SBC on strike
by danlor on May.24, 2004, under Technology, Work
Wow. Looks like this week will be fun. SBC is on strike for three days, and we have three lines down. Looks like our phone system that SBC was supposed to install will be put on hold as well. They could be out as long as three months!
At least there is some good news. Our Mailfrontier stopped another few hundred viruses that got through Symantec over the weekend, and on top of that, I got vindication from our “virus protection” outsourcing company.
I have been working with them for over a month now to try and tighten our virus filters. Many strains were getting through, and I felt it was just a matter of time before our luck ran out and our network got leveled. But I kept getting responses like this, which was addressed to our department:
…The strong majority of Ben’s emails are actually benign, even though the desktop software recognizes them as a virus. Here’s what is happening:
These viruses are composed of two components: an infectious attachment, and HTML code in the message that uses an IE exploit (http://www.kb.cert.org/vuls/id/980499) to execute the attachment. The NAV gateway processes mail in two stages: first checking for any attachment files to be removed, and then checking for viruses.
It is instructed to remove any file that matches the following patterns:
letter.zip
*.pif
*.scr
*.rar
These patterns were configured by us to mitigate the most common exploitable attachments.
Once the attachments are processed, the gateway software will then scan the mail with its AV component. Now, because the attachment has already been deleted, the AV component considers it benign and forwards it to the destination. You can corroborate this by viewing the source of the xxxxx@xxxxxx.xxx mails; they have a “DELETED0.TXT” attachment which shows the exploit has been stripped.
After being delivered to the end user, the desktop AV software notices the exploitable HTML (this HTML is in the body of the message, not encoded as an attachment and therefore not stripped) and complains that it has seen a virus. In this case, however, it has only seen the HTML code, not the attachment necessary for the virus to propagate.
I should note that it is possible to disable the attachment scanning and rely only on the AV software, which may make for more thorough cleansing, at the cost of lesser protection. Let us know if you want to try this route.
The true situation is this…
SAV strips Attachment
SAV scans message – Sees no problem
SAV sends message on
Mailfrontier Scans message – Finds exploit scripts
Mailfrontier Blocks message with virus/vulnerability and redirects it to an external “holding pen” on one of my personal email servers. Now THAT is a dangerous mailbox. I don’t even like to LOOK at it.
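As an added illustration, and not code from the vendor, from SAV or from this post, here is a small Python simulation of the two gateway orderings described above: strip attachments first and then scan (so the AV sees a message with no attachment and calls it clean while the HTML body goes through untouched), versus scanning the intact message before stripping. The sample message, the attachment "signature" and the cid: body heuristic are all constructed for the example.

```python
import fnmatch
import re
from email.message import EmailMessage

# Attachment-name policy quoted from the vendor's gateway configuration above.
STRIP_PATTERNS = ["letter.zip", "*.pif", "*.scr", "*.rar"]
# Constructed stand-in for an AV signature that keys on the attachment bytes.
KNOWN_BAD_BYTES = b"not a real payload"


def build_sample() -> EmailMessage:
    """Constructed sample: HTML body that embeds an attachment by Content-ID,
    plus an attachment whose filename matches the strip policy."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("plain-text fallback")
    msg.add_alternative('<html><body><object data="cid:payload"></object></body></html>',
                        subtype="html")
    msg.add_attachment(b"placeholder bytes, not a real payload",
                       maintype="application", subtype="octet-stream",
                       filename="letter.zip", cid="<payload>")
    return msg


def matches_policy(name: str) -> bool:
    return any(fnmatch.fnmatch(name.lower(), pat) for pat in STRIP_PATTERNS)


def strip_attachments(msg: EmailMessage) -> list:
    """Gateway stage 1: delete policy-matching attachments in place; return their names."""
    removed = [p.get_filename() for p in msg.iter_attachments()
               if matches_policy(p.get_filename() or "")]
    msg.set_payload([p for p in msg.get_payload() if p.get_filename() not in removed])
    return removed


def gateway_av(msg: EmailMessage) -> bool:
    """Gateway stage 2: a signature engine that only ever looks at attachments."""
    return any(KNOWN_BAD_BYTES in p.get_content() for p in msg.iter_attachments())


def body_loads_attachment(msg: EmailMessage) -> bool:
    """Heuristic for the pattern in the post: an HTML body that embeds an attachment
    via cid: in an object/iframe/embed tag (constructed check, not a real signature)."""
    html = msg.get_body(preferencelist=("html",))
    return html is not None and re.search(r"<(object|iframe|embed)[^>]*cid:",
                                          html.get_content(), re.I) is not None


def vendor_order(msg: EmailMessage) -> str:
    """Strip first, scan second: the attachment is gone, so the AV says clean."""
    strip_attachments(msg)
    return "quarantined" if gateway_av(msg) else "forwarded"


def scan_first_order(msg: EmailMessage) -> str:
    """Scan the intact message (attachment and body) before any stripping."""
    if gateway_av(msg) or body_loads_attachment(msg):
        return "quarantined"
    strip_attachments(msg)
    return "forwarded"
```

In the vendor ordering the message is forwarded with the HTML exploit still in the body, which is exactly the message the desktop AV later complains about.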
Imagine my joy today when the SMTP gateway of our security vendor showed up in my inbox complaining about viruses I had sent to them! Turns out when accessing the “benign” scripts in my inbox, THEY GOT HACKED!!!! The virus harvested their inboxes for email addresses, and then started sending!
I think they learned their lesson. I asked them if they would like to use my consulting service to get a handle on their virus vulnerabilities. 🙂