E-mail Content Filtering

Although installing and configuring e-mail content filtering is outside the scope of this book, there are a number of concepts and recommendations you can take back to your e-mail administrators as measures that help protect the network infrastructure. Here are the things to consider when protecting your network from e-mail-based threats:

  • Implementing virus protection

  • Filtering attachments

  • Implementing content filtering

  • Implementing spam control

Implementing Virus Protection

E-mail is the predominant method of spreading viruses and worms today. Incidents such as the Melissa virus demonstrated that companies simply cannot afford to overlook controls that prevent e-mail-borne viruses from entering the organization. There are two predominant techniques for addressing e-mail-based viruses and worms.

The first technique is to implement virus protection on the end-user systems. Typically, e-mail scanning on the end-user system is a component of the overall end-user virus-protection software. For example, Network Associates VirusScan Enterprise has a component that scans the client e-mail program (for example, Outlook) for viruses in addition to protecting the operating system. The benefit of this implementation is that you get e-mail protection without implementing anything special on the end-user system: because you need to run virus protection on the end-user system anyway, it doesn't hurt to have that same product scan the e-mail users receive. There are a couple of downsides, however. First, it can be very difficult to update a large organization when a new virus is spreading by e-mail, and the longer it takes to update your virus protection, the longer you remain susceptible to the threat. Second, client-based scanning relies on the user receiving the e-mail before it can be scanned and cleaned. In many cases, e-mail-based viruses cannot be cleaned and instead end up quarantined, where a user could still potentially run them. Even with these downsides, you should run client-based e-mail virus protection as a component of your overall end-user virus security policy.

start sidebar
One Step Further

Many client-based e-mail antivirus products can e-mail the apparent source of an infection to inform that person that they are infected with a virus. Unfortunately, this has become a case of the road to hell being paved with good intentions. Increasingly, e-mail-based worms spoof the sender address of the infected message, which causes the antivirus auto-response to go to someone who did not actually send the e-mail. The net result is that the "you have been infected" auto-responses increase the impact of the outbreak by clogging e-mail gateways and mailboxes with essentially worthless junk e-mail. Therefore, you should turn this feature off.

end sidebar

In addition to implementing end-user antivirus protection, you should implement antivirus protection on your e-mail gateways. This mitigates the drawbacks of a client-only solution. First, you no longer need to update thousands of client systems when a new virus appears, which decreases the time it takes to be effectively protected: you update your gateways to gain immediate protection, then update the client systems at a more leisurely rate. Second, virus protection on the e-mail gateway catches and cleans or quarantines the virus before it reaches the end users, which eliminates any chance of a user inadvertently launching it. Some examples of gateway-based virus protection are Network Associates GroupShield, Symantec AntiVirus Enterprise Edition (which contains e-mail gateway antivirus components), and GFI Mail Security.

In addition to running antivirus protection on your e-mail gateway, many vendors offer e-mail antivirus functionality integrated with the Internet gateway/firewall. For example, Netscreen and Fortinet both provide embedded antivirus protection in many of their firewall products, and Check Point Firewall-1 and Microsoft ISA Server both accept third-party plug-ins that provide antivirus capabilities at the firewall.

Filtering Attachments

Another effective method of preventing the spread of e-mail-based viruses and worms is to block certain attachment types from entering or leaving your network. Simply put, some things just do not need to be e-mailed (for example, executables). At a minimum, Microsoft recommends that you block the following attachment types on your e-mail gateways:

  • CLSID code

  • Advanced Streaming Format Description file

  • Active Streaming file

  • Microsoft Windows Active Stream Redirector

  • MS Access Project extension

  • MS Access Project

  • Visual Basic class module

  • Batch file

  • Compiled HTML Help file

  • Windows NT command script

  • MS-DOS application

  • Control Panel extension

  • Security certificate

  • Dynamic Link Library

  • Windows Help file

  • HTML applications

  • Hierarchical Tagged Objects

  • Setup information file

  • Internet communication settings

  • Internet communication settings

  • JScript file

  • JScript encoded script file

  • Microsoft Access database

  • Microsoft Access MDE database

  • MS common console document

  • Microsoft Windows Installer Package

  • Microsoft Windows Installer Patch

  • Visual Test source files

  • OLE Control Extension

  • Photo CD image, Visual Basic file

  • Shortcut to MS-DOS programs

  • Registration entries

  • Windows Script component

  • Shell script

  • Embedded shortcut

  • Shell scrap object

  • Internet shortcut

  • VBScript file

  • VBScript encoded script file

  • VBScript script file

  • Vcalendar file

  • Windows Media Download

  • Windows Messaging System

  • Windows Media Skins

  • Windows Script component

  • Windows script file

  • Windows Scripting Host settings file

In addition, you should take a hard look at whether you need the following attachments to be permitted between your internal network and the Internet. Unfortunately, the business needs for many of these may preclude your ability to filter them.


  • Microsoft Word documents

  • Microsoft Word templates

  • Microsoft Word for Macintosh

  • Microsoft Excel add-in

  • Microsoft Excel spreadsheets

  • Microsoft Excel templates

  • Compressed files


Implementing Content Filtering

E-mail content filtering serves a number of roles in protecting your organization. First, it can detect whether content being sent or received is attempting to circumvent your existing antivirus or e-mail security policy. For example, many users will rename an attachment they want to send when they know that type of attachment will be filtered. Content-filtering software is not fooled by this because it does not rely on the file extension or file name to determine the file type; instead, it examines the file headers to determine what the file actually is.
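The following Python check is an added example covering both the attachment filtering recommended earlier and the header-based type detection described here; it is illustrative code, not the book's or any vendor's product. The blocked-extension set and the signature table are assumed, abbreviated values, and the sample attachments are constructed. The point it makes beyond the text is that a name check must look at every extension component (so "invoice.pdf.exe" and "report.exe." are both caught), and that a renamed executable whose name passes is still rejected by the header check.

```python
"""Attachment filtering plus header sniffing for an e-mail gateway.

Added example: the BLOCKED_EXTENSIONS set and MAGIC table are assumed
illustrative values, not Microsoft's or any vendor's list.
"""

# Assumed gateway blocklist; replace with your organization's own list.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "cmd", "pif", "scr", "vbs", "vbe",
                      "js", "jse", "wsf", "wsh", "hta", "chm", "cpl", "dll",
                      "msi", "msp", "reg", "shs", "lnk", "url"}

# Leading-byte signatures used to identify a file by content, not by name.
MAGIC = [
    (b"MZ", "pe-executable"),                              # Windows PE/DOS executable
    (b"PK\x03\x04", "zip-archive"),                        # ZIP (also docx/xlsx/jar)
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-compound"),  # legacy .doc/.xls
    (b"%PDF-", "pdf"),
]


def extensions_of(filename: str):
    """Return every extension component, lower-cased.

    'invoice.pdf.exe' -> ['pdf', 'exe'].  Trailing dots and spaces are
    stripped first because Windows ignores them when opening a file, so
    'report.exe.' is really report.exe.
    """
    name = filename.strip().rstrip(". ")
    parts = name.split(".")
    return [p.lower() for p in parts[1:]] if len(parts) > 1 else []


def blocked_by_name(filename: str) -> bool:
    """True if any extension component is on the blocklist."""
    return any(ext in BLOCKED_EXTENSIONS for ext in extensions_of(filename))


def sniff_type(data: bytes) -> str:
    """Classify an attachment body by its leading bytes."""
    for signature, kind in MAGIC:
        if data.startswith(signature):
            return kind
    return "unknown"


def verdict(filename: str, data: bytes) -> str:
    """Combine the name check with the header check.

    A renamed executable (e.g. 'setup.txt' whose body starts with MZ) passes
    the name check but is still rejected here.
    """
    if blocked_by_name(filename):
        return "block: extension"
    if sniff_type(data) == "pe-executable":
        return "block: executable content"
    return "allow"


if __name__ == "__main__":
    # Constructed sample attachments, not real mail.
    for name, body in [("invoice.pdf.exe", b"MZ\x90\x00"),
                       ("setup.txt", b"MZ\x90\x00rest"),
                       ("notes.txt", b"plain text")]:
        print(name, "->", verdict(name, body))
```

Archives ("zip-archive" above) need the same treatment applied to each member after extraction; the sniffer here only tells you that you are looking at one.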

Second, content filtering can be used to scan for phrases, words, and other objectionable content, for the same reasons that you filter Internet content. In addition, content-filtering software can block HTML-formatted, rich text format, or other high-risk e-mail formats. Some vendors of e-mail content-filtering software are SurfControl and GFI.

Implementing Spam Control

Spam control is a somewhat different aspect of network hardening in the sense that, in most cases, spam does not have the kind of impact that viruses or objectionable content do (although spam often contains objectionable content). Spam is more a nuisance than a real threat. This nuisance, however, can have a tangible financial impact on an organization. When you consider that estimates put spam at 40 to 50 percent of all e-mail messages, the bandwidth cost of spam is substantial. Some estimates have placed the cost of spam to Korean Internet users and ISPs at $2.25 billion a year, and that is just Korea. In addition, the lost productivity of users dealing with spam is considerable. Some research has placed the cost of the time each employee wastes on e-mail at $4,000 a year. Although that figure is not exclusively the cost of spam, the total cost in wasted productivity is roughly $130 billion, and even a conservative estimate puts spam's share of that cost in the billions.

The single most important thing you can do to protect against spam is to ensure that your e-mail servers are not open relays. Spammers do not use their own bandwidth to send these e-mails. Instead, they locate open relays on the Internet and route the spam through them. You can test whether your system is an open relay at http://www.abuse.net/relay.html. For information about how to prevent your e-mail server from being an open relay, refer to your e-mail vendor's documentation.
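The relay policy an MTA should enforce, as an added example rather than any vendor's implementation: the local domains, internal networks and probe addresses are assumed values. Beyond the plain "foreign sender to foreign recipient" case, the probes include the percent-hack, bang-path and source-route forms that relay tests of the abuse.net kind use, because a server that accepts "user%other.org@example.com" as local mail and then honours the percent routing is an open relay even though the recipient domain looks like its own.

```python
"""RCPT TO relay-policy decision for an SMTP gateway.

Added example, not from the book or any MTA.  LOCAL_DOMAINS, INTERNAL_NETS
and RELAY_PROBES are assumed values.
"""
import ipaddress

LOCAL_DOMAINS = {"example.com", "mail.example.com"}          # assumed
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),           # assumed
                 ipaddress.ip_network("192.168.0.0/16")]

# Characters in a local part that older MTAs interpret as routing
# instructions (percent hack, UUCP bang path, source route).
ROUTING_CHARS = set("%!:@")


def rcpt_decision(client_ip: str, authenticated: bool, rcpt_to: str) -> str:
    """Return the SMTP reply for one RCPT TO command.

    Inbound mail for our own domains is accepted.  Mail for any other domain
    is relayed only for authenticated clients or internal networks; anything
    else gets 554, which is exactly what an open relay would have accepted.
    """
    addr = rcpt_to.strip().strip("<>")
    if "@" not in addr:
        return "501 syntax error: bad address"
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if ROUTING_CHARS & set(local):
        # Refuse routed addresses outright rather than relying on the
        # domain part, which is exactly what the percent hack subverts.
        return "554 relay access denied (routed address)"
    if domain in LOCAL_DOMAINS:
        return "250 OK"            # delivery to our own users
    if authenticated:
        return "250 OK"            # submission by an authenticated user
    if any(ipaddress.ip_address(client_ip) in net for net in INTERNAL_NETS):
        return "250 OK"            # trusted internal host
    return "554 relay access denied"


# Constructed probes of the kind an external relay test sends.
RELAY_PROBES = [
    "<spam@example.org>",                  # plain foreign recipient
    "<spam%example.org@example.com>",      # percent hack
    "<example.org!spam@example.com>",      # UUCP bang path
    "<@example.com:spam@example.org>",     # source route
]


def is_open_relay(client_ip: str = "203.0.113.7"):
    """Run the probes as an unauthenticated external client.

    Returns the probes that were accepted; an empty list means the policy
    is closed for every form the test tries.
    """
    return [p for p in RELAY_PROBES
            if rcpt_decision(client_ip, False, p).startswith("250")]


if __name__ == "__main__":
    leaks = is_open_relay()
    print("open relay" if leaks else "relay closed", leaks)
```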

Once you have taken steps to ensure that you are not part of the spam problem, the next step is to implement mechanisms that protect your systems from receiving spam. A common method is the use of DNS blacklists and open-relay databases. These maintain a list of IP addresses that spam is known to originate from (DNS blacklists) or a list of known open relays (open-relay databases), published as a DNS zone. When a connection is received, the destination system looks up the connecting system's IP address in the list; if it is listed, the e-mail message is rejected, and if it is not, the message is accepted. There are a number of well-known DNS blacklist and open-relay database systems you can use, including the following:

  • MAPS RBL http://www.mail-abuse.org/rbl/

  • ORDB http://www.ordb.org/

  • Spamcop http://www.spamcop.net/

  • Monkeys.com http://www.monkeys.com/upl/index.html

  • RFC-Ignorant http://www.rfc-ignorant.org/
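How the lookup described above is actually performed, as an added example that is not code from the book or from any of the listed services: the receiving MTA reverses the octets of the connecting address, appends the list's zone name, and treats an A-record answer in 127.0.0.0/8 as a listing. The zone name dnsbl.example, the FAKE_ZONE table and the 127.0.0.4 return code are constructed for offline use; a live deployment resolves the same query names against the operator's zone. The example also includes the sanity check a practitioner wants before trusting any list: 127.0.0.2 must be listed and 127.0.0.1 must not be, so a list that has gone out of service and now answers every query is detected instead of rejecting all inbound mail.

```python
"""DNS-blacklist (DNSBL) lookup as performed by a receiving MTA.

Added example, not from the book.  'dnsbl.example' is a placeholder zone and
FAKE_ZONE is a constructed stand-in for the list's DNS data.
"""
import ipaddress
import socket

LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(client_ip: str, zone: str) -> str:
    """Reverse the octets and append the zone: 192.0.2.7 -> 7.2.0.192.<zone>."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def resolve_live(name: str):
    """Real lookup through the system resolver; NXDOMAIN means not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


# Constructed answers standing in for the list operator's zone (offline demo).
FAKE_ZONE = {
    "7.2.0.192.dnsbl.example": "127.0.0.2",   # listed: known spam source
    "9.2.0.192.dnsbl.example": "127.0.0.4",   # listed: open relay (code assumed)
    "2.0.0.127.dnsbl.example": "127.0.0.2",   # the conventional 'always listed' test address
}


def resolve_fake(name: str):
    return FAKE_ZONE.get(name)


def dnsbl_check(client_ip: str, zone: str = "dnsbl.example", resolver=resolve_fake):
    """Return (listed, answer).

    Only an answer inside 127.0.0.0/8 counts as a listing; any other address
    (for example a wildcard record on an expired list domain) is ignored.
    """
    answer = resolver(dnsbl_query_name(client_ip, zone))
    if answer is None:
        return False, None
    return ipaddress.ip_address(answer) in LISTED_RANGE, answer


def zone_healthy(zone: str = "dnsbl.example", resolver=resolve_fake) -> bool:
    """Sanity-check a list before trusting it: 127.0.0.2 must be listed and
    127.0.0.1 must not be.  A defunct list that answers every query fails."""
    must_list, _ = dnsbl_check("127.0.0.2", zone, resolver)
    must_not, _ = dnsbl_check("127.0.0.1", zone, resolver)
    return must_list and not must_not


def smtp_connect_response(client_ip: str, zones=("dnsbl.example",), resolver=resolve_fake) -> str:
    """Decide the reply at connection time: reject listed clients before DATA."""
    for zone in zones:
        listed, answer = dnsbl_check(client_ip, zone, resolver)
        if listed:
            return f"554 5.7.1 {client_ip} listed in {zone} ({answer})"
    return "220 mail.example.com ESMTP"


if __name__ == "__main__":
    print("zone healthy:", zone_healthy())
    for ip in ("192.0.2.7", "192.0.2.8", "192.0.2.9"):
        print(ip, "->", smtp_connect_response(ip))
```

Rejecting at connection time (before the sender has transmitted the message body) is what saves the bandwidth the text is concerned with; scoring the listing instead of rejecting outright is the usual choice when a list is known to have false positives.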

Additionally, many content-filtering vendors are implementing content-based spam control, applying their content-filtering algorithms and heuristics to identify potential spam messages. Spam-filtering software is available from SurfControl, the open-source SpamAssassin project (http://www.spamassassin.org/index.html), and Network Associates (http://www.nai.com/us/products/mcafee/antispam/category.htm).

Hardening Network Infrastructure. Bulletproof Your Systems Before You Are Hacked.
Year: 2004
Pages: 125
