
Stopping sobig at firewall

Status
Not open for further replies.

mizzy (IS-IT--Management, joined Jun 28, 2001, 277 posts, AU)
Hi there,

I am receiving loads of mail with the sobig virus.
All infected mails are being caught by my antivirus software on the mail server.
However I'd like to stop the mail at the firewall before it gets to my mail server.
With other viruses/spam I have been able to do this.
Just look at the header of the mail, find where it is coming from and block the associated IP address.
Sobig is a bit more clever; it disguises where it comes from.
Have any of you guys or girls managed to stop these mails at the firewall?

Regards,

p.s. I should say that from what I can see the mails are coming from the same location. I'm using Lotus Domino server.
 
I don't really get how you think you can stop a virus in an email by blocking mail servers; the mails are not disguised, they just come from all sorts of different mail servers.
Btw, how did you stop the other viruses? They must have come from different sources also?

Another thing, blocking mail servers that send you virus email might not be too smart, as you will miss possibly interesting mails that are meant for you or your co-workers.

Jan
 
If possible, set up a mail relay server on a DMZ interface of the firewall. Have all your mail delivered to the relay server, where it will be scanned and cleaned and then forwarded to your internal mail server.

For the relay server, you can run something like Symantec Antivirus for SMTP or a dedicated appliance.
 
Aren't mails already getting caught by your mail server's antivirus? Then I don't really see the point in bringing in another server that does this job. If the virus is not detected, why should another mail server help you?

Jan
 
Hi there,

Apologies I did not explain this better and it will take someone much cleverer than me to explain it correctly.

All I can say is that I was able to contact the two companies that were sending me hundreds of infected mails. (I was able to do this based on information about SMTP servers in the header of the infected mails.)
The IT department at these two companies then updated their antivirus software and the volume of infected e-mail has returned to a more acceptable level.

Thanks very much for taking the time to help out,
Regards,

 
Just for the record, this is how you would block specific servers from sending mail to your mail server:

You prolly have something like:

access-list xxx permit tcp any host <mailserver public> eq 25

All you need to do is change the ACL to have some deny statements like the one below, ahead of the permit, for the hosts you don't want to allow:

access-list xxx deny tcp host <attacker ip> host <mailserver public> eq 25

access-list xxx permit tcp any host <mailserver public> eq 25

Jan
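The two steps the thread combines (read the SMTP server out of the headers, then write a deny for that host ahead of the permit-any) can be scripted. The following is an added example, not code from the thread or from any poster; the message, the host names (mx.example.internal, relay.partner-example.net) and the addresses are constructed. It only trusts the Received: line stamped by your own MX, because every hop recorded below that line was written by the remote side and a worm like Sobig can forge it:

```python
import email
import ipaddress
import re

# Constructed sample headers (not a real message from the thread). The topmost
# Received: line is stamped by our own perimeter MX; only that line records the
# IP that actually opened the TCP connection to us.
SAMPLE_MESSAGE = """\
Received: from relay.partner-example.net (relay.partner-example.net [203.0.113.45])
\tby mx.example.internal with ESMTP id k2Xa7; Tue, 26 Aug 2003 09:15:01 +1000
Received: from homepc (unknown [198.51.100.7])
\tby relay.partner-example.net with SMTP; Tue, 26 Aug 2003 09:14:58 +1000
From: "Some Colleague" <forged@example.org>
To: admin@example.internal
Subject: Re: Thank you!

(body omitted)
"""

# Hypothetical names of the hosts we operate; a Received: line "by" one of
# these was written by us and is therefore trustworthy.
OUR_MAIL_HOSTS = {"mx.example.internal", "domino.example.internal"}

# "from <helo> (<rdns> [<ip>]) by <host> ..." -- pull out the bracketed IP and
# the receiving host name.
RECEIVED_RE = re.compile(
    r"from\s+\S+.*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>[\w.-]+)",
    re.IGNORECASE | re.DOTALL,
)


def unfold(value: str) -> str:
    """Join RFC 2822 folded header continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value)


def received_hops(raw_message: str):
    """Yield (connecting_ip, receiving_host) per Received: header, newest first."""
    msg = email.message_from_string(raw_message)
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(unfold(value))
        if m:
            yield m.group("ip"), m.group("by").lower()


def trusted_sender_ip(raw_message: str, our_hosts=OUR_MAIL_HOSTS):
    """Return the IP that connected to one of *our* hosts, or None.

    Lines below that hop came from the remote side and may be forged, so
    they are never used for a block decision.
    """
    for ip, by_host in received_hops(raw_message):
        if by_host in our_hosts:
            ipaddress.ip_address(ip)  # raises ValueError on a malformed address
            return ip
    return None


def deny_acl_lines(sender_ip: str, mailserver_public: str, acl="xxx"):
    """Build the Cisco-style ACL from Jan's post: one deny for the offending
    host, placed ahead of the existing permit-any for port 25."""
    return [
        f"access-list {acl} deny tcp host {sender_ip} host {mailserver_public} eq 25",
        f"access-list {acl} permit tcp any host {mailserver_public} eq 25",
    ]


if __name__ == "__main__":
    ip = trusted_sender_ip(SAMPLE_MESSAGE)
    print("connecting SMTP server:", ip)
    for line in deny_acl_lines(ip, "192.0.2.10"):  # 192.0.2.10: placeholder public MX address
        print(line)
```

Note that the address this returns is the partner's relay, not the infected PC behind it, so the deny cuts off everything that relay sends you; that is Jan's point above about missing legitimate mail, and why contacting the sending site (as mizzy did) is the better first move.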
 
>Aren't mails already getting caught by your mail server's antivirus? Then I don't really see the point in bringing in another server that does this job. If the virus is not detected, why should another mail server help you?

Maybe I misread his question, but he did ask how to stop it before it got to his mail server. With the DMZ setup, you eliminate having to expose your internal mail server directly to the internet by opening ports on the firewall, off-load the virus scanning process to the dedicated server in the DMZ, and have two levels of virus protection.
 
Sure, that's true, I just thought he already had a DMZ; didn't think anyone had mail servers on the inside anymore open from inet :)

Jan
 