
Re: [Asrg] Re: Asrg Digest, DNSBL BCP v.2.0

2007-03-04 20:24:08
On Sun, Mar 04, 2007 at 01:18:04PM -0600, gep2(_at_)terabites(_dot_)com wrote

> > Simple question... *WHY WAS THE ROUTER/GATEWAY NOT BLOCKING PORT 25
> > TO/FROM ALL MACHINES EXCEPT AUTHORIZED INTERNAL MTAS* ??? If your
> > client had taken that one simple step, none of this would've happened.
>
> Several issues there.
>
> First, they have at least three or four internal machines (out of
> only about 15) running mail servers. (These servers were basically
> used as a speed buffer/queue for outgoing mail only).

  3 or 4 machines to handle outbound email produced by 11 or 12 client
machines doesn't sound very efficient.  A couple of BSD or linux
machines (without a GUI installed) should be able to handle the load.
One should be sufficient, the second one would be there as a spare in
case of hardware failure on the first.

> Second, their applications (running on many of their client machines)
> can be configured (and recently were, as a workaround) to send
> directly to outside mail servers.
>
> Third, the primary machine involved with their infection was in fact
> one of the machines running not just a mail server, but a critical
> app which does legitimately send E-mails as a key part of its job.

  I cannot adequately express my opinion about the second and third
points, without breaking "forum-decorum".

> Fourth, their NAT router/firewall was provided, installed, and
> maintained by their telephone company who had basically no knowledge
> or understanding of the company's internal IT systems. (This is a very
> common situation, both for home users and small businesses). Phone
> companies typically install these things, and walk away from them.
>
> Obviously, I'm going to have to be more involved with actively
> administering their router, in the future.

  OK, here are a few suggestions.  Two or three linux and/or BSD
machines with MTA software, but otherwise minimal OS (no GUI), should
be the only machines allowed to talk to the outside world on port 25.
No ifs-ands-ors-buts.  Enforce this rule at the router.

  When I say "MTA", I'm including a malware scanner for *OUTBOUND*
email, so that even if one of the client machines gets hit by "swen",
which piggybacks on the legitimate MTA, executables and other malware
are still not sent out.  This addresses your concern about the fact that
sooner or later, one of the client machines *WILL* get hit by malware.

  The *nix machines will only be running an MTA, no client software.
The client machines will *NOT* be running an MTA; they'll send their
email via the 2 or 3 *nix machines.

  Get into BOFH mode and block all outside access by the client
machines, see what breaks, and allow only what is necessary for the job.

-- 
Walter Dnes <waltdnes(_at_)waltdnes(_dot_)org> In linux /sbin/init is Job #1
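The egress rule Walter describes (only the designated internal MTAs may talk to the outside on port 25, enforced at the router, then block everything else and see what breaks) as an added example; this is not code from the thread or from anyone on it. It assumes a Linux NAT router using iptables, with eth1 as the LAN side, eth0 as the WAN side, and 192.168.1.10 and 192.168.1.11 as the two internal MTAs; the syslog lines are constructed to show what the LOG rule would record when a client tries to send direct.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumed topology: Linux NAT
# router with iptables, LAN on eth1, WAN on eth0, internal MTAs at
# 192.168.1.10 and 192.168.1.11. Everything else on the LAN is a client.

# Emit (do not apply) the iptables commands that let only the listed MTAs open
# outbound TCP/25 connections.  Arguments: LAN interface, WAN interface, then
# one or more authorized MTA addresses.  Pipe the output into sh as root.
smtp_egress_rules() {
    lan_if=$1
    wan_if=$2
    shift 2
    # Own chain, so the policy can be flushed and reloaded without touching
    # the rest of FORWARD.
    printf 'iptables -N SMTP_EGRESS 2>/dev/null || iptables -F SMTP_EGRESS\n'
    # Divert every new LAN->WAN SMTP connection attempt into that chain
    # (add the jump only once).
    printf 'iptables -C FORWARD -i %s -o %s -p tcp --dport 25 --syn -j SMTP_EGRESS 2>/dev/null || ' "$lan_if" "$wan_if"
    printf 'iptables -I FORWARD -i %s -o %s -p tcp --dport 25 --syn -j SMTP_EGRESS\n' "$lan_if" "$wan_if"
    for mta in "$@"; do
        printf 'iptables -A SMTP_EGRESS -s %s -j ACCEPT\n' "$mta"
    done
    # Anyone else: log (rate-limited) so you can see what breaks and which
    # client is trying to spam, then reject with a reset so the sender fails
    # immediately instead of waiting for a timeout.
    printf 'iptables -A SMTP_EGRESS -m limit --limit 10/min -j LOG --log-prefix "SMTP-EGRESS-DENY "\n'
    printf 'iptables -A SMTP_EGRESS -j REJECT --reject-with tcp-reset\n'
}

# Reduce syslog to "count source-address", busiest source first, for the
# connection attempts the LOG rule above recorded.  Reads log lines on stdin.
direct_smtp_offenders() {
    grep 'SMTP-EGRESS-DENY ' \
        | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# Constructed sample log: one client (.23) hammering port 25 directly, one
# (.41) trying once, plus an unrelated kernel line that must be ignored.
SAMPLE_LOG='Mar  5 09:12:01 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49321 DPT=25 SYN
Mar  5 09:12:03 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=TCP SPT=49322 DPT=25 SYN
Mar  5 09:12:04 gw kernel: eth0: link up, 100Mbps, full-duplex
Mar  5 09:12:09 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=192.168.1.41 DST=203.0.113.5 PROTO=TCP SPT=51002 DPT=25 SYN
Mar  5 09:12:11 gw kernel: SMTP-EGRESS-DENY IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=192.0.2.9 PROTO=TCP SPT=49323 DPT=25 SYN'

echo '# rules to load on the router:'
smtp_egress_rules eth1 eth0 192.168.1.10 192.168.1.11
echo
echo '# clients caught trying to talk SMTP directly (count, address):'
printf '%s\n' "$SAMPLE_LOG" | direct_smtp_offenders
```

The offender summary is the feedback loop for the "block it all and see what breaks" step: a client that shows up once or twice is probably an application still pointed at an outside mail server and needs repointing at the internal MTAs; one that shows up hundreds of times is the infected box. The outbound malware scanner Walter wants lives on the MTAs themselves and is not part of this router policy.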

_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg
