Chuck Swiger wrote:
> Tom Metro wrote:
>> Is there really much practical value to outbound scanning?

> Yes. I've seen employees download viral mail from some other service (AOL, fastmail.fm, gmail, whatever) to their corporate desktop, get infected, and have their machine start spewing malicious email out.

I have no doubt that machines inside corporate networks get infected. All you have to do is listen to the news after one of the big virus outbreaks to hear plenty of evidence of that. (Though such news has become rare. Probably more due to shifting goals of malware authors than due to improved virus detection.)


>> Even if a zombie was inside a corporate network, how likely is it to use the SMTP relay that happens to be configured in some mail client on the compromised machine?

> Using the configured SMTP relay seems to be the most common case;

I'm surprised to hear that. I wouldn't put it past the malware writers, especially after reading the article that was recently posted here that detailed how sophisticated some of the malware has become.

At best, though, I wouldn't think malware could be reliant on finding an SMTP relay, as such settings are MUA-specific. Sure, they could just be designed to read Outlook and Thunderbird settings and work in the majority of the cases, but to be reliable they'd need to fall back on direct SMTP connections.

And actually I'd expect malware writers to avoid using SMTP relays, as their intended target to infect is home users, whose SMTP relay is going to be an ISP, who likely has outbound message limits. So if anything, they'd use direct SMTP connections as the first choice, and maybe the SMTP relay as a backup, if at all.

Of course what is prevalent today is probably very different from what was prevalent 4 or 5 years ago. Before there was a malware "industry," the typical malware was an ego booster or prank that was distributed by hijacking Outlook. It wasn't a business whose success was measured by being able to send the most emails while not getting noticed.

I'd be curious to know if you can point to a data source that supports your statement above. (I'm not implying that it isn't true.)


> ...and using a firewall to block outbound port 25 except from your legitimate mail relay, you can do a lot to keep your domain from contributing to the problem.

If egress filtering is cheaper and faster to implement, and stops the majority of malware out there today, I'm wondering if the mail community would be better off encouraging it as a first step, maybe rate limiting on the relay as a second step, and consider outbound scanning as an improvement to possibly be implemented later.

In the short term the real problem is probably a lack of low cost routers that even permit outbound blocking, or are sophisticated enough to block all but a certain IP address for outbound. I'm not aware of any "broadband" router appliances that can do this, but for most home users, where the relay is outside the firewall, it wouldn't help.

I don't think you can entirely dismiss outbound scanning, as malware evolves to get around the blocks that are put before it. Though again, if their target is home network users, and they continue to be easy pickings, they may not think it worth their time to adjust their software to work inside corporate networks. Although with some ISPs blocking port 25, the home environment is starting to look more like the corporate environment.


>> Isn't the vast majority of viruses and spam sent via zombies on unfirewalled (outbound) home networks?

> otherwise, here are sorted lists of the data where we'd gotten at least ten spammy messages from that source:

> http://www.codefab.com/AV/spammers_by_hostname.txt

Almost all the domains in your file seem to follow the patterns common to dynamic IP blocks at ISPs. That suggests that the vast majority of malware is coming from home users.


> ...adding SPF records...

SPF may not be very helpful in the scenario we're discussing, where you might have a LAN full of end-users and a mail relay both connected via a NAT router with a single public IP.


>> For any small shop that keeps a close eye on their machines and network traffic, I'd think the overhead of scanning every outbound message would be a waste.

> It's not very expensive in terms of CPU resources to scan normal messages, usually.

Dennis Peterson made a valid point that reducing the quantity of malware introduced into the Internet permits him to reduce the quantity of messages he needs to scan. (Though I still haven't been convinced that outbound scanning would actually have much impact on that quantity.)

Obviously there is a recognition that reducing the quantity of scanned mail saves resources. So it follows that not scanning outbound mail, if it is considered to be of very low risk, would also be worth avoiding.

But it isn't just a matter of computing resources. There is also labor involved, possibly significant, if outbound relaying is handled on a separate machine, and to virus scan would require maintaining another virus scanning installation. And don't forget the labor required to track down bugs and misconfigurations that cause virus software to incorrectly reject users' mail.

My point with respect to organization size is that in a large company some machine spewing a few 100,000 emails over the corporate mail relay cluster might not be noticed, but the small shop with a single CPU mail relay and a DSL link is probably going to notice either direct SMTP or relayed traffic fairly quickly. But maybe not...it all depends on how carefully the admin keeps tabs on things and how well the malware has been designed to not be noticed.

 -Tom

--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
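The egress-filtering and "would the admin notice" points above, as an added example that is not part of the thread and not code from either poster. It assumes a hypothetical relay address (192.168.1.25), hypothetical interface names, and a netfilter-style `SRC=/DST=/DPT=` log format; the log lines are constructed for the example. It renders the "block outbound 25 except from the relay" rule as an nftables ruleset, and runs two checks over the firewall's drop log: which non-relay hosts tried to talk to port 25 directly, and which of them fanned out to enough distinct destination MTAs to look like a spewing machine rather than a single misconfigured mail client.

```python
"""Outbound-SMTP egress policy: render the rule, then audit the log it produces.

Assumptions (not from the thread): relay address, interface names, log format.
"""
import re
from collections import Counter

# Hypothetical legitimate mail relay on the LAN (assumption).
LEGIT_RELAY = "192.168.1.25"

# Netfilter-style log line fields we care about (assumed format).
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*DPT=(?P<dpt>\d+)")

# Constructed sample log: the relay sending normally, one workstation
# connecting directly to three different MTAs, one host doing a web hit
# and a single port-25 attempt (e.g. a misconfigured MUA).
SAMPLE_LOG = """\
Mar  3 10:00:01 fw kernel: OUT=eth0 SRC=192.168.1.25 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=25
Mar  3 10:00:02 fw kernel: OUT=eth0 SRC=192.168.1.77 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=25
Mar  3 10:00:02 fw kernel: OUT=eth0 SRC=192.168.1.77 DST=198.51.100.6 PROTO=TCP SPT=51002 DPT=25
Mar  3 10:00:03 fw kernel: OUT=eth0 SRC=192.168.1.77 DST=198.51.100.7 PROTO=TCP SPT=51003 DPT=25
Mar  3 10:00:04 fw kernel: OUT=eth0 SRC=192.168.1.80 DST=203.0.113.20 PROTO=TCP SPT=52000 DPT=443
Mar  3 10:00:05 fw kernel: OUT=eth0 SRC=192.168.1.80 DST=198.51.100.8 PROTO=TCP SPT=52001 DPT=25
"""


def parse_smtp_attempts(log_text):
    """Yield (src, dst) for every outbound TCP connection attempt to port 25."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "25":
            yield m.group("src"), m.group("dst")


def policy_violations(log_text, relay=LEGIT_RELAY):
    """Count direct port-25 attempts per non-relay host.

    Under 'block 25 except from the relay' every entry here is traffic the
    firewall dropped and the admin should look at; the relay itself is exempt.
    """
    counts = Counter()
    for src, _dst in parse_smtp_attempts(log_text):
        if src != relay:
            counts[src] += 1
    return counts


def suspected_spewers(log_text, relay=LEGIT_RELAY, threshold=3):
    """Non-relay hosts that reached at least `threshold` distinct destination MTAs.

    A misconfigured mail client keeps hitting one server; a zombie delivering
    direct-to-MX fans out to many, so distinct destinations separate the two.
    """
    dests = {}
    for src, dst in parse_smtp_attempts(log_text):
        if src != relay:
            dests.setdefault(src, set()).add(dst)
    return sorted(host for host, d in dests.items() if len(d) >= threshold)


def nft_egress_rules(relay=LEGIT_RELAY, lan_if="eth1", wan_if="eth0"):
    """Render the egress rule as an nftables ruleset (interface names assumed).

    Port 25 is accepted from the relay and logged-then-dropped from everyone
    else, so the checks above have data to work with.
    """
    return (
        "table inet egress {\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        f'    iifname "{lan_if}" oifname "{wan_if}" ip saddr {relay} tcp dport 25 accept\n'
        f'    iifname "{lan_if}" oifname "{wan_if}" tcp dport 25 log prefix "SMTP-EGRESS-DROP " drop\n'
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    print(nft_egress_rules())
    print("direct port-25 attempts by non-relay hosts:", dict(policy_violations(SAMPLE_LOG)))
    print("suspected spewers:", suspected_spewers(SAMPLE_LOG))
```

Run against real logs the threshold should be tuned to the site; the point of the distinct-destination count is that a single dropped connection is usually a misconfigured client, while fan-out to many MTAs is the signature of a machine delivering mail on its own.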
http://lurker.clamav.net/list/clamav-users.html
