Chuck Swiger wrote:
> Tom Metro wrote:
>> Is there really much practical value to outbound scanning?
>
> Yes. I've seen employees download viral mail from some other service
> (AOL, fastmail.fm, gmail, whatever) to their corporate desktop, get
> infected, and have their machine start spewing malicious email out.

I have no doubt that machines inside corporate networks get infected.
All you have to do is listen to the news after one of the big virus
outbreaks to hear plenty of evidence of that. (Though such news has
become rare. Probably more due to shifting goals of malware authors
than due to improved virus detection.)

>> Even if a zombie was inside a corporate network, how likely is it
>> to use the SMTP relay that happens to be configured in some mail
>> client on the compromised machine?
>
> Using the configured SMTP relay seems to be the most common case;

I'm surprised to hear that. I wouldn't put it past the malware writers,
especially after reading the article that was recently posted here that
detailed how sophisticated some of the malware has become.
At best, though, I wouldn't think malware could be reliant on finding an
SMTP relay, as such settings are MUA-specific. Sure, they could just be
designed to read Outlook and Thunderbird settings and work in the
majority of the cases, but to be reliable they'd need to fall back on
direct SMTP connections.
And actually I'd expect malware writers to avoid using SMTP relays, as
their intended target to infect is home users, whose SMTP relay is going
to be an ISP, who likely has outbound message limits. So if anything,
they'd use direct SMTP connections as the first choice, and maybe the
SMTP relay as a backup, if at all.
Of course what is prevalent today is probably very different from what
was prevalent 4 or 5 years ago. Before there was a malware "industry,"
the typical malware was an ego booster or prank that was distributed by
hijacking Outlook. It wasn't a business whose success was measured by
being able to send the most emails while not getting noticed.
I'd be curious to know if you can point to a data source that supports
your statement above. (I'm not implying that it isn't true.)

> ...and using a firewall to block outbound port 25 except from your
> legitimate mail relay, you can do a lot to keep your domain from
> contributing to the problem.

If egress filtering is cheaper and faster to implement, and stops the
majority of malware out there today, I'm wondering if the mail community
would be better off encouraging it as a first step, maybe rate limiting
on the relay as a second step, and consider outbound scanning as an
improvement to possibly be implemented later.
In the short term the real problem is probably a lack of low cost
routers that even permit outbound blocking, or are sophisticated enough
to block all but a certain IP address for outbound. I'm not aware of any
"broadband" router appliances that can do this, but for most home users,
where the relay is outside the firewall, it wouldn't help.
I don't think you can entirely dismiss outbound scanning, as malware
evolves to get around the blocks that are put before it. Though again,
if their target is home network users, and they continue to be easy
pickings, they may not think it worth their time to adjust their
software to work inside corporate networks. Although with some ISPs
blocking port 25, the home environment is starting to look more like the
corporate environment.

>> Isn't the vast majority of viruses and spam sent via zombies on
>> unfirewalled (outbound) home networks?
>
> otherwise, here are sorted lists of the data where we'd gotten at
> least ten spammy messages from that source:
> http://www.codefab.com/AV/spammers_by_hostname.txt

Almost all the domains in your file seem to follow the patterns common
to dynamic IP blocks at ISPs. That suggests that the vast majority of
malware is coming from home users.

> ...adding SPF records...

SPF may not be very helpful in the scenario we're discussing, where you
might have a LAN full of end-users and a mail relay both connected via a
NAT router with a single public IP.

>> For any small shop that keeps a close eye on their machines and network
>> traffic, I'd think the overhead of scanning every outbound message would
>> be a waste.
>
> It's not very expensive in terms of CPU resources to scan normal
> messages, usually.

Dennis Peterson made a valid point that reducing the quantity of malware
introduced into the Internet permits him to reduce the quantity of
messages he needs to scan. (Though I still haven't been convinced that
outbound scanning would actually have much impact on that quantity.)
Obviously there is a recognition that reducing the quantity of scanned
mail saves resources. So it follows that not scanning outbound mail, if
it is considered to be of very low risk, would also be worth avoiding.
But it isn't just a matter of computing resources. There is also labor
involved, possibly significant, if outbound relaying is handled on a
separate machine, and to virus scan would require maintaining another
virus scanning installation. And don't forget the labor required to
track down bugs and misconfigurations that cause virus software to
incorrectly reject users' mail.
My point with respect to organization size is that in a large company
some machine spewing a few 100,000 emails over the corporate mail relay
cluster might not be noticed, but the small shop with a single CPU mail
relay and a DSL link is probably going to notice either direct SMTP or
relayed traffic fairly quickly. But maybe not...it all depends on how
carefully the admin keeps tabs on things and how well the malware has
been designed to not be noticed.
-Tom
--
Tom Metro
Venture Logic, Newton, MA, USA
"Enterprise solutions through open source."
Professional Profile: http://tmetro.venturelogic.com/
http://lurker.clamav.net/list/clamav-users.html
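The small-shop case discussed in the post above, where the admin of a single relay notices a machine spewing through it, and the relay rate limiting suggested as a second step after egress filtering: an added example, not from the list post or from ClamAV, that scans constructed Postfix-style relay logs for LAN clients submitting mail at an abnormal rate. The log format, hostnames, addresses and threshold are all assumptions.

```python
"""Flag LAN hosts that push mail through the relay at an abnormal rate."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a Postfix-like syslog format (an assumption about
# the relay's logging; adjust LINE_RE for a different MTA). desk7 is the spewer.
SAMPLE_LOG = """\
Mar  3 09:00:01 relay postfix/smtpd[101]: 9A1: client=desk1.lan[192.168.1.10]
Mar  3 09:00:02 relay postfix/smtpd[102]: 9A2: client=desk7.lan[192.168.1.17]
Mar  3 09:00:03 relay postfix/smtpd[103]: 9A3: client=desk7.lan[192.168.1.17]
Mar  3 09:00:04 relay postfix/smtpd[104]: 9A4: client=desk7.lan[192.168.1.17]
Mar  3 09:00:05 relay postfix/smtpd[105]: 9A5: client=desk7.lan[192.168.1.17]
Mar  3 09:00:06 relay postfix/smtpd[106]: 9A6: client=desk7.lan[192.168.1.17]
Mar  3 09:00:07 relay postfix/smtpd[107]: 9A7: client=desk7.lan[192.168.1.17]
Mar  3 09:05:00 relay postfix/smtpd[108]: 9A8: client=desk1.lan[192.168.1.10]
Mar  3 09:07:30 relay postfix/smtpd[109]: 9A9: client=desk2.lan[192.168.1.11]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"\w+: client=(?P<host>\S+)\[(?P<ip>[\d.]+)\]"
)

def parse_submissions(log_text):
    """Return {client_ip: [timestamp, ...]} for each accepted submission."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a submission line; ignore it
        # syslog lines carry no year; one calendar year is enough for ordering
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        by_ip[m.group("ip")].append(ts)
    return by_ip

def peak_rate(timestamps, window_seconds=60):
    """Largest number of submissions from one client in any sliding window."""
    ts = sorted(timestamps)
    best, left = 0, 0
    for right, t in enumerate(ts):
        while (t - ts[left]).total_seconds() > window_seconds:
            left += 1
        best = max(best, right - left + 1)
    return best

def find_spewers(log_text, threshold=5, window_seconds=60):
    """Clients whose peak rate exceeds `threshold` messages per window.
    The threshold is a constructed value; tune it to the site's normal load."""
    rates = {ip: peak_rate(ts, window_seconds)
             for ip, ts in parse_submissions(log_text).items()}
    return {ip: r for ip, r in rates.items() if r > threshold}

if __name__ == "__main__":
    for ip, rate in find_spewers(SAMPLE_LOG).items():
        print(f"{ip}: {rate} submissions within 60s, worth a look")
```

The same peak-rate figure can drive a per-client submission limit on the relay rather than only an alert.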