Although the ins and outs of installing and configuring e-mail content filtering are outside the scope of this book, there are a number of concepts and recommendations regarding e-mail content filtering we can discuss that will give you information you can take back to your e-mail administrators as measures they can take to help protect the network infrastructure. Here are some of the things to consider when looking at how to protect your network from e-mail-based threats:
Implementing virus protection
Filtering attachments
Implementing content filtering
Implementing spam control
E-mail is the predominant method of spreading viruses and worms today. Incidents such as the Melissa virus demonstrated that companies simply cannot afford to overlook having controls in place to prevent e-mail-borne viruses from entering their organization. There are two predominant techniques for addressing e-mail-based viruses and worms.
The first technique is to implement virus protection on the end-user systems. Typically, e-mail scanning on the end-user system is implemented as a component of the end-user system's virus-protection software. For example, Network Associates VirusScan Enterprise has a component that will scan the client e-mail program (for example, Outlook) for viruses in addition to protecting the operating system against viruses. The benefit of this implementation is that you are getting e-mail protection without needing to implement anything special on the end-user system. In other words, because you need to be running virus protection on the end-user system anyway, it doesn't hurt anything to have that same product scan the e-mail users receive. There are a couple of downsides to this, however. First, it can be very difficult to update a large organization in the event of a new virus being spread by e-mail. The longer it takes to update your virus protection, the longer you will be susceptible to the threat. In addition, client-based virus scanning relies on the user receiving the e-mail before it can be scanned and cleaned. In many cases, e-mail-based viruses cannot be cleaned but rather wind up being quarantined, where a user could potentially run them. Even with these downsides, you should run client-based e-mail virus protection as a component of your overall end-user virus security policy.
Many client-based e-mail antivirus products have the ability to e-mail the source of the infection to inform that person that they are infected with a virus. Unfortunately, this has become a case of "the road to hell is paved with good intentions." As is more and more the case, e-mail-based worms will spoof the e-mail address that the infected e-mail came from, which in turn causes the antivirus auto-response to go to someone who didn't actually send the e-mail. The net result is that the "you have been infected" auto-response messages increase the impact of the virus outbreak by clogging up e-mail gateways and mailboxes with essentially worthless junk e-mail. Therefore, you should turn this feature off.
In addition to implementing end-user antivirus protection, you should implement antivirus protection on your e-mail gateways. This mitigates the drawbacks of a client-only solution. First, you no longer need to update thousands of client systems in the event of a new virus, which decreases the amount of time it takes to be effectively protected. You simply update your gateways to gain the immediate protection you need; then you can update the client systems at a much more leisurely rate. Second, implementing virus protection on your e-mail gateways will catch and clean or quarantine the virus before it gets to the end users. This eliminates any chance of the users inadvertently launching the virus. Some examples of gateway-based virus protection are Network Associates GroupShield, Symantec AntiVirus Enterprise Edition (which contains e-mail gateway antivirus components), and GFI Mail Security.
In addition to you running antivirus protection on your e-mail gateway, many vendors are offering e-mail antivirus functionality integrated with the Internet gateway/firewall. For example, Netscreen and Fortinet both provide embedded antivirus protection in many of their firewall products. In addition, Check Point Firewall-1 and Microsoft ISA Server both accept the use of third-party plug-ins to provide antivirus capabilities at the firewall.
Another effective method of preventing the spread of e-mail-based viruses and worms is to block certain attachments from being able to enter and exit your network. Simply put, some things just do not need to be e-mailed (for example, executables). At a minimum, Microsoft recommends that you block the following attachments on your e-mail gateways:
Extension | Description
*.{*} | CLSID code
asd | Advanced Streaming Format Description file
asf | Active Streaming file
asx | Microsoft Windows Active Stream Redirector
ade | MS Access Project extension
adp | MS Access Project
bas | Visual Basic class module
bat | Batch file
chm | Compiled HTML Help file
cmd | Windows NT command script
com | MS-DOS application
cpl | Control Panel extension
crt | Security certificate
dll | Dynamic Link Library
exe | Application
hlp | Windows Help file
hta | HTML application
hto | Hierarchical Tagged Objects
inf | Setup information file
ins | Internet communication settings
isp | Internet communication settings
js | JScript file
jse | JScript encoded script file
lnk | Shortcut
mdb | Microsoft Access database
mde | Microsoft Access MDE database
msc | MS common console document
msi | Microsoft Windows Installer package
msp | Microsoft Windows Installer patch
mst | Visual Test source file
ocx | OLE Control Extension
pcd | Photo CD image, Visual Basic file
pif | Shortcut to MS-DOS program
reg | Registration entries
scr | Screensaver
sct | Windows Script component
sh | Shell script
shb | Embedded shortcut
shs | Shell scrap object
url | Internet shortcut
vb | VBScript file
vbe | VBScript encoded script file
vbs | VBScript script file
vcs | vCalendar file
wmd | Windows Media Download
wms | Windows Messaging System
wmz | Windows Media Skins
wsc | Windows Script component
wsf | Windows script file
wsh | Windows Scripting Host settings file
In addition, you should take a hard look at whether you need the following attachments to be permitted between your internal network and the Internet. Unfortunately, the business needs for many of these may preclude your ability to filter them.
Extension | Description
doc | Microsoft Word document
dot | Microsoft Word template
mcw | Microsoft Word for Macintosh
xla | Microsoft Excel add-in
xls | Microsoft Excel spreadsheet
xlt | Microsoft Excel template
zip | Compressed file
E-mail content filtering serves a number of roles in protecting your organization. First, it can detect whether content that is being sent or received is attempting to circumvent your existing antivirus or e-mail security policy. For example, many users will rename an attachment they want to send when they know that type of attachment will be filtered. Content-filtering software is not fooled by this because it does not rely on the file extension or file name to determine the file type. Instead, it examines the file headers to determine what the file actually is.
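As an added illustration (not code from the book or from any of the products it names), the following shows the difference between extension-based attachment blocking and header-based type detection: an executable renamed to a harmless-looking extension passes the first check and is caught by the second. The extension list is a subset of the one above; the signature table is a small constructed set of well-known file headers.

```python
# Added example: attachment inspection by extension and by file header.
import os

# Subset of the extensions the chapter recommends blocking at the gateway.
BLOCKED_EXTENSIONS = {"exe", "com", "scr", "pif", "bat", "cmd", "vbs", "js", "dll"}

# Constructed signature table: leading bytes -> file type. A content filter's
# real table is much larger; these are the well-known headers.
MAGIC_SIGNATURES = [
    (b"MZ", "pe-executable"),                                 # .exe/.dll/.scr
    (b"PK\x03\x04", "zip-archive"),                           # .zip (also .docx, .jar)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole-document"),    # legacy .doc/.xls
    (b"%PDF", "pdf"),
]

# Types that are executable no matter what the attachment is named.
EXECUTABLE_TYPES = {"pe-executable"}


def sniff_type(data: bytes) -> str:
    """Identify a file by its header rather than by its name."""
    for magic, kind in MAGIC_SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def extension_of(filename: str) -> str:
    """Normalised final extension ('report.txt.exe' -> 'exe')."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def assess_attachment(filename: str, data: bytes) -> tuple:
    """Return (verdict, reason) where verdict is 'block' or 'allow'."""
    ext = extension_of(filename)
    kind = sniff_type(data)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"extension .{ext} is on the block list"
    if kind in EXECUTABLE_TYPES:
        # The renamed-attachment case: the name lies, the header does not.
        return "block", f"header identifies {kind} despite .{ext} extension"
    return "allow", f"{kind} with .{ext} extension"
```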
Second, content filtering can be used to scan for phrases, words, and other objectionable content for the same reasons that you filter Internet content. In addition, content-filtering software can prevent the use of HTML-formatted, rich text format, or other high-risk e-mail formats. Some vendors of e-mail content-filtering software are SurfControl and GFI.
Spam control is a relatively unique aspect of network hardening in the sense that, in most cases, spam does not have the kind of impact that viruses or objectionable content do (although many times spam contains objectionable content). Spam is more in the realm of a nuisance than a real threat. This nuisance, however, can have a tangible financial impact on an organization. When you consider that estimates put the percentage of spam e-mail messages at 40 to 50 percent of all e-mail messages, the bandwidth cost of spam is substantial. Some estimates have placed the cost of spam on Korean Internet users and ISPs at $2.25 billion a year, and that is just Korea! In addition, the lost productivity of users dealing with spam is quite large. Some research has placed the cost of the time each employee wastes on e-mail at $4,000 a year. Although this does not exclusively refer to the cost of spam, the total cost in wasted productivity is roughly $130 billion, and even a conservative estimate would put the share of that cost attributable to dealing with spam in the billions.
The single most important thing you can do to protect against spam is to ensure that your e-mail servers are not open relays. Spammers do not use their own bandwidth for sending these e-mails. Instead, they attempt to locate open relays on the Internet and route the spam through them. You can test whether your system is an open relay at http://www.abuse.net/relay.html. For information about how to prevent your e-mail server from being an open relay, refer to your e-mail vendor's documentation.
Once you have taken steps to ensure that you are not part of the spam problem, the next step is to implement protection mechanisms to protect your systems from receiving spam. A common method of protecting against spam is through the use of DNS blacklists and open-relay database programs. These function by maintaining a list of IP addresses that spam is known to originate from (DNS blacklists) or a database of open relays (open-relay database programs). When an e-mail is received, the destination system queries the blacklist or open-relay database server to see whether the sending system's IP address is listed. If it is, the e-mail message is rejected. If it is not, the e-mail message is accepted. There are a number of well-known systems you can use for DNS blacklist and open-relay databases, including the following:
MAPS RBL http://www.mail-abuse.org/rbl/
ORDB http://www.ordb.org/
Spamcop http://www.spamcop.net/
Monkeys.com http://www.monkeys.com/upl/index.html
RFC-Ignorant http://www.rfc-ignorant.org/
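The lookup the receiving server performs against a DNS blacklist, as an added example that is not from the book or from any of the services listed above: the connecting host's IPv4 address is reversed octet by octet and prefixed to the list's zone, and an A record in 127.0.0.0/8 means "listed". The zone names and DNS answers below are constructed, and the resolver is injected so the example runs offline; a real gateway would pass its DNS client instead.

```python
# Added example: how a mail gateway consults DNS blacklists / open-relay lists.
import ipaddress

LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")   # DNSBL "listed" answers


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Build the lookup name: 203.0.113.5 in zone Z -> 5.113.0.203.Z"""
    addr = ipaddress.IPv4Address(client_ip)            # rejects malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def is_listed(client_ip: str, zone: str, resolve) -> bool:
    """resolve(name) returns the A records for name, or [] for NXDOMAIN.

    Only answers inside 127.0.0.0/8 count as a listing. Anything else is a
    misconfigured or dead list (some expired zones answer every query), and
    honouring it would reject all inbound mail.
    """
    answers = resolve(dnsbl_query_name(client_ip, zone))
    return any(ipaddress.IPv4Address(a) in LISTED_RANGE for a in answers)


def smtp_decision(client_ip: str, zones, resolve) -> str:
    """SMTP reply the gateway gives a connecting host after checking each list."""
    for zone in zones:
        if is_listed(client_ip, zone, resolve):
            return f"550 5.7.1 Service unavailable; {client_ip} is listed in {zone}"
    return "250 OK"


# Constructed offline DNS data standing in for real blacklist zones
# (addresses are from the RFC 5737 documentation ranges).
FAKE_DNS = {
    "5.113.0.203.dnsbl.example.net": ["127.0.0.2"],    # known spam source
    "5.113.0.203.relays.example.org": [],              # not an open relay
    "10.2.0.192.relays.example.org": ["10.0.0.1"],     # bogus non-127 answer
}


def fake_resolve(name: str):
    """Stand-in DNS client: A records for name, [] when it does not exist."""
    return FAKE_DNS.get(name, [])
```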
Additionally, many content-filtering vendors are implementing content-based spam control by employing their content-filtering algorithms and heuristics to identify potential spam messages. Vendors that have spam-filtering software include SurfControl, SpamAssassin (http://www.spamassassin.org/index.html), and Network Associates (http://www.nai.com/us/products/mcafee/antispam/category.htm).