Tomorrow is Friday - is your mail server secure?
After the incident last week with the mail servers of Vlaanderen.be (and others, which either survived the onslaught or didn't make the news), one has to prepare for tomorrow. Or maybe it is just an old habit of a virus fighter coming back: check your installations on Tuesday and make sure that everything is fine, so that you are ready for whatever comes on Friday (a day virus writers seemed to prefer, because it is the day before the weekend and ICT staff are busy with lots of other things that need to be finished before the end of the week). For a while now it has seemed as if there was nothing to worry about, and people have come to think that automatic scanning and the like will defend us all and that we don't need human 'border controls'. Last Friday was a wake-up call.
I will stop the tit-for-tat that is going around here and on the forums, because it doesn't help the principal subject (the bad state of internet security on the Belgian web) one bit, and that is the only purpose (and always has been) of this blog.
Practical matters now. What is essential?
* You need some kind of automatic antispam and antivirus software, and you need to be sure that it is updated correctly.
* You need logs with reports on the kind of spam and viruses that are stopped, and to and from where.
* You need statistics on the use, volume and destinations of your email traffic, if possible in real time, so that you can see when something deviates from normal traffic (first investigate, then cry foul).
* You need to be able to adjust the filters manually, adding terms, senders and destinations to let some through (whitelist) and to block others that get through (blacklist).
* You need a procedure you can activate if your servers become overloaded by a spam storm, so that your mail server can separate the good internal mail from the rest and send it first (this can be a special word in the subject).
* You need to be sure that your mail server is not an open relay. You can use tests on the internet, like the one used against Vlaanderen.be, but you can also test it for real with real emails from a mailbox you have connected outside your network. You must be sure that you have explicit permission to do such a thing.
Change the xxxx into the IP address of the server.
* You need to be sure that your mail server doesn't accept mail for mistaken or false addresses. This is the best guarantee that tricks like the one above will be harder to execute. It is a trade-off between being user-friendly and being secure, but if you make sure that the sender gets an email saying that the message was refused because the account doesn't exist and that he has to check the email address or use a form on the website, then it stays user-friendly. You will have to take care, though, that this message
- is not sent out more than once, even if it bounces (so as not to create a loop; this goes for all 'fault messages' and even accept messages);
- stops being sent when the same server starts sending hundreds of variants of email addresses.
Tip: you can also break the loop by making resending not automatic or default, but doing only one resend every half an hour during 2 hours and then once every 6 hours, twice. (Except for mass attacks, but then I presume you are in front of the screens of your server, your graphical indicators and your logs, playing wargames.)
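The logs, traffic statistics and "first investigate, then cry foul" check from the list above, as one small Python report. This is an added example and not code from the original post or from any particular mail server: the log line format, the regular expression and every line in SAMPLE_LOG are constructed for the example, so a real server's log needs its own LINE_RE.

```python
"""
Added example, not part of the original post: a small traffic report built
from mail log lines, plus a check that flags hours whose volume is far
outside the usual pattern. The log format and every line in SAMPLE_LOG are
constructed for this example; a real server's log needs its own LINE_RE.
"""
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed format:  <timestamp> client=<ip> from=<addr> to=<addr> status=<word>
LINE_RE = re.compile(
    r"^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2} "
    r"client=(?P<client>[\d.]+) from=<(?P<sender>[^>]*)> to=<(?P<rcpt>[^>]+)> "
    r"status=(?P<status>\w+)"
)

# Constructed sample: three quiet hours of normal deliveries, then one hour in
# which a single client hammers the server with invented local addresses.
SAMPLE_LOG = [
    f"2004-01-29T{h:02d}:{m:02d}:00 client=203.0.113.{m} from=<news@example.org> "
    f"to=<alice@example.be> status=delivered"
    for h in (9, 10, 11) for m in (5, 17, 33, 48)
] + [
    f"2004-01-29T12:{m:02d}:00 client=198.51.100.7 from=<fake@example.net> "
    f"to=<user{m}@example.be> status=rejected"
    for m in range(30)
] + ["this line is not a delivery record and is ignored"]


def parse(lines):
    """Keep only lines that match the expected format, as dicts."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def report(events):
    """Counts per hour and status, per destination domain, and per client IP."""
    per_hour = defaultdict(Counter)
    destinations = Counter()
    clients = Counter()
    for e in events:
        per_hour[e["hour"]][e["status"]] += 1
        destinations[e["rcpt"].rsplit("@", 1)[-1]] += 1
        clients[e["client"]] += 1
    return per_hour, destinations, clients


def abnormal_hours(per_hour, status, factor=5, minimum=20):
    """Hours where the count for `status` is at least `minimum` and more than
    `factor` times the median of the other hours: worth a look before anyone
    cries foul."""
    hours = sorted(per_hour)
    flagged = []
    for h in hours:
        count = per_hour[h][status]
        others = [per_hour[o][status] for o in hours if o != h]
        baseline = median(others) if others else 0
        if count >= minimum and count > factor * max(baseline, 1):
            flagged.append(h)
    return flagged


if __name__ == "__main__":
    per_hour, destinations, clients = report(parse(SAMPLE_LOG))
    for hour in sorted(per_hour):
        print(hour, dict(per_hour[hour]))
    print("top destinations:", destinations.most_common(3))
    print("top clients:", clients.most_common(3))
    print("abnormal hours (rejected):", abnormal_hours(per_hour, "rejected"))
```

The median of the other hours is used as the baseline rather than the mean, so that one bad hour does not drag the baseline up and hide itself; the absolute `minimum` keeps a quiet server from flagging every small bump.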
Some mail servers accept all email messages, with or without a good email address. It is much wiser to just drop them, if only to refuse a lot of garbage you don't have to look at (so you can concentrate on the real attacks and problems). Sorry for the guy who has mistyped an address and will have to resend his email, but if you take the wrong street on your way home you also have to turn back.
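The acceptance rules from the points above (no open relay, refuse unknown recipients at once instead of accepting and bouncing later, never answer a bounce with a bounce, cut off a client that probes hundreds of address variants, and the resend schedule from the tip) as one piece of Python, in the shape a policy daemon would apply at RCPT time. This is an added example, not code from the original post or from any particular mail server: the domain example.be, the internal networks, the user list, the limits and the SMTP reply texts are all constructed for the example.

```python
"""
Added example, not part of the original post: an SMTP acceptance policy that
implements the checks listed above. Domains, networks, user names, limits and
reply texts are all constructed for the example.
"""
import time
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_DOMAINS = {"example.be"}                      # domains we are final destination for
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
KNOWN_USERS = {"alice@example.be", "bob@example.be", "postmaster@example.be"}

# A client that tries more than this many unknown local recipients inside the
# window is cut off (constructed values).
UNKNOWN_RCPT_LIMIT = 10
UNKNOWN_RCPT_WINDOW = 600   # seconds

# Resend schedule from the tip above: every half hour for two hours, then
# twice every six hours, then give up.
RETRY_DELAYS = [1800] * 4 + [21600] * 2


@dataclass
class Session:
    client_ip: str
    authenticated: bool = False


class Policy:
    def __init__(self):
        self.unknown_attempts = {}   # client_ip -> timestamps of unknown-user attempts
        self.bounced = set()         # message ids for which a notice was already sent

    def is_internal(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in INTERNAL_NETS)

    def check_rcpt(self, session, rcpt, now=None):
        """Return the SMTP reply for a RCPT TO command."""
        now = time.time() if now is None else now
        rcpt = rcpt.lower()
        domain = rcpt.rsplit("@", 1)[-1]
        if domain in LOCAL_DOMAINS:
            if rcpt in KNOWN_USERS:
                return "250 OK"
            # Unknown local user: refuse now instead of accepting and bouncing
            # later, and count the attempt against the client.
            stamps = [t for t in self.unknown_attempts.get(session.client_ip, [])
                      if now - t < UNKNOWN_RCPT_WINDOW]
            stamps.append(now)
            self.unknown_attempts[session.client_ip] = stamps
            if len(stamps) > UNKNOWN_RCPT_LIMIT:
                return "421 Too many unknown recipients, closing connection"
            return "550 No such user here"
        # Recipient is elsewhere: relay only for our own users or networks,
        # otherwise we would be an open relay.
        if session.authenticated or self.is_internal(session.client_ip):
            return "250 OK"
        return "554 Relay access denied"

    def should_bounce(self, mail_from, message_id):
        """Send a non-delivery notice at most once per message, and never in
        reply to a message that is itself a bounce (empty reverse path)."""
        if mail_from in ("", "<>"):
            return False
        if message_id in self.bounced:
            return False
        self.bounced.add(message_id)
        return True


def next_retry_delay(attempts_done):
    """Seconds to wait before the next resend, or None once the schedule is exhausted."""
    if 1 <= attempts_done <= len(RETRY_DELAYS):
        return RETRY_DELAYS[attempts_done - 1]
    return None


if __name__ == "__main__":
    policy = Policy()
    outsider = Session("203.0.113.5")
    print(policy.check_rcpt(outsider, "alice@example.be"))               # 250 OK
    print(policy.check_rcpt(outsider, "someone@example.org"))            # 554 Relay access denied
    print(policy.check_rcpt(Session("10.1.2.3"), "someone@example.org"))  # 250 OK
```

The 421 reply, rather than another 550, tells the hammering client to go away for the whole connection, which is what stops the flood of address variants; `should_bounce` and `next_retry_delay` together give the "at most once, on a fixed schedule" behaviour the tip describes.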
And most important of all:
Believe only what you see and ask questions. Do not take things for granted.