[PLUG] stopping outgoing virus mail
Russell Evans
russell-evans at uswest.net
Mon Mar 17 16:08:02 UTC 2003
Why not block all host machines from using any destination port 25 except the
configured SMTP host for the network? Logging the denied connection and having
a log analyzer pick up the alert could easily fit your alarm requirement. I
think this might be a better solution than port forwarding and relying on the
SMTP server to identify an infected host. I would think that host / IP
information of the infected box could be lost in forwarding.
Thank you
Russell
On 17 Mar 2003 13:55:02 -0800, AthlonRob said:
> On Mon, 2003-03-17 at 13:45, Carla Schroder wrote:
> > spyware phoning home, and other nasties. So I'm hunting for something similar
> > for outgoing email sent by viruses. But I'm stuck on what to filter on.
>
> Are you talking about the nasties that talk smtp themselves rather than
> relying on your lookOut Express installation?
>
> If you're running AMaViS, could you just run a filter directing all
> outgoing port 25 connections back to your own mail server? That's what
> AOL does (although without the AMaViS part).
>
> $IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT \
> --to-port 4080
>
> is what I use for my transparent http proxy... but I don't know if you
> can direct --dport 25 back to --to-port 25 or if that would give you a
> loop.
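An added example, not from the thread, of the policy Russell describes: iptables rules for a Linux gateway that let LAN hosts reach port 25 only on the configured mail server and log and reject everything else, plus a small log-analyzer function that pulls the denied source addresses out of the resulting kernel log lines. The interface name, subnet, SMTP host address and the sample log lines are all assumed or constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: LAN interface eth1,
# LAN subnet 192.168.1.0/24 and an internal SMTP relay at 192.168.1.25.
INTIF=eth1
LAN=192.168.1.0/24
SMTP_HOST=192.168.1.25

# Print the gateway rules rather than applying them, so they can be reviewed
# (or piped to sh as root) without touching the live firewall.
smtp_egress_rules() {
    cat <<EOF
iptables -A FORWARD -i $INTIF -s $LAN -d $SMTP_HOST -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $INTIF -s $LAN -p tcp --dport 25 -m limit --limit 6/min -j LOG --log-prefix "SMTP-DENY: "
iptables -A FORWARD -i $INTIF -s $LAN -p tcp --dport 25 -j REJECT --reject-with tcp-reset
EOF
}

# Log analyzer: read kernel log lines on stdin and print each LAN source
# address that was denied, with its attempt count, most frequent first.
# One host hitting many different destinations on port 25 is the alarm signal.
denied_smtp_sources() {
    grep 'SMTP-DENY: ' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# Constructed sample log lines so the analyzer can be run offline.
SAMPLE_LOG='Mar 17 16:08:02 gw kernel: SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.10 PROTO=TCP SPT=1034 DPT=25
Mar 17 16:08:02 gw kernel: SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=203.0.113.11 PROTO=TCP SPT=1035 DPT=25
Mar 17 16:08:03 gw kernel: SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.57 DST=198.51.100.8 PROTO=TCP SPT=1036 DPT=25
Mar 17 16:08:05 gw kernel: SMTP-DENY: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.9 PROTO=TCP SPT=2201 DPT=25
Mar 17 16:08:05 gw kernel: UNRELATED: IN=eth1 OUT=eth0 SRC=192.168.1.12 DST=198.51.100.9 PROTO=TCP SPT=2202 DPT=80'

# Returns only the address with the most denied attempts in the sample log.
top_smtp_offender() {
    printf '%s\n' "$SAMPLE_LOG" | denied_smtp_sources | head -n 1 | awk '{print $2}'
}
```

Because the rules live on the gateway's FORWARD chain, the SRC= field in each log line is the real address of the host that tried to talk SMTP, which is the detail Russell was worried would be lost with a port-forwarding approach.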