried everything - turning off all ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)
  • Re: Reasons for blocking webmail access in the workplace...
    ... > block webmail in the workplace, because it ... > business emails via Outlook, but use yahoo to send 50 personal emails, ... unwanted files that the desktop virus scanners would not ... > new definitions, however, if we're relying on a desktop virus scanner ...
    (Security-Basics)
  • Re: Mindboggling Mystery
    ... Mr. Cochran: ... OE, did not arrive, and were resent from Comcast webmail). ... emails from daughter's OE do not ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)
  • Re: MR2/Ice problem
    ... If MR2ICE is now OK, ... Move the emails you stashed back into the webmail ... If it's a config file problem, I could restore one from a backup - I don't ...
    (comp.os.os2.apps)
  • Re: winmail.dat
    ... If you view that message sent from Outlook with another Outlook ... One question I am left w/ is this: Why are my webmail attachments on ... no such conversion occurs w/ my gmail account. ...
    (microsoft.public.windows.vista.mail)