Email virus protection

Hello,

What is the most common method for providing virus protection for your
hosted email customers? Thank you in advance.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Christopher J. Wolff
Sent: Wednesday, August 20, 2003 1:51 PM
To: nanog@merit.edu
Subject: Email virus protection

Hello,

What is the most common method for providing virus protection for your
hosted email customers? Thank you in advance.

We filter the normal "bad attachment stuff" right off the bat:

ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc]

and as we see fit, we add system wide filters for specific viruses,
trojans, etc. Customers are notified when additional filters are
added/removed.

Todd

Christopher J. Wolff wrote:

Hello,

What is the most common method for providing virus protection for your
hosted email customers? Thank you in advance.

The best method for protection of your network (by limiting exposure of your users to viruses) is to strip executable files. We replace the files with a small text file mentioning the filename and a brief description of why we stripped it and who to contact if they need the file.

I recommend executable stripping before virus scanning in all cases. Virus scanning is still vulnerable to startup viruses (Sobig-F could have infected numerous users before the dat files update).

-Jack
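Todd's extension filter above and the strip-and-replace approach Jack describes, combined into one added Python example that is not code from either poster's system; the contact address and the sample message are constructed placeholders, and only the final extension of a filename is checked against the list:

```python
import re
from email.message import EmailMessage

# Block list as posted in the thread, re-joined across the wrapped line and
# anchored so it must match the whole final extension, not a substring.
BLOCKED_EXT = re.compile(
    r"^(?:ad[ep]|ba[st]|chm|cmd|com|cpl|crt|eml|exe|hlp|hta|in[fs]|isp|jse?|lnk|"
    r"md[be]|ms[cipt]|pcd|pif|reg|scr|sct|shs|url|vb[se]|ws[fhc])$",
    re.IGNORECASE,
)

CONTACT = "postmaster@example.net"  # assumed placeholder, not an address from the thread


def is_blocked(filename):
    """True when the attachment's final extension is on the block list.

    Only the last extension counts: 'report.txt.exe' is blocked, 'report.exe.txt'
    is not, and a name without a dot passes through.
    """
    if not filename or "." not in filename:
        return False
    ext = filename.rsplit(".", 1)[1]
    return BLOCKED_EXT.match(ext) is not None


def strip_executables(msg):
    """Replace every blocked attachment in msg with a short text note, in place.

    Returns the stripped filenames so the gateway can log them or notify the user.
    """
    stripped = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no filename of their own
        name = part.get_filename()
        if not is_blocked(name):
            continue
        note = (
            f"The attachment '{name}' was removed by the mail gateway because its\n"
            f"file type is not accepted. If you need this file, contact {CONTACT}.\n"
        )
        # set_content() drops the old payload and every Content-* header, so the
        # executable bytes are gone and the part becomes a small text/plain file.
        part.set_content(note, disposition="attachment", filename=name + ".txt")
        stripped.append(name)
    return stripped


def attachment_names(msg):
    """Filenames of the attachments that remain in msg, in order."""
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample():
    """Constructed sample message (not from the thread): one PDF and one .pif."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.net"
    msg["Subject"] = "Re: Details"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ constructed bytes", maintype="application",
                       subtype="octet-stream", filename="your_details.pif")
    return msg


if __name__ == "__main__":
    m = build_sample()
    print("stripped:", strip_executables(m))    # ['your_details.pif']
    print("remaining:", attachment_names(m))   # ['invoice.pdf', 'your_details.pif.txt']
```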

Yo Jack!

The best method for protection of your network (by limiting exposure of
your users to viruses) is to strip executable files. We replace the
files with a small text file mentioning the filename and a brief
description of why we stripped it and who to contact if they need the file.

I love guys like you. All my customers once had (still have) admins
that filtered and cleaned their email for them. Also added
firewalls for their protection. Now they are my customers because they
do not want your protections.

What you are doing is certainly proper in some cases. I would hope
BofA learned that lesson after the last worm attack that killed their
ATM network. That also means a lot of bank employees need to also have
an ISP account from me to do things they can not do with their email on
the job.

RGDS
GARY

Gary E. Miller wrote:

I love guys like you. All my customers once had (still have) admins
that filtered and cleaned their email for them. Also added
firewalls for their protection. Now they are my customers because they
do not want your protections.

I never understood ISPs that can apply a filter but not make an exception. All my filters, network and service level, have exclusions. The filters are designed to protect the network from the users. Less than 0.1% of my users do not want such protections, and those users are cleared of them.

In the last 3 days, I have received over 50 thank-you emails from customers concerning Sobig-F stripping. One user said that they wanted off filtering because they updated their anti-virus definitions once a week and that they were expecting an email from someone, but I'd stripped the attachment. It turns out that the user hadn't updated since Sobig-F released 2 days ago and since the from address was something he was looking for, he would have run the executable I'd stripped. I informed him that the file was viral, and he informed me that he'd like to keep the filtering. This is normal of most requests.

I will agree with you that there are many networks that deploy filtering and do not work with the customer concerning the filtering. To do so is poor business practice in my opinion. The problem isn't the filtering. It is the lack of contact with the customer.

-Jack

Hey - they aren't supposed to be using their work e-mail for stuff
other than work - especially in a banking environment.

I would be unhappy if my bank did not exclude executables from
outside e-mail.

Again, ITS YOUR EMPLOYERS NETWORK, NOT YOURS.

John Palmer wrote:

Hey - they aren't supposed to be using their work e-mail for stuff
other than work - especially in a banking environment.

I would be unhappy if my bank did not exclude executables from outside e-mail.

That's what the net admin was telling me when I mentioned one of his branch bank offices had Sobig-F. Apparently they all run A/V and I think he said his mail server does as well. Unfortunately, they still allow executables in.

I won't be using that bank.

-Jack

Christopher J. Wolff(chris@bblabs.com)@2003.08.20 10:50:55 +0000:

What is the most common method for providing virus protection for your
hosted email customers? Thank you in advance.

Making them switch to a software product that does not auto-execute
arbitrary chunks of code that come in via some network connection.

Ok, you got me, it is not the most common method "out there", but the
most common method for my customers :wink:

There's quite a lot of usable stuff out there. Many Win32 users have
switched to Mozilla which seems to solve 100% of the Outlook-specific
attacks which account for... hmmm... 100% of the malicious email
messages of the last 6 months.

Some switched to Mac. Many UNIX users are on mutt or similar MUAs which
do not bear the potential for execution of arbitrary code. Sure, this
does not apply for Exchange-driven installations that require Outlook,
but there are also alternatives available. Deployment cost causes a
certain lack of motivation to get rid of Exchange, but if you calculate
a potential impact of Microsoft worms and viruses (virii?) in terms of
damage to the company's data and infrastructure and also credibility,
it's worth it, quite often.

A bit more on the philosophical side of things, the international press
and media - and many people reading or watching those media - mix up the
terms "internet threat", "Microsoft-specific threat" and
"Outlook-specific threat" which leads to a totally twisted perspective
of the current events.

Fact is, that there's a broad base of installed and Microsoft-driven PCs
which are vulnerable. Customers often realize this after you explain it
to them step-by-step and they seem very happy with their new knowledge
about what actually caused the vulnerability of their company and
information infrastructure. Some of them - call them brave - take
immediate action and implement fallback or alternative solutions.

Regards,
/k

Jack Bates(jbates@brightok.net)@2003.08.20 15:49:01 +0000:

That's what the net admin was telling me when I mentioned one of his
branch bank offices had Sobig-F. Apparently they all run A/V and I think
he said his mail server does as well. Unfortunately, they still allow
executables in.

The problem is the false sense of security while using anti-virus
products. For having a working signature, somebody has to be hit first
and submit the virus to the AV vendor. This requires a certain time,
which leads - in case of the latest worm occurrences which appear to be
pretty aggressive - to a certain amount of infections that happen before
there are signatures available. And then, the update still has to be
downloaded to the AV scanning software which extends the time window
being unprotected against a certain worm or virus variant.

So, the virus and worm authors are always one step ahead. This is by
design of the AV concept.

Better put the wasted cash and time into the design of better systems,
which brings the software developers this critical one step in the lead.

Due to what obscure reason does a mail user agent have to execute
interpreted code and do unasked things to mail attachments, nowadays?

Regards,
/k

  Some switched to Mac. Many UNIX users are on mutt or similar MUAs which
  do not bear the potential for execution of arbitrary code.

http://www.cert.org/advisories/CA-1997-14.html
http://www.cert.org/advisories/CA-1998-10.html

Wow, the second one even mentions Mutt by name.

--mghali@snark.net------------------------------------------<darwin><
   Flowers on the razor wire/I know you're here/We are few/And far
   between/I was thinking about her skin/Love is a many splintered
   thing/Don't be afraid now/Just walk on in. #include <disclaim.h>

just me(matt@snark.net)@2003.08.20 14:17:17 +0000:

1997 CERT Advisories
1998 CERT Advisories

Wow, the second one even mentions Mutt by name.

The more recent of those two advisories is dated August 11, 1998.
What are you trying to express, by citation of those pretty outdated
CERT advisories? If you are trying to imply that software does not
improve in a time frame of five years, go ahead and convince me. =)

On a different angle, the apparent problem of a software product being
vulnerable to an exploit is not solved by deploying a - albeit
well-patched - application monoculture worldwide. Risk is lowered by
using more well-designed software packages out there. Diversity is the
name of the game, it's nature's solution and it seems to work quite
well.

Regards,
/k

just me(matt@snark.net)@2003.08.20 14:17:17 +0000:
  >
  > http://www.cert.org/advisories/CA-1997-14.html
  > http://www.cert.org/advisories/CA-1998-10.html
  >
  > Wow, the second one even mentions Mutt by name.

  The more recent of those two advisories is dated August 11, 1998.
  What are you trying to express, by citation of those pretty outdated
  CERT advisories? If you are trying to imply that software does not
  improve in a time frame of five years, go ahead and convince me. =)

It's happened before, it'll happen again. Please don't pretend that
your MUA-de-jour is somehow invulnerable by design, unless you've
audited every line of code yourself.

  On a different angle, the apparent problem of a software product being
  vulnerable to an exploit is not solved by deploying a - albeit
  well-patched - application monoculture worldwide. Risk is lowered by
  using more well-designed software packages out there. Diversity is the
  name of the game, it's nature's solution and it seems to work quite
  well.

I completely agree. Which is why I discourage people from using
Outlook Express as well as Mutt.

matto


just me(matt@snark.net)@2003.08.20 14:41:02 +0000:

Please don't pretend that your MUA-de-jour is somehow invulnerable by
design, unless you've audited every line of code yourself.

I don't.

Mutt and similar MUAs are prone to misconfiguration, which makes them
vulnerable to some degree, but this fact alone does not expose enough
surface for implementation of an internet-wide worm attack :wink:

Perhaps, Outlook is a secure and performant email solution - in, say, 3
to 4 years from now, but this means a drastic change of course for the
vendor.

In end-user application design, finding the right mix between security
and convenience (which tend to be mutually exclusive, in one way or
the other) is a critical design decision.

You get the point.

  On a different angle, the apparent problem of a software product being
  vulnerable to an exploit is not solved by deploying a - albeit
  well-patched - application monoculture worldwide. Risk is lowered by
  using more well-designed software packages out there. Diversity is the
  name of the game, it's nature's solution and it seems to work quite
  well.

I completely agree. Which is why I discourage people from using
Outlook Express as well as Mutt.

So the interesting question in context of this email thread is: what do
you encourage them for?

Regards,
/k

  Mutt and similar MUAs are prone to misconfiguration, which makes them
  vulnerable to some degree, but this fact alone does not expose enough
  surface for implementation of an internet-wide worm attack :wink:

So you are saying that all MUAs are prone to vulnerabilities through
misconfiguration, and the reason for Outlook's prominence is simply
its larger installed base? If so, I completely agree with you.

  In end-user application design, finding the right mix between security
  and convenience (which tend to be mutually exclusive, in one way or
  the other) is a critical design decision.

  You get the point.

Indeed. I certainly wish Outlook was shipped with more sane settings.

  > I completely agree. Which is why I discourage people from using
  > Outlook Express as well as Mutt.

  So the interesting question in context of this email thread is: what do
  you encourage them for?

My brother has used MH for the last 20 years or so, without ill
effect. However, I believe it was also vulnerable in '97 because of
its inclusion of metamail functionality.

I've been impressed with Ximian's Evolution, but have no false hopes
for its integrity in the face of malicious content.

There certainly is no universal best mail client. If I encourage
anything, it's to use the client folks are most comfortable with.

  Regards,
  /k

matto


Unfortunately, that's not true. My father has to use Windoze because several software programs for his industry (Real Estate, specifically managing rentals) only come in Windoze flavors. He stays away from M$ client software whenever possible and was using Mozilla for email (until yesterday, I'm getting him started on Eudora). His email software doesn't automatically open attachments for him.

He knows better than to manually open random attachments that don't look like something business like, but a few weeks ago one caught him during the vulnerable period (after the virus started making the rounds, before he had updated the virus definitions) and managed to pretend to be a type of file he *does* expect in his day to day business (an "application" attachment). Oops.

Now he finally *really* understands why I'm adamant about frequently updating the virus definitions (I presently have his antivirus software set to check for updates every 4 hours) and having a strong firewall, and not loading unnecessary applications on his work computer.

jc

To answer the original question asked...

What is the most common method for providing virus protection for your
hosted email customers? Thank you in advance.

We use a layered approach, with Postini being the front line ...they do an *excellent* job, and we - and our clients - love them.
<http://www.postini.com>
We forced all the (mail) domains we host to use Postini about a year ago when our mail servers came under some serious directory harvest attacks. We allow clients to opt-out of the spam filtering if they want, but still run the mail through Postini's system anyway to stop directory harvest and virus attacks. Postini can be set to filter, but not quarantine, which looks to our opt-out clients like no filtering but still saves our mailservers from most assaults.

Second layer is some nice configuration options on our customer-facing mail servers, which run CommunigatePro from Stalker.
<http://www.stalker.com>
CGP is as full featured as Exchange, but without the BS. Plus it has the added benefit of actually working as advertised, and can be run on virtually *any* platform. The suits like the buzzword-compliance and the fact that it is commercially supported (excellent support too I'll add.) The geeks like it because it *works*... and on any platform they choose.

The last layer is of course the hardest to control, as it is out of our hands and in the client's, but we strongly suggest that they use a mail client that doesn't auto-execute code.

Myself, I use Eudora on my PowerBook running OS X. I know that doesn't make me somehow immune to everything... just the vast majority. My nanog list mail account got joejobbed by the "Netscalibur" user, both as sender and receiver (supposedly from Valdis Kletnieks, and somebody at NetSol.) and I've never seen what an Outlook mail client looks like. =)

I have to agree with Mr. Donelan who said here:
"(Microsoft) Outlook, the exploding Pinto on the information superhighway."

Regards,

>There's quite a lot of usable stuff out there. Many Win32 users have
>switched to Mozilla which seems to solve 100% of the Outlook-specific
>attacks which account for... hmmm... 100% of the malicious email
>messages of the last 6 months.

Unfortunately, that's not true. My father has to use Windoze because
several software programs for his industry (Real Estate, specifically
managing rentals) only come in Windoze flavors. He stays away from M$
client software whenever possible and was using Mozilla for email (until
yesterday, I'm getting him started on Eudora). His email software doesn't
automatically open attachments for him.

For some (but not all folks), you can run such software on a Windows
virtual machine (I use Win4Lin) under a Unix or Linux OS. That might
be an attractive and not very expensive solution for the above.

Warning, this is an off-topic rant about client software and the state of the world WRT Windows and Linux. There is zero operational content in this post.

>
> >There's quite a lot of usable stuff out there. Many Win32 users have
> >switched to Mozilla which seems to solve 100% of the Outlook-specific
> >attacks which account for... hmmm... 100% of the malicious email
> >messages of the last 6 months.
>
> Unfortunately, that's not true. My father has to use Windoze because
> several software programs for his industry (Real Estate, specifically
> managing rentals) only come in Windoze flavors. He stays away from M$
> client software whenever possible and was using Mozilla for email (until
> yesterday, I'm getting him started on Eudora). His email software doesn't
> automatically open attachments for him.

For some (but not all folks), you can run such software on a Windows
virtual machine (I use Win4Lin) under a Unix or Linux OS. That might
be an attractive and not very expensive solution for the above.

He needs to be able to automatically and easily move data between all his programs. It's not at all unusual for him to scan a document with PaperPort, then export it to Acrobat, then attach it to email and send. Then he needs to automatically accept a fax and transfer it into PaperPort, so incoming faxes come in with WinFaxPro. Then he needs to transfer data from an email into Homeworks, or Promas. Then he needs to type up a document in WordPerfect (grabbing the address data from his Palm software), send attached to an email, also attaching a document just received via fax or just scanned. Typically he has 6 or more programs all open at once. We just upgraded the RAM so that his computer could handle all this in native Windows2k.

He (which means me, when he has problems) has enough trouble getting everything working nice/nice under Windows. It would be impossible to get it all working seamlessly with some of these applications in Windows inside Linux and others inside Linux itself. If we aren't running at least 1/2 of his applications under Linux itself, I don't see much purpose in running Linux at all.

Is there a Linux program that does what WinFaxPro does (booting at startup, automatically answering incoming faxes, saving in a format that can be exported to Acrobat or PaperPort, automatically forwarding a copy of the fax via email)? Is there a Linux program that does what PaperPort does (scanning and filing all paperwork, then saving the file thru Acrobat or Photoshop, transferring to email or fax or OCR and into WP)?

I'm quite sure that there aren't any Linux programs like Homeworks or ListTrak or Promas (all Real Estate speciality programs required for his business).

So at most, he can use Linux with the Palm software (maybe), a browser (he's already using Mozilla under Win2K, so this isn't a big gain) an email client (he's using Eudora now, and I don't believe they have a Linux version), and Star Office (maybe, if it doesn't crash) for a WordPerfect solution. Except that he really needs to migrate *off* WP and onto Word because he needs to send and receive docs in the format everyone else uses (Word, unfortunately). In many cases he'd have to pay to buy new Linux versions of software he has already purchased for Windows (like Acrobat, Word, Norton Antivirus or the equivalent, with update license) even though some equivalent applications can be had for free (Gimp for Photoshop). Then there's the learning curve, I'm sure that Gimp doesn't work *exactly* like Photoshop, he will have to learn to do things differently. And this assumes all his RE software will run in a Win4Lin environment. Can you say "the vendor doesn't support that" boys and girls? :frowning: Yeah, I thought you could. A support tech drove from San Jose to Monterey yesterday to install a ListTrak because they have problems installing it on Win2K systems with SP4. There's NFW they would support any of these programs if they were installed under Win4Lin or if we had problems with them running under Win4Lin but they run fine in Windows2k itself.

Oh, and he needs to be able to print from all programs to the HP 3330, which is directly connected to the desktop computer and accessed by the laptop as a Windows network printer. Due to program driver weirdness (particularly with Promas) he has two different instances of this printer installed with two different drivers, he uses one version for some programs, the other version for the others.

Then there's the hardware. His desktop box is an el cheapo Compaq Presario desktop computer with 2 different CD drives (one reads, one reads and writes) with an internal zip drive and internal floppy. It also has a modem (months ago I replaced the crappy win-modem with a real one so that WinFaxPro would work) and NIC, has a palm cradle via a serial connection, the HP3300 via USB, a mouse via USB, monitor, keyboard, and speakers.

And it needs to all work simply and easily for his non-technical bookkeeper who comes in only 1 day a week to input the bills and payments. She scans documents into PaperPort, enters data into Promas, makes deposits, cuts checks, and then backs up all the day's data onto the Zip drive.

For some people, the applications needed simply dictate that they use Windoze. My dad has been using WordPerfect since the DR-DOS days (and before that it was Electric Pencil), so he's not a M$ fan by any stretch of the imagination. He can no longer use his favorite scanner (which works Win2k to use the latest versions of all his RE programs. He's pissed at M$ for their crappy software and at the vendors for the forced upgrades, but he can't do without it because the alternatives are much more expensive and less likely to work well together, if they actually work at all. And he needs this to work every day.

So he's stuck between a rock and a hard place, and we just try to secure his Windows system the best we can.

jc

Perhaps, Outlook is a secure and performant email solution - in, say, 3
to 4 years from now, but this means a drastic change of course for the
vendor.

In other news, Microsoft announced that they stopped development on
Outlook Express.

Pete

Erm.. wasn't me.. though so far I've had 1,787 of the suckers show up in my
personal mailbox. Fortunately, they were defanged by our Mirapoints, so they
were only 2K rather than 80K each :wink:

Meanwhile, I've had 52 "You sent us a virus" bounces. I'm pretty sure this
Linux laptop didn't do it. :wink:

My favorite so far? Had to be the site whose spam filter said this: