On Fri, 7 Jul 2017, Alex wrote:

> On Fri, Jul 7, 2017 at 3:45 PM, John Hardin <jhar...@impsec.org> wrote:
>
>> On Fri, 7 Jul 2017, Alex wrote:
>>
>>> It's just a short body with a URI which downloads malware. We got hit
>>> by this pretty hard. This is where the real threats are. Receive one
>>> of these to an Exchange distribution list and your reputation with the
>>> customer suffers badly.
>>
>> Defense in depth. For that sort of thing you also need dynamic blocking of
>> the malware hosts (as much as is possible) in either your site web proxy (if
>> you have one) or your firewall rules.
>
> Yes, absolutely. We have scripts that can be used to populate local
> RBLs that extract the from, IPs, etc., and provide the ability to drop
> them into a postfix client_access blocklist. It's easy to stop them
> after the fact.

I'm not referring to email, I'm referring to the web clients that will try
to visit a malware hosting URL. Block malware downloads as much as
possible on the *outbound* (retrieval) side as well as on the inbound
(bait) side.

There are third-party sources for such information (e.g.
malwaredomains.com) that provide IP and domain name lists that you could
use to automate such filters proactively, rather than relying solely on
identified messages in your mail stream.

> The problem (in this case) was that they were received over the course
> of a few days during the 4th holiday, then we got burnt when everyone
> came back to the office.

Automated download blocking via malwaredomains and other such sources
might have mitigated that - the emails would still go through, but anybody
who fell for it and clicked on the download link might have been blocked
(malwaredomains et al. are, after all, reactive and imperfect, but they
are helpful).

> Generally, though, there could be ten malicious emails received, a
> handful will actually click, while others report them, which is enough
> to tarnish reputation.

Right.

> When there's a small handful of malicious emails that make it through,
> among hundreds of thousands received per day, it's just not possible
> to go through them. A more automated or assisted method is necessary,
> or better protection to begin with...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
Our government should bear in mind the fact that the American
Revolution was touched off by the then-current government
attempting to confiscate firearms from the people.
-----------------------------------------------------------------------
Today: Robert Heinlein's 110th birthday
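The two controls discussed in the thread above, an outbound block of malware-hosting domains at the web proxy or resolver fed from a third-party list, and the inbound Postfix access map built from extracted hosts, can both be generated from one normalized feed. The following Python script is an added example, not code from the thread or from either poster. The feed format it parses (one entry per line, `#` starting a comment) and the sample entries are constructed assumptions; the real malwaredomains.com file format may differ, and the Squid, unbound and Postfix fragments it emits are the editor's choice of targets, not something the thread prescribes.

```python
import ipaddress
import re

# Constructed sample feed (not real data). Assumed format: one entry per
# line, '#' starts a comment; the real malwaredomains.com format may differ.
SAMPLE_FEED = """\
# constructed sample feed
malware.example
  Evil-Download.EXAMPLE.   # trailing dot, mixed case, surrounding whitespace
payload.example.net
192.0.2.10
not a domain!
malware.example
"""

# Hostname per RFC 1035 label rules: 1-63 chars per label, 253 total, 2+ labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?:%s\.)+%s$" % (_LABEL, _LABEL))


def normalize(entry):
    """Drop comments, surrounding whitespace, case and a trailing dot.
    Returns None for blank or comment-only lines."""
    value = entry.split("#", 1)[0].strip().lower().rstrip(".")
    return value or None


def parse_feed(text):
    """Split a feed into (domains, ips), each sorted and de-duplicated.

    A line that is neither a valid IP nor a valid hostname is dropped rather
    than raising: one junk line in a feed must not stop the whole map from
    being regenerated."""
    domains, ips = set(), set()
    for line in text.splitlines():
        value = normalize(line)
        if value is None:
            continue
        try:
            ips.add(str(ipaddress.ip_address(value)))
            continue
        except ValueError:
            pass  # not an IP literal; try it as a hostname
        if _HOSTNAME_RE.match(value):
            domains.add(value)
    return sorted(domains), sorted(ips, key=ipaddress.ip_address)


def squid_dstdomain_acl(domains):
    """Body of a Squid dstdomain ACL file; a leading dot also matches subdomains."""
    return "".join(f".{d}\n" for d in domains)


def unbound_local_zones(domains):
    """unbound.conf fragment: NXDOMAIN for each domain and everything under it."""
    return "".join(f'local-zone: "{d}." always_nxdomain\n' for d in domains)


def postfix_access_map(domains, ips):
    """Postfix access(5) fragment for check_client_access / check_sender_access.

    A bare 'domain.tld' key matches subdomains only when
    parent_domain_matches_subdomains lists smtpd_access_maps, so the explicit
    '.domain.tld' key is emitted as well; IP literals are matched as written."""
    lines = [f"{d} REJECT listed malware host" for d in domains]
    lines += [f".{d} REJECT listed malware host" for d in domains]
    lines += [f"{ip} REJECT listed malware host" for ip in ips]
    return "".join(line + "\n" for line in lines)


if __name__ == "__main__":
    doms, addrs = parse_feed(SAMPLE_FEED)
    print(squid_dstdomain_acl(doms))
    print(unbound_local_zones(doms))
    print(postfix_access_map(doms, addrs))
```

The Postfix fragment still has to be compiled with `postmap` after it is written, and the Squid file is referenced from squid.conf as `acl malware dstdomain "/path/to/file"` followed by `http_access deny malware`. Regenerating all three outputs from the same parsed feed, on a schedule, is what keeps the outbound (retrieval) block and the inbound (bait) block in step, which is the defense-in-depth point made in the thread.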